write down account setup

engineering-guide/accounts-and-groups.md

@@ -14,17 +14,26 @@ prefix or suffix:
 -   Normal accounts. No prefix or suffix. Older accounts are just last
     names, newer accounts are LASTNAME_X, where X is the first letter of
     the given name.
--   Global accounts. These have a `gac-` prefix. There are only a
-    handful of these on Linux so far, due to concerns about the lack of
-    login restrictions.
+-   Global accounts (or gac-accounts). These have a `gac-` prefix. These are shared accounts where several people know the password. Note that some global accounts were originially experiment accounts and share the properties of experiment accounts
 -   Administrator accounts. Marked with an `-adm` suffix.
 -   External users. These start with an `ext-` prefix and are provided
     to external users, ie. those who are not PSI employees.
--   Service accounts. These come with an `svcusr-` prefix and are used
-    for running services.
+-   Experiment accounts (or e-accounts). These start with `e` followed by the uid (+ some global accounts which where renamed later).
+    These are managed by the [Digital User Office (DUO)](https://duo.psi.ch).
+    The password is shared by all users involved in the experiment.
+-   Service accounts. These come with an `svcusr-` prefix and are used for running services.
 
 Official documentation on PSI IT account naming convention can be found [here](https://psi.service-now.com/psisp?sys_kb_id=c498a3cb1bff68502c5940498b4bcb44&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=4877d78687cc1d10bc150d830cbb3540)
 
+To be able to easily distinguish between the different account types, a user shall be assigned to
+
+  | Unix Group         | Accont Type |
+  |--------------------|-------------|
+  | `unx-lx_users`     | normal user and administrator acccounts |
+  | `unx-lx_gac_users` | global accounts |
+  | `unx-lx_ext_users` | external accounts |
+  | `unx-lx_e_users`   | experiment accounts |
+
 ## UID Allocation
 
   | UID                     | GID                     |                               |
@@ -32,17 +41,19 @@ Official documentation on PSI IT account naming convention can be found [here](h
   | 0 - 1000                | 100 - 1000              | local users / groups manually |
   | 1000 - 9999             | 110 - 9999              | old AD accounts manually |
   | 10000 - 29999           | 10000 - 29999           | e-accounts / p-groups Experiment prov. tool |
-  | 30000 - 65534           | 30000 - 65534           | new AD users / groups /external AD accounts OM msSFU30UidNumber |
+  | 30000 - 65534           | 30000 - 65534           | new AD users / groups /external AD accounts OM |
   | 70000 - 120000          | 70000 - 120000          | e-accounts / p-groups Experiment prov. tool |
   | 123458 - 150000         | -10000 - -4294967296    | local AFS users / groups AFS |
-  | 200000 - 400000         | 200000 - 400000         | new AD users / groups /external AD accounts IAM msSFU30UidNumber |
+  | 200000 - 400000         | 200000 - 400000         | new AD users / groups /external AD accounts IAM |
   | 2000000000 - 4294967296 | 2000000000 - 4294967296 | sub UID / GID for containers local Linux systems / local Windows subsystems for Linux |
 
 
 
-## LDAP Attribute Mapping
+## AD Attribute Mapping
 
-  | Attribute | LDAP Attribute         |
+For the [sssd-ldap(5)](https://man.archlinux.org/man/sssd-ldap.5.en) provider following mapping is used
+
+  | passwd attribute | AD attribute    |
   |-----------|------------------------|
   | username  | `msSFU30Name`          |
   | UID       | `msSFU30UidNumber`     |
@@ -50,15 +61,38 @@ Official documentation on PSI IT account naming convention can be found [here](h
   | home      | `msSFU30HomeDirectory` |
   | shell     | `msSFU30LoginShell`    |
 
+We are on the process to move to the [sssd-ad(5)](https://man.archlinux.org/man/sssd-ad.5.en) provider. There we need following attributes:
+
+  | passwd attribute | AD attribute |
+  |-----------|---------------------|
+  | username  | `sAMAccountName`    |
+  | UID       | `uidNumber`         |
+  | GID       | `gidNumber`         |
+  | home      | `unixHomeDirectory` |
+  | gecos     | `gecos`             |
+
+Note that the `loginShell` attribute for the shell shall not be set as we only want to support Bash as login shell in the future.
+
+Finally the [gecos field](https://en.wikipedia.org/wiki/Gecos_field) shall be generated from other already existing AD attributes:
+
+<displayName>,<physicalDeliveryOfficeName>,<telephoneNumber>,,<mail>
+
+example:
+```
+Konrad Bucheli,OBBA/230,telephoneNumber,,konrad.bucheli@psi.ch
+```
+Note the field 4 (home/mobile number) we do not set, thus we have an empty field with two commas in a row.
+
+
 ## Primary Groups
+By default the user group is `unx-nogroup`. The exception are experiment accounts, where the primary group is the corresponding g-group.
+
+If there are good reasons (example?) another primary group might be set.
+
+Except for the default `unx-nogroup`, a user shall always also be explicit member of his primary group (e.g. member of the g-group for experiment accounts).
 
 At PSI the user-private group scheme (UPG), the default on Red Hat
-distributions, is **not** used. Instead, every user\'s primary group is
-usually one specific to the group/department the user is working for,
-eg. `unx-ait`.
-
-Users for whom there is no natural choice of primary group are assigned
-`unx-nogroup`.
+distributions, is **not** used.
 
 ## Low GIDs
 
@@ -95,12 +129,6 @@ A number of groups have very low GIDs (\<500), in particular:
     unx-dtp:*:451:
     unx-lsu:*:490:
 
-## Shells
-
-We support bash, and we also try to keep tcsh working.
-
-Currently bash, tcsh, and sh are used. The form for ordering accounts
-also offers `/bin/ksh` and `/bin/zsh`. The most popular by far is bash.
 
 ## Special Accounts
 

engineering-guide/active-directory.md

@@ -32,10 +32,7 @@ In certain contexts (eg in [`sssd.conf(5)`](https://linux.die.net/man/5/sssd.con
 ## Linux Computer Objects
 
 Computer objects for Linux systems are created in
-`OU=linux,OU=servers,OU=psi,DC=d,DC=psi,DC=ch`. We currently do not distinguish
-between servers and workstations in AD (unlike the Windows team), as the
-distinction isn't clear and it wouldn't help us anyway (as we don't use AD group
-policies).
+`OU=linux,OU=servers,OU=psi,DC=d,DC=psi,DC=ch` or `OU=linux,OU=computers,OU=psi,DC=d,DC=psi,DC=ch` (workstation and consoles).
 
 We perform the join password-less, by pre-creating the computer object using a
 script running on the Puppet master.