diff --git a/admin-guide/architecture/accounts-and-groups.md b/admin-guide/architecture/accounts-and-groups.md index 6e4aaaf6..0ee66ceb 100644 --- a/admin-guide/architecture/accounts-and-groups.md +++ b/admin-guide/architecture/accounts-and-groups.md @@ -1,6 +1,4 @@ ---- -title: Accounts ---- +# Accounts Linux accounts are generally stored and managed in Active Directory. @@ -8,7 +6,7 @@ Linux accounts are generally stored and managed in Active Directory. Current user (uid) and group (gid) ranges can be found here: [UID and GID Management](https://git.psi.ch/linux-infra/documentation/blob/master/pdf/UID_and_GID.pdf) ``` -# Account Types +## Account Types There are several types of accounts, which are usually indicated by a prefix or suffix: @@ -25,7 +23,7 @@ prefix or suffix: - Service accounts. These come with an `svcusr-` prefix and are used for running services. -# UID Allocation +## UID Allocation ---------------- ------------- Old accounts 1000-6000 @@ -34,7 +32,7 @@ prefix or suffix: New accounts 35000+ ---------------- ------------- -# LDAP Attribute Mapping +## LDAP Attribute Mapping Attribute LDAP Attribute ----------- ------------------------ @@ -44,7 +42,7 @@ prefix or suffix: home `msSFU30HomeDirectory` shell `msSFU30LoginShell` -# Primary Groups +## Primary Groups At PSI the user-private group scheme (UPG), the default on Red Hat distributions, is **not** used. Instead, every user\'s primary group is @@ -54,7 +52,7 @@ eg. `unx-ait`. Users for whom there is no natural choice of primary group are assigned `unx-nogroup`. -# Low GIDs +## Low GIDs A number of groups have very low GIDs (\<500), in particular: 
@@ -89,16 +87,16 @@ A number of groups have very low GIDs (\<500), in particular: unx-dtp:*:451: unx-lsu:*:490: -# Shells +## Shells We support bash, and we also try to keep tcsh working. Currently bash, tcsh, and sh are used. The form for ordering accounts also offers `/bin/ksh` and `/bin/zsh`. The most popular by far is bash. -# Special Accounts +## Special Accounts -## `linux_ldap`: query LDAP +### `linux_ldap`: query LDAP The [linux_ldap]{.title-ref} account has read-only permissions on a limited subset of the LDAP attributes. It is used by @@ -112,7 +110,7 @@ which contains the password, world-readable. This account **must not** be given additional access or privileges. -## `linuxadjoin.psi.ch@D.PSI.CH` +### `linuxadjoin.psi.ch@D.PSI.CH` This account is a pure AD account (ie it doesn\'t have Unix attributes like uid), which is used to manage computer objects in AD automatically.
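Review bot: Replacing the YAML front matter (`---` / `title: Accounts` / `---`) with a bare `# Accounts` heading in the `@@ -1,6 +1,4 @@` hunk moves the page title out of metadata and into the body; confirm the admin-guide site generator takes the page title from the first H1, otherwise this page loses its title in navigation and search. If the generator still reads `title:` from front matter, keep those three lines and add `# Accounts` beneath them instead of swapping one for the other.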
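Review bot: The context line directly above `-# Account Types` in the `@@ -8,7 +6,7 @@` hunk ends with a bare ``` fence after the "UID and GID Management" link; if that fence opens a block rather than closing one, the promoted `## Account Types` heading and the prefix/suffix list under it render as code. Check the lines just before this hunk for the matching fence and remove the stray one in the same commit, since the heading re-levelling is only visible if the headings render as headings.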
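Review bot: The context lines in the `@@ -44,7 +42,7 @@` hunk still carry pandoc-style escapes (`user\'s` in the Primary Groups paragraph), and the same pattern appears as `\<500` in the Low GIDs hunk and `doesn\'t` in the `linuxadjoin` hunk; these render as literal backslashes in plain Markdown. Since this change is already normalizing the file's heading levels, drop the backslashes alongside it (and `eg.` / `ie` read better as `e.g.` / `i.e.`) rather than leaving the conversion half done.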
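Review bot: `[linux_ldap]{.title-ref}` in the `@@ -89,16 +87,16 @@` hunk is pandoc bracketed-span syntax and will print literally under a plain Markdown renderer; replace it with `` `linux_ldap` `` so it matches the new `### `linux_ldap`: query LDAP` heading. The paragraph in this hunk also documents that the account's password sits in a world-readable file, which makes the "This account **must not** be given additional access or privileges" sentence the load-bearing control for that account; consider promoting it to a standalone warning line so it is not buried once the section is nested a level deeper under `## Special Accounts`.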