Linux desktops Red Hat Enterprise Linux 3 customization

and Scientific Linux 3 customization

Author: L.S.Lowe. File: rhel3custom. This update: 20060721. Part of Guide to the Local System.

This file is intended to be a list of customizations I've applied to a Red Hat Enterprise Linux 3 system (RHEL3) and/or a Scientific Linux 3 system (SL3). They should also be appropriate for CentOS and White Box Enterprise Linux. This might have relevance for Fedora installations too. The new or revised customizations are marked *. This file started life based on my RedHat Linux 9 customization page, and some left-overs from that may still be present. There is also now a Red Hat Enterprise 4 customization page.

These are the customisations that we apply to our systems after doing a kickstart install, and as needed after that. The files are distributed using rdist. Some files are system configurations which are installed in place: there may be an associated rdist action to restart a corresponding system service. Other files are simply action scripts in the sense that rdist runs them after transferring or updating them: these are mostly installed in /root/conf.

SL30x differences

See this document on Scientific Linux 30x differences.

* /bin/ksh

In SL3 there are two potential versions of the ksh shell: ksh93 and pdksh; in fact if you install Everything, then both RPMs will be on the system, though of course only one binary will be at /bin/ksh! (RHEL3 has just the familiar pdksh). With the ksh93 package then there's a potential problem for users who have /bin/ksh as their login shell. That version doesn't appear to work properly, for me, when used in the X login sequence:
   /etc/X11/xdm/Xsession -> /etc/X11/xinit/Xclients -> exec -l $SHELL -c ssh-agent ....
It's at that point that the user's profile should be executed, but it doesn't happen. So instead, use pdksh, which does work, and suppress ksh93. I see that SL4 doesn't include ksh93!

* /etc/X11/Xresources

This update overcomes a problem with sub-pixel rendering of fonts on TFT flat-panel monitors (also known as subpixel font anti-aliasing) when using the KDE interface. In RedHat 9, fonts have nice anti-alias effects using grey pixels around font characters. In RHEL3 and SL3, by default, KDE gives fonts which are anti-aliased using sub-pixel colors. For me, this results in colour fringing round the font characters, which may well not be intended, and which is a bit unpleasant, in my view. This doesn't happen for Gnome. The KDE Control Center Font settings for sub-pixel hinting have no effect. Various ideas off the web of setting rgba:none in /etc/fonts/local.conf also didn't work for me. A comparison of xrdb -q output under KDE and under Gnome shows that Gnome sets a resource Xft.rgba: none if sub-pixel rendering is off, and KDE doesn't. A circumvention then is to add the line Xft.rgba: none to /etc/X11/Xresources, so that it is set for KDE as well as for Gnome.

* /usr/share/apps/kdesktop/DesktopLinks

This directory contains prototype desktop icons for a new KDE user. Add a file USBdisk in the desktop format, which will then appear (along with the other desktop files in this directory) in a new user's Desktop folder. Remove the file starthere.desktop which we don't use. Modify file CD by changing Name=CD/DVD-ROM to something without a slash, so that this file gets copied for a new user - otherwise it's omitted!

* /usr/share/fonts/MSfonts

This directory contains TrueType fonts originally from Microsoft, such as Arial, Comic Sans MS and Verdana. These are/were freely available from Microsoft, which is how I got mine, from their Typography site.

Having created the /usr/share/fonts/MSfonts directory and put the .ttf files there, I ran (in that current directory):

   ttmkfdir > fonts.scale; mkfontdir; fc-cache

Simply adding this directory was sufficient for some applications like Mozilla to find these fonts. For others, I needed to chkfontpath -a /usr/share/fonts/MSfonts which updates the /etc/X11/xfs/config file as well as telling the font server.

Microsoft TrueType fonts are also available as RPMs, which do all the postinstall actions required too, from this site. The ttf files in these RPMs contain more international encodings than mine (and so are quite a bit fatter).

* /etc/yum.conf

Updated to choose which mirrors we use for updating the system with yum. The yum update to the latest RPMs first takes place as a %post-install operation when our desktop PCs and worker nodes are initially loaded.


Customised to include local machines to reduce impact of DNS failure.


Customised to ALL: ALL.


Customised to restrict who can use the crontab command (empty file means nobody).


Provided as an effective alias for ls -l under any shell.


Configures /etc/pine.conf for local conventions. By providing this as a script, we avoid having to re-write every time pine is upgraded.


Loads the openafs RPM if necessary. Already present for SL3.


Configures AFS cell and cache.


Removes /usr/local directories from search PATH in /etc/anacrontab. Don't know why they're there; cron doesn't have them so why should anacron?
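One way to script this edit, as an added example (not the author's own script); the function names and the sample PATH line used in testing are constructed. It goes slightly beyond the text by also dropping empty PATH components, which the shell treats as the current directory.

```shell
# Read an anacrontab on stdin and write it to stdout with every /usr/local
# directory removed from the PATH= line. Other lines pass through unchanged.
strip_usr_local_from_path() {
    awk '
    /^PATH=/ {
        n = split(substr($0, 6), dir, ":")
        out = ""
        for (i = 1; i <= n; i++) {
            # Drop /usr/local and anything below it. Also drop empty
            # components, which the shell treats as the current directory.
            if (dir[i] == "" || dir[i] ~ /^\/usr\/local(\/|$)/)
                continue
            if (out != "") out = out ":"
            out = out dir[i]
        }
        print "PATH=" out
        next
    }
    { print }
    '
}

# update_anacrontab FILE: rewrite FILE in place only if something changes,
# keeping the previous version as FILE.orig. Prints "changed" or "unchanged",
# so a distribution run can be repeated safely.
update_anacrontab() {
    ua_tmp=$(mktemp) || return 2
    strip_usr_local_from_path < "$1" > "$ua_tmp"
    if cmp -s "$1" "$ua_tmp"; then
        rm -f "$ua_tmp"
        echo unchanged
        return 0
    fi
    # cat into the existing file keeps its owner and mode
    if cp -p "$1" "$1.orig" && cat "$ua_tmp" > "$1"; then
        rm -f "$ua_tmp"
        echo changed
        return 0
    fi
    rm -f "$ua_tmp"
    return 2
}

# On a real host (as root): update_anacrontab /etc/anacrontab
```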


Deactivates cron actions in /etc/cron.d/ and /var/spool/cron/ for packages we don't use yet.


Configures local services on or off using /sbin/chkconfig.


Configures hostname in /etc/sysconfig/network to have a consistent case and format across machines.


Changes the order of preference in /etc/X11/fs/config to choose 100dpi fonts before 75dpi ones.

* /etc/sysconfig/desktop

Set the default desktop and display-manager to KDE.


Chooses correct iptables setup for the target host.


The normal configuration for /etc/sysconfig/iptables on our desktops.


Merges local groups into /etc/group.


Merges local users into /etc/passwd.


Static routes for our desktops (if any).


Merges local /etc/fstab.{nfs,usb}* files into /etc/fstab.


NFS entries to be merged into /etc/fstab


USB entries to be merged into /etc/fstab, like /mnt/usbdisk.


Local daily tasks.


Customised so I'm not inundated by emails from logwatch on every desktop PC each morning: just the important bits.


See above. A particular irritation is when logwatch sends information about the sendmail log entries corresponding to the email it sent me about the sendmail log entries yesterday! Removing this file or modifying what it looks for will fix this problem.


Local startup tasks.


Tweak this system script to add the fork option to the mount:
 mount -a -t nfs -F 
Without this, if more than one file-server is not working at boot time, then the mount(s) for each failed file-server cause a wait of 7 minutes 18 seconds (or thereabouts), so four would make about half an hour - irritatingly long! Note that it's for each file-server and not for each file-system. With the -F option, the mounts for different file-servers are done in parallel, so these long wait times do not accumulate.


See /sbin/dhclient-script.


Customized initial home directory files for new users.


Customized log rotation to keep logs by month and for longer.


Customised /etc/mailcap calls /usr/local/bin/pdfviewer rather than /usr/bin/xpdf for PDF files, allowing a user environment variable to choose between xpdf and acroread. Also customised for OpenOffice equivalents to ms-word, ms-excel and ms-powerpoint.

/etc/mailcap is used by the pine mail client by default, also by mozilla.


A worthy addition to /etc/profile or /etc/profile.d/something is a check to see if the $HOME file system is full. A full $HOME can lead to several insidious errors without necessarily showing any relevant error message. For example, when logging on to a server with a full $HOME file system, ssh X11 forwarding can't be properly set up because $HOME/.Xauthority cannot be updated, and when you later start an X application, you get the message:
   X11 connection rejected because of wrong authentication.
   X connection to localhost:10.0 broken (explicit kill or server shutdown).
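A sketch of such a login-time check, as an added example (not the author's own code); the file name /etc/profile.d/homespace.sh, the function names and the default 100% limit are assumptions.

```shell
# Hypothetical /etc/profile.d/homespace.sh: warn at login when the file
# system holding $HOME is full, before the symptoms show up elsewhere.

# Print the use percentage (digits only) of the file system holding $1.
fs_use_pct() {
    # df -P prints one POSIX-format line per file system; field 5 is Capacity.
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# home_space_problem DIR [LIMIT]
# Prints a description and returns 0 if DIR has a space problem, else
# returns 1. Two tests: usage at or above LIMIT percent (default 100), and
# a real write, which also catches an exhausted quota or a read-only mount.
home_space_problem() {
    hsp_dir=$1
    hsp_limit=${2:-100}
    hsp_pct=$(fs_use_pct "$hsp_dir")
    case $hsp_pct in
        ''|*[!0-9]*) ;;    # df gave no usable figure: rely on the write test
        *)
            if [ "$hsp_pct" -ge "$hsp_limit" ]; then
                echo "file system holding $hsp_dir is ${hsp_pct}% full"
                return 0
            fi
            ;;
    esac
    hsp_probe="$hsp_dir/.homespace.$$"
    if ! ( echo probe > "$hsp_probe" ) 2>/dev/null; then
        rm -f "$hsp_probe" 2>/dev/null
        echo "cannot write to $hsp_dir (full, over quota or read-only)"
        return 0
    fi
    rm -f "$hsp_probe"
    return 1
}

# Run the check when this file is sourced by a login shell.
if [ -n "${HOME:-}" ] && hsp_msg=$(home_space_problem "$HOME"); then
    echo "WARNING: $hsp_msg." >&2
    echo "Expect failures such as ssh X11 forwarding (.Xauthority) until space is freed." >&2
fi
unset hsp_msg
```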


Customized system logging.


Customise which files are included in the default locate/slocate database. For desktops, add /mnt to PRUNEPATHS so that usb flash disks and other temporary devices are not included in the default daily scan. Also, for file-servers, add their mount point to PRUNEPATHS so that exported file areas are not included either, as users can't see this database anyway. Note that even though this conf file looks like it is sourced only by the /etc/cron.daily/slocate.cron script, updatedb appears to read it directly.

To give users similar info for those exported NFS disks, our file-servers do a twice-weekly updatedb scan of each exported disk, and write the resulting database to a special info directory on that exported disk. Then we have a mylocate script for users, which accesses that database to report on just that user's files. I guess if performance was an issue, one could create an individual slocate database for each user.


Change the font size and heading text on the kdm login panel.

Also comment-out the section headed [Desktop0], because changes in this section here do not work anyway, and the section name gives rise to the syslog error message:

   kdm_config[nnnn]: Unrecognized section name [Desktop0] at /usr/share/config/kdm/kdmrc:42
Instead, put any welcome-screen background changes in the file /etc/kde/kdm/backgroundrc. Note that kdm runs because I have configured DISPLAYMANAGER in /etc/sysconfig/desktop.


For hosts that I want to provide a local X-terminal XDMCP listener service, this configures file /etc/X11/xdm/kdmrc to set Enable=true. Note that kdm runs because I have configured DISPLAYMANAGER in /etc/sysconfig/desktop.


Configured to limit access to XDMCP service to local X-terminals (access also limited by iptables).


This script (amongst other things) creates a new /etc/resolv.conf file when new information is received from the DHCP client daemon. For me, I have customised it to add an extra line to /etc/resolv.conf:
         options timeout:1 rotate 
which sets a query time-out of 1 second (default RES_TIMEOUT is 5 seconds, which is longer than the attention span of some users) and rotates queries amongst the DNS nameservers.


The Postscript-to-PDF utilities (like ps2pdf) all use this ps2pdfwr script. The default in Ghostscript is US-letter size paper. By default, even with an A4 Postscript file, a PDF file created by those utilities crops the top of each A4 page. This can be corrected by the user by specifying the papersize in the environment variable GS_OPTIONS.

But locally I have added export GS_OPTIONS=${GS_OPTIONS:--sPAPERSIZE=a4} near the top of this script, to save the ordinary user some hassle. This way it's easy enough for the expert user to override, on the odd occasions that A4 is not required.


Symbolic link to the macromedia flash plug-in, triggers installation of the flash package for mozilla (download links here).


Customised mozilla by adding a file of pref calls for local printers and a print.printer_list. Also see /opt/Mozilla and /opt/Firefox below.

* /usr/local/lib/pine.conf and /usr/local/lib/pine.conf.fixed

SL only. These two are soft-links to the corresponding files in the /etc directory. This is necessary for version pine-4.58-2 in SL3; fixed in next pine version apparently.

* /usr/share/applications/redhat-web.desktop

This file defines the desktop action when the web browser front panel icon is clicked on. Even though it is part of the htmlview package (which provides the user with a configurable way of invoking their favourite browser), it is actually a symbolic link to an action that always invokes mozilla! My replacement for the above desktop file instead invokes htmlview. Then the user can configure which browser by setting up a file $HOME/.htmlviewrc: for example, to invoke firefox instead of mozilla, it could contain:

htmlview is also invoked (for example) by mail clients like pine on displaying an html file, because htmlview is defined in /etc/mailcap. So the user gets a consistent browser.

* /usr/share/applnk-local

Directory containing our local KDE applications directories, which are linked in to /var/lib/menu/kde/Applications.


Extra local icons.


Added to configure the artsd sound server: for example to turn off artsd completely by preventing it starting at KDE logon, or to have a shorter suspend idle time. The options can also be configured on a user-by-user basis by using KDE Control Center -> Sound & Multimedia -> Sound System -> ARTs, and the kcmartsrc file so created in $HOME/.kde/share/config could be used as the model for the system-wide file.


Customized to use energy saving DPMS modes on monitors by default. Customized so as not to exportKDEColors by default. The original default gives rise to X11 resources being set up, which appear in a xrdb -query, for applications like nedit and xwp/wordperfect which the user might never use, and sneakily also sets kprinter as the default printer setting for acroread and gv. The user can set the original default back if s/he wishes using KDE Control Centre -> Appearance & Themes -> Colors/Colours -> Apply colors to non-KDE applications. The resource files are in /usr/share/apps/kdisplay/app-defaults.


Customized so that by default a single-click is required to start an application from an icon rather than a double-click. I'm not in favour of this retro double-click! Also change default Widget style.

Change the shortcut key combination for ending a KDE session from Alt-Ctrl-Delete to Alt-Ctrl-End: Ctl-Alt-Del is used by MS Windows client viewers to terminal servers, and users don't want to have to learn new shortcuts just for when they're viewing from Linux.

The file manager konqueror generates previews of files by default, even when the file might need processing through ghostscript for example, which is all very nice if it works. But it's buggy, and kdeinit kio_thumbnail processes using 100% cpu for hours are not uncommon. Also, some users might like to retain a meaningful last access time for files. So turn konqueror previews off by default (is there a better way?):

The last line is superfluous provided the MaximumSize isn't overridden. The user can always turn previews back on using Settings -> Configure Konqueror -> Previews in the konqueror file manager.


Change default Printsystem to CUPS: it's what we use, and it gets rid of those annoying messages "ypcat: can't get local yp domain: Local domain name not set".


Customize our local kicker Panel: demote those OpenOffice applications back to the start menu where they belong.

* /usr/share/config/konsolerc

Remove the Menubar and Toolbar by default from konsole (too confusing for users), set the default height of the konsole window just a few pixels taller so that we don't lose the descenders of characters on the bottom line - looks like a miscalculation by konsole.


When you start an application from the panel, by default the mouse cursor changes to a blinking image associated with the application started. If the application is a screen grabber then sometimes the grabbed image is somehow corrupted by this blinking cursor. To turn the facility off, in the [FeedbackStyle] section of the above file, add BusyCursor=false.



Add customised files for these screensavers to show some pictures rather than "The screen saver is not configured yet" or "No images found", particularly when the screensaver was chosen randomly.


Change the default PluginLib to kwin_keramik, and window MoveMode and ResizeMode to Transparent rather than Opaque, by default.

* /usr/bin/startkde

Customised to add xmessage commands for errors like Not enough free disk space on /tmp, rather than just dropping the user back to the login screen without visible comment.

Also if /var/lib/menu/kde already exists, don't invoke /usr/bin/desktop-create-kmenu. At system start-up, and elsewhere (not here as we are in user mode), we soft-link our two local applications directories in /usr/share/applnk-local into /var/lib/menu/kde/applications at the top level. There may be a better way of doing this but I don't know what it is!


This renames files in /usr/share/apps/kscreensaver/ScreenSavers/ like KSolarWinds.desktop and KFountain.desktop to a non-desktop suffix, so that they aren't chosen by the random screensaver choice, and don't appear in the screensaver chooser panel. Some screensavers like SolarWinds are just too busy, particularly for multi-user hosts!

* /root/conf/xfreerc

This chooses between several /etc/X11/XF86Config.versions according to the target, depending on the graphics card and whether the PC has a wheel-mouse, to set up the X server, and sets the default runlevel in /etc/inittab to 5.

It may be necessary to configure /etc/X11/XF86Config a bit by hand if the particular keyboard is not our standard layout or language: our default is Option "XkbLayout" "gb", and also /etc/sysconfig/keyboard contains KEYTABLE="uk" for text-mode sessions.


* /etc/rc.d/init.d/sendmail

A tiny modification of the sendmail start/stop script, so that it doesn't start or kill the sendmail port 25 listener if DAEMON=no: there's no reason to run that daemon if nothing arrives in the /var/spool/mqueue queue, as in our configuration: see below.

* /etc/sysconfig/sendmail

Configuration file which sets DAEMON=no and SMQUEUE to 5 minutes (this is the queue retry time for the submit sendmail daemon): see below.

* /etc/mail/

A customized version of the sendmail local submit configuration, so that it has FEATURE(`msp', `[my.mail.relay]') instead of []. It is unnecessary to configure /etc/mail/ see below.

By default in RHEL, SL, and RedHat 9, outgoing email takes an unnecessary extra hop. A mail client (such as pine) invokes /usr/sbin/sendmail which runs under user:group smmsp:smmsp (using configuration to send email to localhost port 25. A sendmail daemon (running under smmsp:smmsp and using configuration runs to retry any mail sitting in the /var/spool/clientmqueue directory that failed to get through to this local port first time. Another sendmail daemon (which uses configuration is configured to listen on localhost port 25 and do the real work of mail relaying: forwarding email to the local mail hub or to the big wide world, first enqueuing it in /var/spool/mqueue. Only if this host is a mailhub would it be configured to listen on to receive email from the big wide world.

For our desktop clients, having a sendmail daemon listening to localhost port 25 and running in root mode is unnecessary and is potentially a security issue if a bug is found in sendmail. So the configuration file (see above) is set up so that the email is forwarded to the local mailhub in one hop. This has the side advantage that mailq -Ac will actually show if mail is for some reason still on the local desktop - not possible for the ordinary user if the mail has disappeared and gone into the port 25 listener. We just then have the one sendmail daemon (non-root, using the configuration to retry emails in /var/spool/clientmqueue which failed first time to the local mailhub.
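A check that a desktop really ended up in this state, as an added example (not the author's own code): it reads the DAEMON setting from a sysconfig-style file and looks for port 25 listeners in saved `netstat -ltn` output. The function names and the sample file contents, including the SMQUEUE value, are constructed.

```shell
# Value assigned to DAEMON in a sysconfig-style file ($1); last one wins.
sendmail_daemon_setting() {
    sed -n 's/^[[:space:]]*DAEMON=\([^[:space:]#]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Read `netstat -ltn` output on stdin; print each local address that is
# listening on TCP port 25.
smtp_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /:25$/ { print $4 }'
}

# audit_mail_config SYSCONFIG_FILE NETSTAT_OUTPUT_FILE
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_mail_config() {
    amc_rc=0
    amc_setting=$(sendmail_daemon_setting "$1")
    if [ "$amc_setting" != "no" ]; then
        echo "DAEMON is '${amc_setting:-unset}' in $1 (expected no)"
        amc_rc=1
    fi
    for amc_addr in $(smtp_listeners < "$2"); do
        echo "port 25 listener on $amc_addr"
        amc_rc=1
    done
    return $amc_rc
}

# Constructed sample data: the customised sysconfig file, netstat output
# from a host still running the port 25 listener, and from one that is not.
write_samples() {
    cat > "$1/sysconfig.sendmail" <<'EOF'
DAEMON=no
SMQUEUE=5m
EOF
    cat > "$1/netstat.default" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
EOF
    grep -v ':25 ' "$1/netstat.default" > "$1/netstat.customised"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_mail_config "$demo_dir/sysconfig.sendmail" "$demo_dir/netstat.default" || true
audit_mail_config "$demo_dir/sysconfig.sendmail" "$demo_dir/netstat.customised" &&
    echo "customised host: no port 25 listener, DAEMON=no"
rm -rf "$demo_dir"

# On a real host: netstat -ltn > /tmp/listen.txt
#                 audit_mail_config /etc/sysconfig/sendmail /tmp/listen.txt
```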

* /etc/cups/ppd/*

* /etc/cups/lpoptions

* /etc/cups/printers.conf

* /etc/cups/cupsd.conf

Various CUPS printer system files distributed for our desktop systems, so we don't have to configure our shared printers individually on each desktop.

* /usr/local

Distributed files for our local desktops.

* /usr/local/bin/acroread

This wrapper script was created to fix several problems with Adobe Acrobat Reader (acroread) at version 5. It is not really necessary for Adobe Acrobat Reader 7 (or later, hopefully). First it unsets the LANG variable to allow acroread 5 to work, avoiding Warning: charset UTF-8 not supported message and abort. Also, mozilla invokes acroread (or our pdfviewer script) without a current directory (this is still true at the time of writing), which causes the acroread version 5 binary to fail, so the acroread wrapper script does a cd "$PWD" which fixes the problem if invoked by mozilla, and is harmless otherwise. Also we have a feature to put debugging into effect (option -DEBUG acrodebug) if the file /tmp/acro.debug exists.

* /opt/Adobe/Acrobat7.0

Acrobat Reader 7 (acroread) installation, and version 5 in a similar directory. These are as downloaded from Adobe.

Version 7 at my current release (7.0.1) has a PostScript printing bug, whereby some PDF files, which display perfectly correctly on the screen, produce print output which is garbled and where characters are replaced by substitute garbage characters like "h" or "x". You would have thought that Adobe could get PostScript right!! This error occurs on any of my printers, and when printing to a disk file, and when using acroread in its -toPostScript non-GUI mode. Analysing the PostScript output with the gs command shows lots of undefined characters - "Substituting .notdef for A", for example - but this is not a ghostscript problem because the gibberish also occurs when printed on any genuine PostScript printer in a direct way which never goes near ghostscript or CUPS or any other such system.

Although some advice on the web is to re-set the LANG or other associated variables, as noted above for the display-time problem with Acrobat Reader 5, this did not work for me with Acrobat Reader 7 when printing.

The circumvention for this, I have found, is to tick the Save Printer Memory tick-box at the bottom of the Print dialogue window. Then the print-out is perfect. For non-GUI invocation with -toPostScript option, add the -saveVM option. Presumably this then causes acroread in its PostScript output to specify font characters in a different way which is not subject to the bug.

The other circumvention is of course to use xpdf.

A further bug with acroread 7 seems to occur when the -toPostScript option is used without further arguments, that is, when used as a filter with output to standard output. The last portion of the PostScript output (a few thousand bytes) was missing: the output size was an exact multiple of 8 kbytes, presumably because of a failure to flush. This does not happen when output is to a disk file.

With the older version Acrobat Reader 5, to avoid an error with some PDFs (message says An error has occurred that may be fixed by installing the latest version of the Korean Language Support package) I installed the Adobe Korean font package.

* /opt/Mozilla-1.x.x/defaults/pref/bham.js

This added file contains additional pref() calls to add more printer command definitions. It also sets the default paper size to A4:
         pref("print.postscript.paper_size", "A4");

* /opt/Mozilla-1.x.x/plugins

This directory has some added symbolic links to Mozilla-compatible plugins for Flash, Java, and RealPlayer. Depends on versions installed: as of March 2005 these links are/were: -> /usr/lib/flash-plugin/ -> /usr/java/jre1.5.0_01/plugin/i386/ns7/ -> /usr/lib/mozilla/plugins/ -> /opt/RealPlayer-10/mozilla/
  nphelix.xpt -> /opt/RealPlayer-10/mozilla/nphelix.xpt

These all work well. It's said, though, that after a browser upgrade, it's possible that a Java page can crash the browser. This doesn't happen for a fresh user, so maybe it would be sufficient to remove the user's pluginreg.dat and/or plugins directory contents. It's also possible to crash the browser on a Java page if the user has set up a spoofed useragent string: this caught me out recently, but it's a known problem in Java initialisation.


All the above for Mozilla also apply for Firefox.

* /opt/RealPlayer-10

The RealPlayer10 package was downloaded from the Real website. The older RealPlayer8 package, plus RV9 codecs, was previously downloaded via this Netscape/Mozilla plugins web page.

Note it is necessary with KDE to ensure the artsd daemon is disabled or suspended (artsshell suspend) while realplayer is running. Although artsd starts with autosuspend 60 by default, that doesn't mean that it's in the suspend state when you want it to be! (Arts can be configured or turned off in a kcmartsrc file or using Control Center: see above). Alternatively could use the artsdsp command to start realplay - haven't tried that yet myself.

* /usr/lib/ICAClient

Triggers installation of the ICAClient rpm, for our Citrix server.

A customisation I have had to apply in our script which invokes the ICA client is to disable the artsd daemon or suspend it (artsshell suspend) while the ICA client is running (see realplayer comments above). This appears to be necessary even if sound is disabled in the user's ICA client configuration. Otherwise a terminal server session can hang just after the point where the user has logged in but before any desktop icons appear: an strace shows that opening /dev/dsp was the last operation.

* /usr/bin/opera

* /usr/java

packages downloaded from Sun here.

* /usr/bin/gmplayer

packages downloaded starting from the mplayerhq home page.

Also mplayer plugin package (to help with streaming) obtained from this sourceforge site or earlier versions here.

* /usr/bin/X11/xv

* /usr/bin/qdel

The above files trigger installation of the corresponding package RPM(s).

Now some hardware issues that had to be sorted out:

BIOS settings: legacy USB support

On our Intel blade servers we had occasional problems when rebooting: the boot stalls, and can be stuck forever, soon after the message Hugetlbfs mounted, or the repeated message: pc_keyb: controller jammed (0x1D). For us, this occasional problem can be prevented completely by disabling legacy USB support in the BIOS, though other people suggest an alternative of adding a kernel parameter of usb-handoff. Another (probably related) problem is that keyboard input is sometimes blocked after removing and then re-inserting a PS/2 keyboard lead, which for my blades is connected to a Belkin KVM switch, which then is unable to switch to another blade (even by selector button)! Disabling USB legacy support also seems to stop that problem.

SCSI multi-lun support

A scsi-attached disk RAID unit which used several non-zero LUNs had to be attached to a particular server. The aic79xx driver was being used. Although the RAID group LUNs were recognised by the firmware-level scsi support, they were not recognised by the SL3/RHEL3 system. (Note: there was no similar problem with a SL4 system with the 2.6 kernel, but there were reasons for using SL3/RHEL3).

The first point to check in this situation was that the SCSI utility available at boot time showed that the scsi card was configured to support multiple LUNs on that channel.

The suggestion in Red Hat documentation of using a /etc/modules.conf addition of options scsi_mod max_scsi_luns=255 and then remaking the initrd and rebooting, did not work. Neither (together or separately) did the kernel command line option max_scsi_luns=8, as suggested in kernel-docs file kernel-options.txt. However, the following method worked nicely; substitute the 4 decimal numbers listed at bios startup identifying the device:

   echo "scsi add-single-device $scsibus $chan $dev $lun" > /proc/scsi/scsi
On re-visiting this problem a year later, using an Adaptec 39160 scsi card, with the aic7xxx driver, it was at first thought that the add-single-device technique was still required. However, after putting the options line as above into /etc/modules.conf, and then updating the kernel to the current version (2.4.21-47.0.1.EL), it was found that that was sufficient for each of the LUNs (0, 1, 2) to be found, without the add-single-device technique. Possibly the later kernel and/or driver had fixed the problem, or possibly initrd had not been remade as required, the first time round. Another possibility is that the first time there was no LUN 0, unlike the revisited case, which would be a different scenario.

Birmingham Particle Physics Group