gitea-pages/admin-guide/architecture/accounts-and-groups.md
# Accounts

Linux accounts are generally stored and managed in Active Directory.

Current user (uid) and group (gid) ranges can be found here: [UID and GID Management](https://git.psi.ch/linux-infra/documentation/blob/master/pdf/UID_and_GID.pdf)

## Account Types

There are several types of accounts, which are usually indicated by a prefix or suffix:

- Normal accounts. No prefix or suffix. Older accounts are just last names; newer accounts are LASTNAME_X, where X is the first letter of the given name.
- Global accounts. These have a gac- prefix. There are only a handful of these on Linux so far, due to concerns about the lack of login restrictions.
- Administrator accounts. Marked with an -adm suffix.
- External users. These start with an ext- prefix and are provided to external users, i.e. those who are not PSI employees.
- Service accounts. These come with an svcusr- prefix and are used for running services.

Official documentation on the PSI IT account naming convention can be found here.

## UID Allocation

| Account class  | UID range   |
|----------------|-------------|
| Old accounts   | 1000-6000   |
| GFA accounts   | 10000-30000 |
| External users | 30000-35000 |
| New accounts   | 35000+      |

## LDAP Attribute Mapping

| Attribute | LDAP Attribute         |
|-----------|------------------------|
| username  | msSFU30Name            |
| UID       | msSFU30UidNumber       |
| GID       | msSFU30GidNumber       |
| home      | msSFU30HomeDirectory   |
| shell     | msSFU30LoginShell      |
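The attribute mapping, the naming prefixes and the UID bands above can be checked mechanically. The script below is an added example, not code from this guide or the PSI repositories: it builds passwd-style records from AD entries using the msSFU30 attributes, classifies each account by its prefix or suffix, and reports accounts whose UID band, primary GID or shell disagrees with the conventions. The AD entries, the group GID 10020 and the half-open reading of the range boundaries (6000, 30000 and 35000 taken as the start of the higher band) are assumptions.

```python
import re

# passwd field -> AD attribute, per the mapping table in the guide
LDAP_ATTR_MAP = {
    "username": "msSFU30Name",
    "uid": "msSFU30UidNumber",
    "gid": "msSFU30GidNumber",
    "home": "msSFU30HomeDirectory",
    "shell": "msSFU30LoginShell",
}

# UID allocation from the guide, read as half-open intervals (assumption:
# the shared boundaries 6000/30000/35000 belong to the higher band);
# the upper bound of "new" is also an assumption.
UID_RANGES = {
    "old": range(1000, 6000),
    "gfa": range(10000, 30000),
    "external": range(30000, 35000),
    "new": range(35000, 2**31),
}

SUPPORTED_SHELLS = {"/bin/bash", "/bin/tcsh", "/bin/sh"}  # in use per the guide
ORDERABLE_SHELLS = {"/bin/ksh", "/bin/zsh"}               # offered on the order form


def account_type(name: str) -> str:
    """Classify an account by the prefix/suffix conventions in the guide."""
    if name.startswith("gac-"):
        return "global"
    if name.startswith("ext-"):
        return "external"
    if name.startswith("svcusr-"):
        return "service"
    if name.endswith("-adm"):
        return "administrator"
    # plain last name, or LASTNAME_X with the first letter of the given name
    if re.fullmatch(r"[A-Za-z]+(_[A-Za-z])?", name):
        return "normal"
    return "unknown"


def uid_band(uid: int):
    """Return the allocation band a UID falls in, or None if it is unallocated."""
    for band, rng in UID_RANGES.items():
        if uid in rng:
            return band
    return None


def ldap_to_passwd(entry: dict) -> dict:
    """Translate one AD entry (attribute -> value) into passwd fields."""
    fields = {}
    for field, attr in LDAP_ATTR_MAP.items():
        if attr not in entry:
            raise KeyError(f"entry is missing {attr} (needed for {field})")
        fields[field] = entry[attr]
    fields["uid"] = int(fields["uid"])
    fields["gid"] = int(fields["gid"])
    return fields


def passwd_line(fields: dict) -> str:
    """Render the fields as a passwd(5) line (empty GECOS, 'x' password)."""
    return "{username}:x:{uid}:{gid}::{home}:{shell}".format(**fields)


def audit(fields: dict) -> list:
    """Return the findings for one account; an empty list means it looks right."""
    name, uid, gid, shell = fields["username"], fields["uid"], fields["gid"], fields["shell"]
    kind, band = account_type(name), uid_band(uid)
    issues = []
    if kind == "unknown":
        issues.append(f"name {name!r} matches no naming convention")
    if band is None:
        issues.append(f"uid {uid} lies outside every allocated range")
    if kind == "external" and band != "external":
        issues.append(f"ext- account has uid {uid} outside 30000-35000")
    if band == "external" and kind != "external":
        issues.append(f"uid {uid} is in the external range but name lacks ext- prefix")
    if uid == gid:
        issues.append("gid equals uid: looks like a user-private group, which PSI does not use")
    if shell not in SUPPORTED_SHELLS:
        hint = " (orderable, but only bash/tcsh/sh are kept working)" if shell in ORDERABLE_SHELLS else ""
        issues.append(f"shell {shell} is not supported{hint}")
    return issues


# Constructed AD entries for the demonstration (not real PSI accounts)
SAMPLE_ENTRIES = [
    {"msSFU30Name": "muster_a", "msSFU30UidNumber": "35123", "msSFU30GidNumber": "10020",
     "msSFU30HomeDirectory": "/home/muster_a", "msSFU30LoginShell": "/bin/bash"},
    {"msSFU30Name": "ext-visitor", "msSFU30UidNumber": "30120", "msSFU30GidNumber": "10020",
     "msSFU30HomeDirectory": "/home/ext-visitor", "msSFU30LoginShell": "/bin/zsh"},
    {"msSFU30Name": "svcusr-backup", "msSFU30UidNumber": "40001", "msSFU30GidNumber": "40001",
     "msSFU30HomeDirectory": "/var/lib/backup", "msSFU30LoginShell": "/bin/sh"},
    {"msSFU30Name": "someone", "msSFU30UidNumber": "30500", "msSFU30GidNumber": "10020",
     "msSFU30HomeDirectory": "/home/someone", "msSFU30LoginShell": "/bin/bash"},
    {"msSFU30Name": "gac-shared", "msSFU30UidNumber": "800", "msSFU30GidNumber": "10020",
     "msSFU30HomeDirectory": "/home/gac-shared", "msSFU30LoginShell": "/bin/tcsh"},
]


def run_audit(entries=SAMPLE_ENTRIES) -> dict:
    """Map each account name to its findings."""
    return {f["username"]: audit(f) for f in map(ldap_to_passwd, entries)}


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        fields = ldap_to_passwd(entry)
        print(passwd_line(fields))
        for issue in audit(fields):
            print("  !", issue)
```

To run it against real data, feed `run_audit` the attribute dictionaries returned by an LDAP search that requests exactly the five msSFU30 attributes; only `muster_a` passes cleanly in the sample, the other four each trigger one finding.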

## Primary Groups

At PSI the user-private group scheme (UPG), the default on Red Hat distributions, is not used. Instead, every user's primary group is usually one specific to the group/department the user is working for, e.g. unx-ait.

Users for whom there is no natural choice of primary group are assigned unx-nogroup.

## Low GIDs

A number of groups have very low GIDs (<500), in particular:

```
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-aea:*:130:
unx-lmu:*:140:
unx-lem:*:141:
unx-muesr:*:150:
unx-asm:*:210:
unx-lrp:*:220:
unx-zrp:*:221:
unx-ash:*:230:
unx-ppt:*:280:
unx-pmr:*:290:
unx-cmt:*:301:
unx-lfk:*:310:
unx-lch:*:320:
unx-lns:*:330:
unx-lap:*:340:
unx-lmn:*:350:
unx-asq:*:360:
unx-crpp:*:370:
unx-psq:*:380:
unx-psz:*:390:
unx-gabe:*:402:
unx-lrs:*:410:
unx-lth:*:420:
unx-lwv:*:430:
unx-les:*:440:
unx-dtp:*:451:
unx-lsu:*:490:
```
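The practical risk with GIDs this low is that they sit inside the range local tools such as `groupadd -r` draw system GIDs from, so a group created locally on a host can end up sharing a GID with one of the AD groups above and file permissions then resolve to both. The script below is an added example, not from this guide: it parses group(5)-style lines, flags GIDs below 500, GIDs inside the local system-group range, and duplicate GIDs. The `SYS_GID_MIN`/`SYS_GID_MAX` values are the `/etc/login.defs` defaults on recent Red Hat releases and are an assumption, as are the last two sample lines.

```python
# Assumed login.defs defaults on recent Red Hat releases; check your own
# /etc/login.defs (SYS_GID_MIN / SYS_GID_MAX) before relying on them.
SYS_GID_MIN, SYS_GID_MAX = 201, 999
LOW_GID_LIMIT = 500  # the threshold the guide uses for "very low"


def parse_group_line(line: str) -> dict:
    """Parse one group(5) line: name:password:gid:member,member,..."""
    name, _password, gid, members = line.rstrip("\n").split(":", 3)
    return {"name": name, "gid": int(gid),
            "members": [m for m in members.split(",") if m]}


def low_gid_report(lines) -> dict:
    """Return {group name: [findings]} for every group that needs attention."""
    report, first_owner = {}, {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        g = parse_group_line(line)
        notes = []
        if g["gid"] < LOW_GID_LIMIT:
            notes.append(f"gid {g['gid']} is below {LOW_GID_LIMIT}")
        if SYS_GID_MIN <= g["gid"] <= SYS_GID_MAX:
            notes.append("inside the local system-group range, a groupadd -r collision is possible")
        if g["gid"] in first_owner:
            notes.append(f"duplicate gid, already used by {first_owner[g['gid']]}")
        first_owner.setdefault(g["gid"], g["name"])
        if notes:
            report[g["name"]] = notes
    return report


# Sample input: the first four lines are copied from the list above; the last
# two are constructed (unx-ait's GID is invented, backupsvc is a local group
# that happens to share GID 301 with unx-cmt).
SAMPLE_GROUP_LINES = [
    "unx-fkt:*:101:",
    "unx-abe:*:120:stingelin",
    "unx-cmt:*:301:",
    "unx-lsu:*:490:",
    "unx-ait:*:10020:",
    "backupsvc:x:301:",
]

if __name__ == "__main__":
    for group, notes in low_gid_report(SAMPLE_GROUP_LINES).items():
        print(group)
        for note in notes:
            print("  -", note)
```

On a real host, pass it the lines of `/etc/group` or the output of `getent group` so that local and AD-provided groups are checked together; that is where a duplicate GID actually shows up.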

## Shells

We support bash, and we also try to keep tcsh working.

Currently bash, tcsh, and sh are used. The form for ordering accounts also offers /bin/ksh and /bin/zsh. The most popular by far is bash.

## Special Accounts

### linux_ldap: query LDAP

The `linux_ldap` account has read-only permissions on a limited subset of the LDAP attributes. It is used by `nslcd`, for example, to query LDAP for users' uid, gid, etc.

The password should not be shared unnecessarily, but it does not need to be specifically protected either. In fact, in earlier releases of Scientific Linux it was necessary to have `/etc/nslcd.conf`, which contains the password, world-readable.

This account must not be given additional access or privileges.

### linuxadjoin.psi.ch@D.PSI.CH

This account is a pure AD account (i.e. it has no Unix attributes such as a uid), which is used to manage computer objects in AD automatically. In particular, it is used to pre-create computer objects so that hosts can join AD without a password.

The account is only used on the Puppet server and has no (known) password. Instead a keytab is used to get a valid Kerberos ticket.