Accounts and Groups
Linux accounts are generally stored and managed in Active Directory.
Account Types
There are several types of accounts, which are usually indicated by a prefix or suffix:
- Normal accounts. No prefix or suffix. Older accounts are just last names, newer accounts are LASTNAME_X, where X is the first letter of the given name.
- Global accounts (or gac-accounts). These have a gac- prefix. These are shared accounts where several people know the password. Note that some global accounts were originally experiment accounts and share the properties of experiment accounts.
- Administrator accounts. Marked with an -adm suffix.
- External users. These start with an ext- prefix and are provided to external users, i.e. those who are not PSI employees.
- Experiment accounts (or e-accounts). These start with e followed by the uid (+ some global accounts which were renamed later). These are managed by the Digital User Office (DUO). The password is shared by all users involved in the experiment.
- Service accounts. These come with an svcusr- prefix and are used for running services.
Official documentation on PSI IT account naming convention can be found here
To be able to easily distinguish between the different account types, a user shall be assigned to one of the following Unix groups:
| Unix Group | Account Type |
|---|---|
| unx-lx_users | normal user and administrator accounts |
| unx-lx_gac_users | global accounts |
| unx-lx_ext_users | external accounts |
| unx-lx_e_users | experiment accounts |
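The naming convention and the group table above are easy to state but drift in practice (an ext- account placed in unx-lx_users, a gac- account missing from unx-lx_gac_users). The following is an added example, not PSI's tooling: it encodes the prefix/suffix rules as patterns, derives the expected unx-lx_* group for each account and reports memberships that disagree. The account names and group sets in SAMPLE are constructed; service accounts get no expected group because the page lists none for them.

```python
import re

# Account naming convention and the expected Unix group, taken from the page.
# Order matters: the prefixed types are tested before the -adm suffix and the
# catch-all "normal" pattern (last name, or LASTNAME_X).
ACCOUNT_TYPES = [
    # (label, pattern on the account name, expected unx-lx_* group or None)
    ("service",       re.compile(r"^svcusr-"),              None),
    ("global",        re.compile(r"^gac-"),                 "unx-lx_gac_users"),
    ("external",      re.compile(r"^ext-"),                 "unx-lx_ext_users"),
    ("experiment",    re.compile(r"^e\d+$"),                "unx-lx_e_users"),
    ("administrator", re.compile(r"-adm$"),                 "unx-lx_users"),
    ("normal",        re.compile(r"^[A-Za-z]+(_[A-Za-z])?$"), "unx-lx_users"),
]

# The four type groups from the table; an account should be in exactly one.
TYPE_GROUPS = {"unx-lx_users", "unx-lx_gac_users", "unx-lx_ext_users", "unx-lx_e_users"}


def classify(name):
    """Return (type label, expected type group) for an account name."""
    for label, pattern, group in ACCOUNT_TYPES:
        if pattern.search(name):
            return label, group
    return "unknown", None


def audit(memberships):
    """memberships: {account name: set of Unix groups}.
    Returns a list of (account, problem) tuples; empty means consistent."""
    findings = []
    for name, groups in sorted(memberships.items()):
        label, expected = classify(name)
        if expected is None:
            if label == "unknown":
                findings.append((name, "name does not match any known convention"))
            continue  # service accounts: page defines no type group
        if expected not in groups:
            findings.append((name, f"{label} account missing from {expected}"))
        for extra in sorted(groups & (TYPE_GROUPS - {expected})):
            findings.append((name, f"{label} account should not be in {extra}"))
    return findings


# Constructed sample membership data (not real PSI accounts).
SAMPLE = {
    "bucheli_k":      {"unx-lx_users", "unx-lke"},
    "bucheli_k-adm":  {"unx-lx_users"},
    "gac-beamline":   {"unx-lx_gac_users"},
    "ext-smith":      {"unx-lx_users"},                    # wrong type group
    "e12345":         {"unx-lx_e_users", "unx-lx_users"},  # one type group too many
    "svcusr-backup":  set(),
    "x_yz_unknown":   {"unx-lx_users"},                    # violates naming convention
}

if __name__ == "__main__":
    for account, problem in audit(SAMPLE):
        print(f"{account}: {problem}")
```

Run against a real export (e.g. the output of getent group / getent passwd on a client) the audit gives a first list of accounts whose type group does not match their name; names that match no convention at all are reported separately, since they cannot be assigned a type group automatically.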
UID Allocation
| UID | GID | Usage | Managed by |
|---|---|---|---|
| 0 - 1000 | 100 - 1000 | local users / groups | manually |
| 1000 - 9999 | 110 - 9999 | old AD accounts | manually |
| 10000 - 29999 | 10000 - 29999 | e-accounts / p-groups | Experiment prov. tool |
| 30000 - 65534 | 30000 - 65534 | new AD users / groups / external AD accounts | OM |
| 70000 - 120000 | 70000 - 120000 | e-accounts / p-groups | Experiment prov. tool |
| 123458 - 150000 | -10000 - -4294967296 | local AFS users / groups | AFS |
| 200000 - 400000 | 200000 - 400000 | new AD users / groups / external AD accounts | IAM |
| 2000000000 - 4294967296 | 2000000000 - 4294967296 | sub UID / GID for containers | local Linux systems / local Windows subsystems for Linux |
AD Attribute Mapping
For the sssd-ldap(5) provider the following mapping is used:
| passwd attribute | AD attribute |
|---|---|
| username | msSFU30Name |
| UID | msSFU30UidNumber |
| GID | msSFU30GidNumber |
| home | msSFU30HomeDirectory |
| shell | msSFU30LoginShell |
We are in the process of moving to the sssd-ad(5) provider. There we need the following attributes:
| passwd attribute | AD attribute |
|---|---|
| username | sAMAccountName |
| UID | uidNumber |
| GID | gidNumber |
| home | unixHomeDirectory |
| gecos | gecos |
Note that the loginShell attribute for the shell shall not be set as we only want to support Bash as login shell in the future.
Finally the gecos field shall be generated from other already existing AD attributes:
<displayName>,<physicalDeliveryOfficeName>,<telephoneNumber>,,<mail>
Example:
Konrad Bucheli,OBBA/230,+41563102724,,konrad.bucheli@psi.ch
Note that field 4 (home/mobile number) is not set, thus we have an empty field with two commas in a row.
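The gecos rule above has one pitfall worth handling when it is automated: passwd(5) separates records with ':' and the gecos field separates its subfields with ','; an AD value containing either character (or a line break) shifts every field behind it. The following is an added example, not PSI's provisioning code. It builds the gecos string exactly as specified (field 4 left empty), strips those separator characters from each value, and assembles a full passwd line using the sssd-ad(5) attribute mapping from the table above with the fixed Bash login shell. The sAMAccountName, uidNumber, gidNumber and unixHomeDirectory values in SAMPLE_ATTRS are constructed; the name, office, telephone and mail come from the page's example.

```python
# AD attributes feeding the gecos subfields, in order; None = leave empty.
GECOS_SOURCES = ("displayName", "physicalDeliveryOfficeName",
                 "telephoneNumber", None, "mail")
LOGIN_SHELL = "/bin/bash"  # loginShell is deliberately not read from AD


def _clean(value, extra=""):
    """Drop characters that would break the passwd record (':' and line
    breaks) plus any field separators given in `extra`; None becomes ''."""
    if value is None:
        return ""
    forbidden = ":\n\r" + extra
    return "".join(ch for ch in str(value) if ch not in forbidden)


def build_gecos(attrs):
    """<displayName>,<physicalDeliveryOfficeName>,<telephoneNumber>,,<mail>"""
    parts = []
    for attr in GECOS_SOURCES:
        parts.append("" if attr is None else _clean(attrs.get(attr), extra=","))
    return ",".join(parts)


def parse_gecos(gecos):
    """Split a gecos string back into its five conventional subfields."""
    fields = gecos.split(",")
    fields += [""] * (5 - len(fields))
    keys = ("full_name", "office", "work_phone", "home_phone", "mail")
    return dict(zip(keys, fields[:5]))


def passwd_entry(attrs):
    """Assemble 'name:x:uid:gid:gecos:home:shell' from sssd-ad attributes."""
    return ":".join([
        _clean(attrs["sAMAccountName"]),
        "x",
        str(int(attrs["uidNumber"])),
        str(int(attrs["gidNumber"])),
        build_gecos(attrs),
        _clean(attrs["unixHomeDirectory"]),
        LOGIN_SHELL,
    ])


SAMPLE_ATTRS = {
    "sAMAccountName": "bucheli_k",             # constructed
    "uidNumber": 30123,                        # constructed, OM-managed range
    "gidNumber": 710,                          # unx-nogroup, the default primary group
    "unixHomeDirectory": "/home/bucheli_k",    # constructed
    "displayName": "Konrad Bucheli",           # from the page's example
    "physicalDeliveryOfficeName": "OBBA/230",
    "telephoneNumber": "+41563102724",
    "mail": "konrad.bucheli@psi.ch",
}

if __name__ == "__main__":
    print(build_gecos(SAMPLE_ATTRS))
    print(passwd_entry(SAMPLE_ATTRS))
```

Dropping rather than escaping the separators is a deliberate choice: neither getpwent(3) nor the usual gecos consumers understand an escape, so an unescaped separator in displayName would silently turn into a new field or a new record.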
Primary Groups
By default the primary user group is unx-nogroup (710). The exception are experiment accounts, where the primary group is the corresponding g-group.
If there are good reasons (example?) another primary group might be set.
Except for the default unx-nogroup, a user shall always also be an explicit member of their primary group (e.g. a member of the g-group for experiment accounts).
At PSI the user-private group scheme (UPG), the default on Red Hat distributions, is not used.
Low GIDs
A number of groups have very low GIDs (<500), in particular:
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-aea:*:130:
unx-lmu:*:140:
unx-lem:*:141:
unx-muesr:*:150:
unx-asm:*:210:
unx-lrp:*:220:
unx-zrp:*:221:
unx-ash:*:230:
unx-ppt:*:280:
unx-pmr:*:290:
unx-cmt:*:301:
unx-lfk:*:310:
unx-lch:*:320:
unx-lns:*:330:
unx-lap:*:340:
unx-lmn:*:350:
unx-asq:*:360:
unx-crpp:*:370:
unx-psq:*:380:
unx-psz:*:390:
unx-gabe:*:402:
unx-lrs:*:410:
unx-lth:*:420:
unx-lwv:*:430:
unx-les:*:440:
unx-dtp:*:451:
unx-lsu:*:490:
Special Accounts
linux_ldap: query LDAP
The linux_ldap account has read-only permissions on a limited subset of the LDAP attributes. It is used by nslcd, for example, to query LDAP for users' uid, gid, etc.
The password should not be shared unnecessarily, but it does not need to be specifically protected either. In fact, in earlier releases of Scientific Linux it was necessary to have /etc/nslcd.conf, which contains the password, world-readable.
This account must not be given additional access or privileges.
linuxadjoin.psi.ch@D.PSI.CH
This account is a pure AD account (i.e. it doesn't have Unix attributes like uid), which is used to manage computer objects in AD automatically. In particular, it is used to precreate computer objects to allow password-less AD joins.
The account is only used on the Puppet server and has no (known) password. Instead a keytab is used to get a valid Kerberos ticket.
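A keytab replaces the password, so whoever can read the keytab file can obtain a ticket for linuxadjoin.psi.ch@D.PSI.CH; unlike /etc/nslcd.conf above, it has to stay readable by root alone. The following is an added example, not part of the PSI Puppet setup: a small check that reports a secret file that is missing, not a regular file, not owned by the expected uid, or readable by group or others. KEYTAB_PATH is an assumed location, the page does not state where the keytab lives; demo_in_tempdir() builds constructed files only so the check can be exercised without the real keytab.

```python
import os
import stat
import tempfile

KEYTAB_PATH = "/etc/linuxadjoin.keytab"  # assumed location, not from the page


def secret_file_findings(path, expected_owner_uid=0):
    """Return a list of problems with a file holding a credential (keytab,
    nslcd.conf with a bind password, ...). An empty list means it looks fine."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    if st.st_uid != expected_owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_owner_uid}")
    # Any permission bit for group or others exposes the credential.
    if st.st_mode & 0o077:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return findings


def demo_in_tempdir():
    """Constructed inputs: one world-readable and one root-style 0600 file,
    owned by the current user so the owner check passes in either case.
    Returns (findings for the loose file, findings for the tight file,
    findings for a missing file)."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "loose.keytab")
        tight = os.path.join(d, "tight.keytab")
        for p in (loose, tight):
            with open(p, "wb") as fh:
                fh.write(b"constructed, not a real keytab")
        os.chmod(loose, 0o644)
        os.chmod(tight, 0o600)
        return (secret_file_findings(loose, me),
                secret_file_findings(tight, me),
                secret_file_findings(os.path.join(d, "missing"), me))


if __name__ == "__main__":
    for f in secret_file_findings(KEYTAB_PATH) or [f"{KEYTAB_PATH}: ok"]:
        print(f)
```

The same function applies to /etc/nslcd.conf on releases where it no longer has to be world-readable, which is why the owner uid is a parameter rather than hard-coded to root.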