diff --git a/admin-guide/architecture/accounts-and-groups.md b/admin-guide/architecture/accounts-and-groups.md new file mode 100644 index 00000000..6e4aaaf6 --- /dev/null +++ b/admin-guide/architecture/accounts-and-groups.md 
@@ -0,0 +1,123 @@ +--- +title: Accounts +--- + +Linux accounts are generally stored and managed in Active Directory. + +```{note} +Current user (uid) and group (gid) ranges can be found here: [UID and GID Management](https://git.psi.ch/linux-infra/documentation/blob/master/pdf/UID_and_GID.pdf) +``` + +# Account Types + +There are several types of accounts, which are usually indicated by a +prefix or suffix: + +- Normal accounts. No prefix or suffix. Older accounts are just last + names, newer accounts are LASTNAME_X, where X is the first letter of + the given name. +- Global accounts. These have a `gac-` prefix. There are only a + handful of these on Linux so far, due to concerns about the lack of + login restrictions. +- Administrator accounts. Marked with an `-adm` suffix. +- External users. These start with an `ext-` prefix and are provided + to external users, ie. those who are not PSI employees. +- Service accounts. These come with an `svcusr-` prefix and are used + for running services. + +# UID Allocation + + ---------------- ------------- + Old accounts 1000-6000 + GFA accounts 10000-30000 + External users 30000-35000 + New accounts 35000+ + ---------------- ------------- + +# LDAP Attribute Mapping + + Attribute LDAP Attribute + ----------- ------------------------ + username `msSFU30Name` + UID `msSFU30UidNumber` + GID `msSFU30GidNumber` + home `msSFU30HomeDirectory` + shell `msSFU30LoginShell` + +# Primary Groups + +At PSI the user-private group scheme (UPG), the default on Red Hat +distributions, is **not** used. Instead, every user\'s primary group is +usually one specific to the group/department the user is working for, +eg. `unx-ait`. + +Users for whom there is no natural choice of primary group are assigned +`unx-nogroup`. 
+ +# Low GIDs + +A number of groups have very low GIDs (\<500), in particular: + + unx-fkt:*:101: + unx-lke:*:110: + unx-abe:*:120:stingelin + unx-aea:*:130: + unx-lmu:*:140: + unx-lem:*:141: + unx-muesr:*:150: + unx-asm:*:210: + unx-lrp:*:220: + unx-zrp:*:221: + unx-ash:*:230: + unx-ppt:*:280: + unx-pmr:*:290: + unx-cmt:*:301: + unx-lfk:*:310: + unx-lch:*:320: + unx-lns:*:330: + unx-lap:*:340: + unx-lmn:*:350: + unx-asq:*:360: + unx-crpp:*:370: + unx-psq:*:380: + unx-psz:*:390: + unx-gabe:*:402: + unx-lrs:*:410: + unx-lth:*:420: + unx-lwv:*:430: + unx-les:*:440: + unx-dtp:*:451: + unx-lsu:*:490: + +# Shells + +We support bash, and we also try to keep tcsh working. + +Currently bash, tcsh, and sh are used. The form for ordering accounts +also offers `/bin/ksh` and `/bin/zsh`. The most popular by far is bash. + +# Special Accounts + +## `linux_ldap`: query LDAP + +The [linux_ldap]{.title-ref} account has read-only permissions on a +limited subset of the LDAP attributes. It is used by +[nslcd]{.title-ref}, for example, to query LDAP for users\' uid, gid, +etc. + +The password should not be shared unnecessarily, but it does not need to +be specifically protected either. In fact, in earlier releases of +Scientific Linux it was necessary to have [/etc/nslcd.conf]{.title-ref}, +which contains the password, world-readable. + +This account **must not** be given additional access or privileges. + +## `linuxadjoin.psi.ch@D.PSI.CH` + +This account is a pure AD account (ie it doesn\'t have Unix attributes +like uid), which is used to manage computer objects in AD automatically. +In particular, it is used to precreate computer objects to allow +password-less AD joins. + +The account is only used on the Puppet server and has no (known) +password. Instead a keytab is used to get a valid Kerberos ticket. diff --git a/admin-guide/architecture/accounts-and-groups.rst b/admin-guide/architecture/accounts-and-groups.rst deleted file mode 100644 index 98ad2dbe..00000000 
--- a/admin-guide/architecture/accounts-and-groups.rst +++ /dev/null 
@@ -1,139 +0,0 @@ -========== - Accounts -========== - -Linux accounts are generally stored and managed in Active Directory. - - -```{note} -Current user (uid) and group (gid) ranges can be found here: -[UID and GID Management](https://git.psi.ch/linux-infra/documentation/blob/master/pdf/UID_and_GID.pdf) -``` - - - -Account Types -------------- - -There are several types of accounts, which are usually indicated by a prefix or -suffix: - -- Normal accounts. No prefix or suffix. Older accounts are just last names, - newer accounts are LASTNAME_X, where X is the first letter of the given name. -- Global accounts. These have a ``gac-`` prefix. There are only a handful of - these on Linux so far, due to concerns about the lack of login restrictions. -- Administrator accounts. Marked with an ``-adm`` suffix. -- External users. These start with an ``ext-`` prefix and are provided to - external users, ie. those who are not PSI employees. -- Service accounts. These come with an ``svcusr-`` prefix and are used for - running services. - - -UID Allocation --------------- - -============== =============== -Old accounts 1000-6000 -GFA accounts 10000-30000 -External users 30000-35000 -New accounts 35000+ -============== =============== - - -LDAP Attribute Mapping ----------------------- - -========= ======================== -Attribute LDAP Attribute ---------- ------------------------ -username ``msSFU30Name`` -UID ``msSFU30UidNumber`` -GID ``msSFU30GidNumber`` -home ``msSFU30HomeDirectory`` -shell ``msSFU30LoginShell`` -========= ======================== - - -Primary Groups --------------- - -At PSI the user-private group scheme (UPG), the default on Red Hat -distributions, is **not** used. Instead, every user's primary group is usually -one specific to the group/department the user is working for, eg. ``unx-ait``. - -Users for whom there is no natural choice of primary group are assigned -``unx-nogroup``. 
- - -Low GIDs --------- - -A number of groups have very low GIDs (<500), in particular:: - - unx-fkt:*:101: - unx-lke:*:110: - unx-abe:*:120:stingelin - unx-aea:*:130: - unx-lmu:*:140: - unx-lem:*:141: - unx-muesr:*:150: - unx-asm:*:210: - unx-lrp:*:220: - unx-zrp:*:221: - unx-ash:*:230: - unx-ppt:*:280: - unx-pmr:*:290: - unx-cmt:*:301: - unx-lfk:*:310: - unx-lch:*:320: - unx-lns:*:330: - unx-lap:*:340: - unx-lmn:*:350: - unx-asq:*:360: - unx-crpp:*:370: - unx-psq:*:380: - unx-psz:*:390: - unx-gabe:*:402: - unx-lrs:*:410: - unx-lth:*:420: - unx-lwv:*:430: - unx-les:*:440: - unx-dtp:*:451: - unx-lsu:*:490: - - -Shells ------- - -We support bash, and we also try to keep tcsh working. - -Currently bash, tcsh, and sh are used. The form for ordering accounts also -offers ``/bin/ksh`` and ``/bin/zsh``. The most popular by far is bash. - - -Special Accounts ----------------- - -``linux_ldap``: query LDAP -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The `linux_ldap` account has read-only permissions on a limited subset of the -LDAP attributes. It is used by `nslcd`, for example, to query LDAP for users' -uid, gid, etc. - -The password should not be shared unnecessarily, but it does not need -to be specifically protected either. In fact, in earlier releases of -Scientific Linux it was necessary to have `/etc/nslcd.conf`, which -contains the password, world-readable. - -This account **must not** be given additional access or privileges. - -``linuxadjoin.psi.ch@D.PSI.CH`` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This account is a pure AD account (ie it doesn't have Unix attributes like uid), -which is used to manage computer objects in AD automatically. In particular, it -is used to precreate computer objects to allow password-less AD joins. - -The account is only used on the Puppet server and has no (known) password. -Instead a keytab is used to get a valid Kerberos ticket.
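Review bot: the UID Allocation and LDAP Attribute Mapping tables in the new accounts-and-groups.md are Pandoc "simple tables" (rows delimited by runs of dashes such as `---------------- -------------` and `----------- ------------------------`), which CommonMark/MyST does not render as tables; rewrite them as pipe tables (`| Range | UIDs |` / `|---|---|`) or fence them so the alignment survives. In the same hunk the conversion left `[linux_ldap]{.title-ref}`, `[nslcd]{.title-ref}` and `[/etc/nslcd.conf]{.title-ref}` in the Special Accounts section; these render literally unless the attributes extension is on, so use plain backticks as the `## \`linux_ldap\`` heading already does. The escaped apostrophes (`user\'s`, `users\'`, `doesn\'t`) and `\<500` are conversion debris and can be unescaped. The Low GIDs listing lost the RST `::` literal marker and is now only indented; put it in the triple-backtick fence style the file already uses for the `{note}` so it is not reflowed. Two content points while this file is being rewritten anyway: the UID table lists `GFA accounts 10000-30000` and `External users 30000-35000`, so 30000 falls in two ranges; state whether the upper bounds are exclusive. And the `linux_ldap` paragraph only records that `/etc/nslcd.conf` had to be world-readable on earlier Scientific Linux releases; add the permissions the file needs on the releases currently supported, so readers do not take the historical remark as the present requirement.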
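Review bot: deleting accounts-and-groups.rst in the same commit leaves no RST copy, so check that the toctree entry and any `:doc:`/relative links to `accounts-and-groups` resolve to the new `.md` file. Note also that the heading structure changes: the RST used `Accounts` as the page title with `----` section underlines and `~~~~` subsections, while the new file moves the title into front matter and makes every section an `#` H1 with `##` subsections, so the rendered sidebar outline will differ from the old page.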