diff --git a/engineering-guide/accounts-and-groups.md b/engineering-guide/accounts-and-groups.md index 3cc972be..4cb18624 100644 --- a/engineering-guide/accounts-and-groups.md +++ b/engineering-guide/accounts-and-groups.md 
@@ -14,17 +14,26 @@ prefix or suffix: - Normal accounts. No prefix or suffix. Older accounts are just last names, newer accounts are LASTNAME_X, where X is the first letter of the given name. -- Global accounts. These have a `gac-` prefix. There are only a - handful of these on Linux so far, due to concerns about the lack of - login restrictions. +- Global accounts (or gac-accounts). These have a `gac-` prefix. These are shared accounts where several people know the password. Note that some global accounts were originially experiment accounts and share the properties of experiment accounts - Administrator accounts. Marked with an `-adm` suffix. - External users. These start with an `ext-` prefix and are provided to external users, ie. those who are not PSI employees. -- Service accounts. These come with an `svcusr-` prefix and are used - for running services. +- Experiment accounts (or e-accounts). These start with `e` followed by the uid (+ some global accounts which where renamed later). + These are managed by the [Digital User Office (DUO)](https://duo.psi.ch). + The password is shared by all users involved in the experiment. +- Service accounts. These come with an `svcusr-` prefix and are used for running services. Official documentation on PSI IT account naming convention can be found [here](https://psi.service-now.com/psisp?sys_kb_id=c498a3cb1bff68502c5940498b4bcb44&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=4877d78687cc1d10bc150d830cbb3540) +To be able to easily distinguish between the different account types, a user shall be assigned to + + | Unix Group | Accont Type | + |--------------------|-------------| + | `unx-lx_users` | normal user and administrator acccounts | + | `unx-lx_gac_users` | global accounts | + | `unx-lx_ext_users` | external accounts | + | `unx-lx_e_users` | experiment accounts | + ## UID Allocation | UID | GID | | 
@@ -32,17 +41,19 @@ Official documentation on PSI IT account naming convention can be found [here](h | 0 - 1000 | 100 - 1000 | local users / groups manually | | 1000 - 9999 | 110 - 9999 | old AD accounts manually | | 10000 - 29999 | 10000 - 29999 | e-accounts / p-groups Experiment prov. tool | - | 30000 - 65534 | 30000 - 65534 | new AD users / groups /external AD accounts OM msSFU30UidNumber | + | 30000 - 65534 | 30000 - 65534 | new AD users / groups /external AD accounts OM | | 70000 - 120000 | 70000 - 120000 | e-accounts / p-groups Experiment prov. tool | | 123458 - 150000 | -10000 - -4294967296 | local AFS users / groups AFS | - | 200000 - 400000 | 200000 - 400000 | new AD users / groups /external AD accounts IAM msSFU30UidNumber | + | 200000 - 400000 | 200000 - 400000 | new AD users / groups /external AD accounts IAM | | 2000000000 - 4294967296 | 2000000000 - 4294967296 | sub UID / GID for containers local Linux systems / local Windows subsystems for Linux | -## LDAP Attribute Mapping +## AD Attribute Mapping - | Attribute | LDAP Attribute | +For the [sssd-ldap(5)](https://man.archlinux.org/man/sssd-ldap.5.en) provider following mapping is used + + | passwd attribute | AD attribute | |-----------|------------------------| | username | `msSFU30Name` | | UID | `msSFU30UidNumber` | 
@@ -50,15 +61,38 @@ Official documentation on PSI IT account naming convention can be found [here](h | home | `msSFU30HomeDirectory` | | shell | `msSFU30LoginShell` | +We are on the process to move to the [sssd-ad(5)](https://man.archlinux.org/man/sssd-ad.5.en) provider. There we need following attributes: + + | passwd attribute | AD attribute | + |-----------|---------------------| + | username | `sAMAccountName` | + | UID | `uidNumber` | + | GID | `gidNumber` | + | home | `unixHomeDirectory` | + | gecos | `gecos` | + +Note that the `loginShell` attribute for the shell shall not be set as we only want to support Bash as login shell in the future. + +Finally the [gecos field](https://en.wikipedia.org/wiki/Gecos_field) shall be generated from other already existing AD attributes: + +,,,, + +example: +``` +Konrad Bucheli,OBBA/230,telephoneNumber,,konrad.bucheli@psi.ch +``` +Note the field 4 (home/mobile number) we do not set, thus we have an empty field with two commas in a row. + + ## Primary Groups +By default the user group is `unx-nogroup`. The exception are experiment accounts, where the primary group is the corresponding g-group. + +If there are good reasons (example?) another primary group might be set. + +Except for the default `unx-nogroup`, a user shall always also be explicit member of his primary group (e.g. member of the g-group for experiment accounts). At PSI the user-private group scheme (UPG), the default on Red Hat -distributions, is **not** used. Instead, every user\'s primary group is -usually one specific to the group/department the user is working for, -eg. `unx-ait`. - -Users for whom there is no natural choice of primary group are assigned -`unx-nogroup`. +distributions, is **not** used. ## Low GIDs 
@@ -95,12 +129,6 @@ A number of groups have very low GIDs (\<500), in particular: unx-dtp:*:451: unx-lsu:*:490: -## Shells - -We support bash, and we also try to keep tcsh working. - -Currently bash, tcsh, and sh are used. The form for ordering accounts -also offers `/bin/ksh` and `/bin/zsh`. The most popular by far is bash. ## Special Accounts diff --git a/engineering-guide/active-directory.md b/engineering-guide/active-directory.md index 8525b5c7..37af137b 100644 --- a/engineering-guide/active-directory.md +++ b/engineering-guide/active-directory.md @@ -32,10 +32,7 @@ In certain contexts (eg in [`sssd.conf(5)`](https://linux.die.net/man/5/sssd.con ## Linux Computer Objects Computer objects for Linux systems are created in -`OU=linux,OU=servers,OU=psi,DC=d,DC=psi,DC=ch`. We currently do not distinguish -between servers and workstations in AD (unlike the Windows team), as the -distinction isn't clear and it wouldn't help us anyway (as we don't use AD group -policies). +`OU=linux,OU=servers,OU=psi,DC=d,DC=psi,DC=ch` or `OU=linux,OU=computers,OU=psi,DC=d,DC=psi,DC=ch` (workstation and consoles). We perform the join password-less, by pre-creating the computer object using a script running on the Puppet master.
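Review bot: In the first accounts-and-groups.md hunk (`@@ -14,17 +14,26 @@`) the lead-in sentence to the new group table is cut off: "a user shall be assigned to" needs an object, e.g. "shall be assigned to exactly one of the following Unix groups:". The same hunk has several spelling slips in added lines: "Accont Type" and "acccounts" in the table, "originially" and "which where renamed later" in the bullets (should be "originally" and "which were renamed"). The rewritten global-accounts bullet also drops the previous text's reason for keeping gac- accounts rare ("concerns about the lack of login restrictions"); since both gac- and e-accounts are now described as shared-password accounts and get their own Unix groups, one sentence stating that those groups exist so that shared accounts can be restricted (and that they remain the exception) would preserve the intent the old wording carried.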
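Review bot: In the second accounts-and-groups.md hunk (`@@ -32,17 +41,19 @@`) the two AD rows of the UID table lose the `msSFU30UidNumber` reference, leaving bare "OM" and "IAM" labels that the document never expands; either keep the attribute name (or state that these ranges come from `msSFU30UidNumber` today and `uidNumber` after the provider migration described further down) or add a short gloss for OM and IAM. Also in this hunk, "provider following mapping is used" should read "provider the following mapping is used", and the heading rename to "AD Attribute Mapping" is fine but the left column header should match the one used in the next table ("passwd attribute") in both tables, which it does, so only the sentence needs fixing.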
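Review bot: In the third accounts-and-groups.md hunk (`@@ -50,15 +61,38 @@`) the gecos format line is only `,,,,`, so the field names and the AD attributes each field is generated from are missing; spell out the five fields in order (the example suggests full name, room, work phone, home/mobile phone, e-mail) and name the source attribute for each. The example itself mixes an attribute name into the value (`telephoneNumber` where a number should appear), which makes it unclear whether the field holds the literal attribute name or its value; use a clearly marked sample value instead. The `loginShell` paragraph says the attribute shall not be set but not how bash is then assigned; state the sssd setting that supplies the shell when the attribute is absent, otherwise the result depends on local configuration. Smaller points: "We are on the process" should be "in the process"; "The exception are experiment accounts" should be "The exception is"; "be explicit member of his primary group" should be "be an explicit member of their primary group"; and the parenthetical "(example?)" is an open question that should be answered or removed before merging.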
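Review bot: The `@@ -95,12 +129,6 @@` hunk deletes the whole Shells section, so the document no longer says which shells are supported, while the removed text records that tcsh and sh are currently in use and that the account order form still offers `/bin/ksh` and `/bin/zsh`. Since the new `loginShell` paragraph earlier in the patch declares bash the only supported shell going forward, replace the section with a one-line statement of that policy and a note on what happens to existing tcsh/sh users and to the order-form options, rather than deleting it outright.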
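Review bot: In the active-directory.md hunk (`@@ -32,10 +32,7 @@`) the new sentence introduces a second OU but gives no rule for choosing between them; the parenthetical "(workstation and consoles)" implies servers go under `OU=servers` and workstations and consoles under `OU=computers`, so say that explicitly, because the pre-creation script on the Puppet master mentioned in the next line has to pick one. The parenthetical should also read "(workstations and consoles)". The removed text stated that AD group policies are not used for Linux; if that is still true, keep that sentence, since it is the reason OU placement has no policy side effects.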