gitea-pages/engineering-guide/accounts-and-groups.md
# Accounts and Groups
Linux accounts are generally stored and managed in Active Directory.
## Account Types

There are several types of accounts, which are usually indicated by a prefix or suffix:

- Normal accounts. No prefix or suffix. Older accounts are just last names, newer accounts are LASTNAME_X, where X is the first letter of the given name.
- Global accounts (or gac-accounts). These have a `gac-` prefix. These are shared accounts where several people know the password. Note that some global accounts were originally experiment accounts and share the properties of experiment accounts.
- Administrator accounts. Marked with an `-adm` suffix.
- External users. These start with an `ext-` prefix and are provided to external users, i.e. those who are not PSI employees.
- Experiment accounts (or e-accounts). These start with `e` followed by the uid (plus some global accounts which were renamed later). These are managed by the [Digital User Office (DUO)](https://duo.psi.ch). The password is shared by all users involved in the experiment.
- Service accounts. These come with an `svcusr-` prefix and are used for running services.

Official documentation on the PSI IT account naming convention can be found [here](https://psi.service-now.com/psisp?sys_kb_id=c498a3cb1bff68502c5940498b4bcb44&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=4877d78687cc1d10bc150d830cbb3540).

To be able to easily distinguish between the different account types, a user shall be assigned to one of the following Unix groups:

| Unix Group | Account Type |
|--------------------|-------------|
| `unx-lx_users` | normal user and administrator accounts |
| `unx-lx_gac_users` | global accounts |
| `unx-lx_ext_users` | external accounts |
| `unx-lx_e_users` | experiment accounts |
## UID Allocation

| UID | GID | Usage | Managed by |
|-------------------------|-------------------------|----------------------------------------------|--------------------------------------------------------------|
| 0 - 1000 | 100 - 1000 | local users / groups | manually |
| 1000 - 9999 | 110 - 9999 | old AD accounts | manually |
| 10000 - 29999 | 10000 - 29999 | e-accounts / p-groups | Experiment prov. tool |
| 30000 - 65534 | 30000 - 65534 | new AD users / groups / external AD accounts | OM |
| 70000 - 120000 | 70000 - 120000 | e-accounts / p-groups | Experiment prov. tool |
| 123458 - 150000 | -10000 - -4294967296 | local AFS users / groups | AFS |
| 200000 - 400000 | 200000 - 400000 | new AD users / groups / external AD accounts | IAM |
| 2000000000 - 4294967296 | 2000000000 - 4294967296 | sub UID / GID for containers | local Linux systems / local Windows subsystems for Linux |
## AD Attribute Mapping

For the [sssd-ldap(5)](https://man.archlinux.org/man/sssd-ldap.5.en) provider the following mapping is used:

| passwd attribute | AD attribute |
|-----------|------------------------|
| username | `msSFU30Name` |
| UID | `msSFU30UidNumber` |
| GID | `msSFU30GidNumber` |
| home | `msSFU30HomeDirectory` |
| shell | `msSFU30LoginShell` |

We are in the process of moving to the [sssd-ad(5)](https://man.archlinux.org/man/sssd-ad.5.en) provider. There we need the following attributes:

| passwd attribute | AD attribute |
|-----------|---------------------|
| username | `sAMAccountName` |
| UID | `uidNumber` |
| GID | `gidNumber` |
| home | `unixHomeDirectory` |
| gecos | `gecos` |

Note that the `loginShell` attribute for the shell shall not be set, as we only want to support Bash as login shell in the future.
Finally, the [gecos field](https://en.wikipedia.org/wiki/Gecos_field) shall be generated from other already existing AD attributes:

```
<displayName>,<physicalDeliveryOfficeName>,<telephoneNumber>,,<mail>
```

Example:

```
Konrad Bucheli,OBBA/230,+41563102724,,konrad.bucheli@psi.ch
```

Note that field 4 (home/mobile number) is not set, so it is empty and two commas appear in a row.
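The gecos layout above, as an added example that is not part of this guide: `build_gecos` assembles the five fields from an AD entry and `parse_gecos` splits an existing value back into them. The sample entries are constructed (the first mirrors the example value above), and the function names are ours; a `,` or `:` inside an attribute value would shift gecos fields or break the colon-separated passwd line, so such characters are replaced before the value is emitted.

```python
# Added example (not from the engineering guide): build the gecos field from AD
# attributes and parse it back.  Sample records below are constructed.
GECOS_ATTRS = ("displayName", "physicalDeliveryOfficeName", "telephoneNumber",
               None,  # field 4 (home/mobile number) is deliberately left empty
               "mail")


def _clean(value):
    # gecos fields are comma separated and sit inside a colon separated passwd
    # line, so ',' ':' or a line break in an attribute value would shift fields
    # or corrupt the entry; replace them instead of passing them through.
    if value is None:
        return ""
    return "".join(" " if ch in ",:\n\r" else ch for ch in str(value)).strip()


def build_gecos(ad_entry):
    """Return '<displayName>,<physicalDeliveryOfficeName>,<telephoneNumber>,,<mail>'."""
    return ",".join("" if attr is None else _clean(ad_entry.get(attr))
                    for attr in GECOS_ATTRS)


def parse_gecos(gecos):
    """Split a gecos value into its five fields, padding missing trailing fields."""
    fields = gecos.split(",")
    if len(fields) > 5:
        raise ValueError("gecos has more than 5 fields: %r" % gecos)
    return tuple(fields + [""] * (5 - len(fields)))


# Constructed sample entries; the first one mirrors the example value above.
SAMPLE_USERS = {
    "bucheli_k": {"displayName": "Konrad Bucheli",
                  "physicalDeliveryOfficeName": "OBBA/230",
                  "telephoneNumber": "+41563102724",
                  "mail": "konrad.bucheli@psi.ch"},
    # constructed: office value containing a comma, no telephoneNumber at all
    "ext-visitor": {"displayName": "Visiting Scientist",
                    "physicalDeliveryOfficeName": "WHGA/1,2",
                    "mail": "visitor@example.org"},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_USERS.items():
        print("%s: %s" % (name, build_gecos(entry)))
```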
## Primary Groups

By default the primary user group is `unx-nogroup` (710). The exceptions are experiment accounts, where the primary group is the corresponding g-group.

If there are good reasons (example?) another primary group might be set.

Except for the default `unx-nogroup`, a user shall always also be an explicit member of their primary group (e.g. member of the g-group for experiment accounts).

At PSI the user-private group scheme (UPG), the default on Red Hat distributions, is **not** used.
## Low GIDs

A number of groups have very low GIDs (<500), in particular:

```
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-aea:*:130:
unx-lmu:*:140:
unx-lem:*:141:
unx-muesr:*:150:
unx-asm:*:210:
unx-lrp:*:220:
unx-zrp:*:221:
unx-ash:*:230:
unx-ppt:*:280:
unx-pmr:*:290:
unx-cmt:*:301:
unx-lfk:*:310:
unx-lch:*:320:
unx-lns:*:330:
unx-lap:*:340:
unx-lmn:*:350:
unx-asq:*:360:
unx-crpp:*:370:
unx-psq:*:380:
unx-psz:*:390:
unx-gabe:*:402:
unx-lrs:*:410:
unx-lth:*:420:
unx-lwv:*:430:
unx-les:*:440:
unx-dtp:*:451:
unx-lsu:*:490:
```
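These low GIDs fall into the 100 - 1000 range that the UID Allocation table reserves for locally managed groups, so on a given host they can clash with groups created by packages. The following audit is an added example, not part of this guide: it parses group(5)-style lines and reports AD groups that either share a GID with a differently named local group or sit inside the locally managed range. The AD lines are a subset of the list above (plus one constructed entry), the local group file is constructed, and the function names are ours.

```python
# Added example (not from the engineering guide): audit AD group entries against
# the GID allocation table.  The local group file below is constructed.
LOCAL_GID_RANGE = (100, 1000)  # "local users / groups, manually" row of the table


def parse_group_lines(text):
    """Parse 'name:passwd:gid:members' lines into {gid: (name, [members])}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    return groups


def audit_low_gids(ad_group_text, local_group_text, local_range=LOCAL_GID_RANGE):
    """Return sorted (gid, ad_name, finding) tuples for problematic AD groups."""
    ad_groups = parse_group_lines(ad_group_text)
    local_groups = parse_group_lines(local_group_text)
    lo, hi = local_range
    findings = []
    for gid, (name, _members) in ad_groups.items():
        if gid in local_groups and local_groups[gid][0] != name:
            # same GID, different name: files owned by one group become
            # accessible to the other depending on which database wins
            findings.append((gid, name, "collides with local group %s" % local_groups[gid][0]))
        elif lo <= gid <= hi:
            findings.append((gid, name, "inside locally managed GID range"))
    return sorted(findings)


# AD groups: subset of the list above plus one constructed entry (unx-example).
AD_GROUPS = """\
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-lsu:*:490:
unx-example:*:2000:
"""
# Constructed local /etc/group content for the host being audited.
LOCAL_GROUPS = """\
root:x:0:
users:x:100:
systemd-journal:x:110:
sshd:x:490:
"""

if __name__ == "__main__":
    for gid, name, finding in audit_low_gids(AD_GROUPS, LOCAL_GROUPS):
        print("GID %d (%s): %s" % (gid, name, finding))
```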
## Special Accounts

### `linux_ldap`: query LDAP

The `linux_ldap` account has read-only permissions on a limited subset of the LDAP attributes. It is used by `nslcd`, for example, to query LDAP for users' uid, gid, etc.

The password should not be shared unnecessarily, but it does not need to be specifically protected either. In fact, in earlier releases of Scientific Linux it was necessary to have `/etc/nslcd.conf`, which contains the password, world-readable.

This account **must not** be given additional access or privileges.

### `linuxadjoin.psi.ch@D.PSI.CH`

This account is a pure AD account (i.e. it doesn't have Unix attributes like uid), which is used to manage computer objects in AD automatically. In particular, it is used to precreate computer objects to allow password-less AD joins.

The account is only used on the Puppet server and has no (known) password. Instead, a keytab is used to get a valid Kerberos ticket.