Accounts
Linux accounts are generally stored and managed in Active Directory.
Current user (uid) and group (gid) ranges can be found here: [UID and GID Management](_static/UID_and_GID.pdf)
Account Types
There are several types of accounts, which are usually indicated by a prefix or suffix:
- Normal accounts. No prefix or suffix. Older accounts are just last names, newer accounts are LASTNAME_X, where X is the first letter of the given name.
- Global accounts. These have a `gac-` prefix. There are only a handful of these on Linux so far, due to concerns about the lack of login restrictions.
- Administrator accounts. Marked with an `-adm` suffix.
- External users. These start with an `ext-` prefix and are provided to external users, i.e. those who are not PSI employees.
- Service accounts. These come with a `svcusr-` prefix and are used for running services.
Official documentation on PSI IT account naming convention can be found here
UID Allocation
| UID range | GID range | Purpose | Managed by / source |
|---|---|---|---|
| 0 - 1000 | 100 - 1000 | local users / groups | manually |
| 1000 - 9999 | 110 - 9999 | old AD accounts | manually |
| 10000 - 29999 | 10000 - 29999 | e-accounts / p-groups | experiment provisioning tool |
| 30000 - 65534 | 30000 - 65534 | new AD users / groups, external AD accounts | OM, msSFU30UidNumber |
| 70000 - 120000 | 70000 - 120000 | e-accounts / p-groups | experiment provisioning tool |
| 123458 - 150000 | -10000 - -4294967296 | local AFS users / groups | AFS |
| 200000 - 400000 | 200000 - 400000 | new AD users / groups, external AD accounts | IAM, msSFU30UidNumber |
| 2000000000 - 4294967296 | 2000000000 - 4294967296 | sub-UIDs / sub-GIDs for containers | local Linux systems, local Windows Subsystem for Linux |
LDAP Attribute Mapping
| Attribute | LDAP Attribute |
|---|---|
| username | msSFU30Name |
| UID | msSFU30UidNumber |
| GID | msSFU30GidNumber |
| home | msSFU30HomeDirectory |
| shell | msSFU30LoginShell |
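As an added illustration of the naming convention, the UID allocation table and the attribute mapping above (example code written for this page, not a PSI tool and not part of nslcd), the following Python turns one LDIF entry into the passwd(5) line that nslcd would synthesise from the msSFU30 attributes, classifies the login name, and flags a UID that falls into no allocated range or into the range reserved for local users, where it could collide with an entry in the local /etc/passwd. The LDIF entries, DN layout and home directories are constructed; treating the range bounds as inclusive and testing prefixes before the `-adm` suffix are assumptions, since the page does not say.

```python
"""Map an AD user entry with SFU attributes onto a passwd line and sanity-check it.

Added example for this page. The LDIF below is constructed, not real PSI data.
"""
import re

# UID allocation table from this page. Bounds are treated as inclusive
# (assumption: the page does not say), so 1000 matches the first two rows.
UID_RANGES = [
    (0, 1000, "local users (manual)"),
    (1000, 9999, "old AD accounts (manual)"),
    (10000, 29999, "e-accounts (experiment provisioning tool)"),
    (30000, 65534, "new/external AD accounts (OM)"),
    (70000, 120000, "e-accounts (experiment provisioning tool)"),
    (123458, 150000, "local AFS users"),
    (200000, 400000, "new/external AD accounts (IAM)"),
    (2000000000, 4294967296, "sub-UIDs for containers"),
]

# passwd field -> AD attribute, from the LDAP attribute mapping on this page.
ATTR_MAP = {
    "username": "msSFU30Name",
    "uid": "msSFU30UidNumber",
    "gid": "msSFU30GidNumber",
    "home": "msSFU30HomeDirectory",
    "shell": "msSFU30LoginShell",
}


def account_type(name):
    """Classify a login name by the prefix/suffix conventions on this page.

    Prefixes are tested before the -adm suffix; which wins when both are
    present is not stated on the page, so that order is an assumption.
    """
    n = name.lower()
    if n.startswith("gac-"):
        return "global"
    if n.startswith("ext-"):
        return "external"
    if n.startswith("svcusr-"):
        return "service"
    if n.endswith("-adm"):
        return "administrator"
    if re.fullmatch(r"[a-z]+_[a-z]", n):
        return "normal (LASTNAME_X)"
    if re.fullmatch(r"[a-z]+", n):
        return "normal (last name only)"
    return "unknown"


def uid_ranges(uid):
    """Return the labels of every allocation row the UID falls into."""
    return [label for lo, hi, label in UID_RANGES if lo <= uid <= hi]


def parse_ldif(text):
    """Parse one LDIF entry of 'attr: value' lines (no base64, no folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry[attr] = value.strip()
    return entry


def passwd_line(entry):
    """Render the passwd(5) line nslcd would synthesise from the entry."""
    f = {k: entry[v] for k, v in ATTR_MAP.items()}
    return f"{f['username']}:x:{f['uid']}:{f['gid']}::{f['home']}:{f['shell']}"


def check_entry(entry):
    """Return a list of findings; an empty list means the entry looks sane."""
    missing = [a for a in ATTR_MAP.values() if a not in entry]
    if missing:
        return ["missing SFU attributes: " + ", ".join(missing)]
    findings = []
    uid = int(entry["msSFU30UidNumber"])
    rows = uid_ranges(uid)
    if not rows:
        findings.append(f"uid {uid} is outside every allocated range")
    elif "local users (manual)" in rows:
        # Such a UID can collide with an account in the local /etc/passwd.
        findings.append(f"uid {uid} lies in the range reserved for local users")
    if account_type(entry["msSFU30Name"]) == "unknown":
        findings.append(f"name {entry['msSFU30Name']!r} matches no naming convention")
    return findings


# Constructed entries (DN layout and paths are made up for the example).
SAMPLE_LDIF = """\
dn: CN=muster_m,OU=Users,DC=d,DC=psi,DC=ch
msSFU30Name: muster_m
msSFU30UidNumber: 31234
msSFU30GidNumber: 101
msSFU30HomeDirectory: /home/muster_m
msSFU30LoginShell: /bin/bash
"""

BAD_LDIF = """\
dn: CN=svcusr-backup,OU=Service,DC=d,DC=psi,DC=ch
msSFU30Name: svcusr-backup
msSFU30UidNumber: 500
msSFU30GidNumber: 101
msSFU30HomeDirectory: /var/lib/backup
msSFU30LoginShell: /sbin/nologin
"""

if __name__ == "__main__":
    for ldif in (SAMPLE_LDIF, BAD_LDIF):
        e = parse_ldif(ldif)
        print(passwd_line(e), account_type(e["msSFU30Name"]), check_entry(e))
```

Because row bounds touch (0 - 1000 and 1000 - 9999), `uid_ranges(1000)` returns both labels; the allocation table should really be read as half-open ranges, and any account actually sitting on a boundary is worth a second look.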
Primary Groups
At PSI the user-private group scheme (UPG), the default on Red Hat
distributions, is not used. Instead, every user's primary group is
usually one specific to the group/department the user is working for,
e.g. unx-ait.
Users for whom there is no natural choice of primary group are assigned
unx-nogroup.
Low GIDs
A number of groups have very low GIDs (<500), i.e. below the GID_MIN of 1000 that current distributions set in login.defs for regular groups, inside the range the distributions reserve for system groups. With the usual `files ldap` order in nsswitch.conf a local group in /etc/group that happens to use one of these GIDs shadows the AD group, so the list below is worth checking against the system groups of any image before it is joined. In particular:
```
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-aea:*:130:
unx-lmu:*:140:
unx-lem:*:141:
unx-muesr:*:150:
unx-asm:*:210:
unx-lrp:*:220:
unx-zrp:*:221:
unx-ash:*:230:
unx-ppt:*:280:
unx-pmr:*:290:
unx-cmt:*:301:
unx-lfk:*:310:
unx-lch:*:320:
unx-lns:*:330:
unx-lap:*:340:
unx-lmn:*:350:
unx-asq:*:360:
unx-crpp:*:370:
unx-psq:*:380:
unx-psz:*:390:
unx-gabe:*:402:
unx-lrs:*:410:
unx-lth:*:420:
unx-lwv:*:430:
unx-les:*:440:
unx-dtp:*:451:
unx-lsu:*:490:
```
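The check a practitioner would want for the low GIDs above, as an added example for this page (not a PSI tool): compare the AD groups with a host's /etc/group, report GIDs used by both and names defined in both with different GIDs, and show which entry getgrgid(3) would return under a given nsswitch.conf order. `AD_GROUPS` is a subset of the list above; `LOCAL_GROUP` is constructed and does not come from a real host. Treating the first source that answers as the winner follows the normal nsswitch semantics for `files ldap` and is the only assumption.

```python
"""Detect GID and name collisions between local /etc/group and low-GID AD groups.

Added example for this page. AD_GROUPS is a subset of the page's list;
LOCAL_GROUP is constructed, not taken from a real system.
"""

AD_GROUPS = """\
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-aea:*:130:
unx-muesr:*:150:
unx-asm:*:210:
unx-lsu:*:490:
"""

# Constructed local group file: appgrp reuses GID 150, and a stale local
# unx-lke exists with a GID that differs from the AD one.
LOCAL_GROUP = """\
root:x:0:
wheel:x:10:alice
users:x:100:
systemd-journal:x:190:
appgrp:x:150:bob
unx-lke:x:999:
"""


def parse_group(text):
    """Parse group(5) lines into {name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def find_collisions(local, ad):
    """Return (gid_clashes, name_clashes).

    gid_clashes:  (gid, local_name, ad_name) for GIDs present in both sources
    name_clashes: (name, local_gid, ad_gid) for names present in both with
                  different GIDs
    """
    by_gid_local = {gid: name for name, (gid, _) in local.items()}
    gid_clashes = sorted(
        (gid, by_gid_local[gid], name)
        for name, (gid, _) in ad.items()
        if gid in by_gid_local
    )
    name_clashes = sorted(
        (name, local[name][0], gid)
        for name, (gid, _) in ad.items()
        if name in local and local[name][0] != gid
    )
    return gid_clashes, name_clashes


def resolve_gid(gid, local, ad, order=("files", "ldap")):
    """Emulate getgrgid(3) for an nsswitch.conf 'group:' order: first hit wins."""
    sources = {"files": local, "ldap": ad}
    for src in order:
        for name, (g, _members) in sources[src].items():
            if g == gid:
                return src, name
    return None


if __name__ == "__main__":
    local, ad = parse_group(LOCAL_GROUP), parse_group(AD_GROUPS)
    gid_clashes, name_clashes = find_collisions(local, ad)
    print("GID clashes:", gid_clashes)
    print("name clashes:", name_clashes)
    print("GID 150 resolves to:", resolve_gid(150, local, ad))
```

A GID clash means that files owned by the AD group are displayed with, and group-writable for, the local group's members instead; a name clash means `chgrp unx-lke` on that host silently picks the local GID. Both are fixed by removing or renumbering the local entry, never by changing the AD group.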
Shells
We support bash and also try to keep tcsh working.
Currently bash, tcsh and sh are in use. The form for ordering accounts
also offers /bin/ksh and /bin/zsh. bash is by far the most popular.
Special Accounts
linux_ldap: query LDAP
The `linux_ldap` account has read-only permissions on a limited subset of the LDAP attributes. It is used by `nslcd`, for example, to query LDAP for users' uid, gid, etc.
The password should not be shared unnecessarily, but given the account's read-only, limited scope it does not need to be specifically protected either. In earlier releases of Scientific Linux it was in fact necessary to have `/etc/nslcd.conf`, which contains the password, world-readable. On current releases nslcd reads its configuration as root before switching to its own user, so the file should be owned by root and readable only by root (mode 0600), which is also what nslcd.conf(5) recommends whenever bindpw is set.
This account must not be given additional access or privileges.
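To turn the two points above into a check, here is an added example for this page (not part of nss-pam-ldapd or of any PSI tooling) that parses an nslcd.conf, reports a bindpw that is readable by group or others, verifies that binddn is the linux_ldap account rather than something more privileged, and confirms that the passwd attributes are mapped to the msSFU30 names from the attribute table. The sample configuration, its server URI and DN layout are constructed; the `map passwd ATTR LDAPATTR` form is the standard nslcd.conf syntax.

```python
"""Audit an nslcd.conf for the linux_ldap bind credentials and attribute maps.

Added example for this page (not part of nss-pam-ldapd or any PSI tooling).
SAMPLE_CONF is constructed; the server URI and DN layout are made up.
"""
import os
import stat
import tempfile

# passwd attributes nslcd needs and their AD names from the mapping table on this page.
REQUIRED_MAPS = {
    "uid": "msSFU30Name",
    "uidNumber": "msSFU30UidNumber",
    "gidNumber": "msSFU30GidNumber",
    "homeDirectory": "msSFU30HomeDirectory",
    "loginShell": "msSFU30LoginShell",
}

SAMPLE_CONF = """\
# constructed nslcd.conf for the example
uid nslcd
gid ldap
uri ldaps://ldap.example.org/
base dc=d,dc=psi,dc=ch
binddn CN=linux_ldap,OU=Service,DC=d,DC=psi,DC=ch
bindpw not-the-real-password
map passwd uid msSFU30Name
map passwd uidNumber msSFU30UidNumber
map passwd gidNumber msSFU30GidNumber
map passwd homeDirectory msSFU30HomeDirectory
map passwd loginShell msSFU30LoginShell
"""


def parse_nslcd_conf(text):
    """Parse 'keyword value...' lines; 'map' lines are kept as (map, attr, ldap_attr)."""
    conf = {"map": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "map":
            conf["map"].append(tuple(value.split()))
        else:
            conf[key] = value.strip()
    return conf


def audit_nslcd(path, bind_account="linux_ldap"):
    """Return a list of findings for the config at path; empty means clean."""
    findings = []
    with open(path) as fh:
        conf = parse_nslcd_conf(fh.read())
    mode = os.stat(path).st_mode
    if "bindpw" in conf:
        # A readable bindpw lets any local user bind as the LDAP reader.
        if mode & stat.S_IROTH:
            findings.append("bindpw set but file is world-readable")
        elif mode & stat.S_IRGRP:
            findings.append("bindpw set but file is group-readable")
    if bind_account.lower() not in conf.get("binddn", "").lower():
        findings.append(f"binddn is not the {bind_account} read-only account")
    mapped = {(m, attr): ldap_attr for m, attr, ldap_attr in conf["map"]}
    for attr, want in REQUIRED_MAPS.items():
        got = mapped.get(("passwd", attr))
        if got != want:
            findings.append(f"passwd {attr} maps to {got}, expected {want}")
    return findings


def write_conf(text, mode):
    """Write text to a temporary file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(prefix="nslcd.conf.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(oct(mode), audit_nslcd(write_conf(SAMPLE_CONF, mode)))
```

Ownership is deliberately not checked so the example runs as an unprivileged user; on a real host add a test that the file is owned by root.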
linuxadjoin.psi.ch@D.PSI.CH
This account is a pure AD account (i.e. it has no Unix attributes such as a uid), which is used to manage computer objects in AD automatically. In particular, it is used to precreate computer objects to allow password-less AD joins.
The account is only used on the Puppet server and has no password known to anyone; instead a keytab is used to obtain a valid Kerberos ticket. The keytab is equivalent to the password and must be protected as such: it stays on the Puppet server, readable only by the process that runs the joins, and is never copied into Puppet code or into a repository.