Controls/gitea-pages
0
2
Fork 0
Code Pull Requests Actions Activity
Files
cdcc025dbd4c2f4288505ffec4e2bfcffe7cc9af
gitea-pages/engineering-guide/accounts-and-groups.md
T

169 lines
7.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Accounts and Groups
Linux accounts are generally stored and managed in Active Directory.
## Account Types
There are several types of accounts, which are usually indicated by a
prefix or suffix:
- Normal accounts. No prefix or suffix. Older accounts are just last
names, newer accounts are LASTNAME_X, where X is the first letter of
the given name.
- Global accounts (or gac-accounts). These have a `gac-` prefix. These are shared accounts where several people know the password. Note that some global accounts were originially experiment accounts and share the properties of experiment accounts
- Administrator accounts. Marked with an `-adm` suffix.
- External users. These start with an `ext-` prefix and are provided
to external users, ie. those who are not PSI employees.
- Experiment accounts (or e-accounts). These start with `e` followed by the uid (+ some global accounts which where renamed later).
These are managed by the [Digital User Office (DUO)](https://duo.psi.ch).
The password is shared by all users involved in the experiment.
- Service accounts. These come with an `svcusr-` prefix and are used for running services.
Official documentation on PSI IT account naming convention can be found [here](https://psi.service-now.com/psisp?sys_kb_id=c498a3cb1bff68502c5940498b4bcb44&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=4877d78687cc1d10bc150d830cbb3540)
To be able to easily distinguish between the different account types, a user shall be assigned to
| Unix Group | Accont Type | Test User |
|--------------------|-------------|-----------|
| `unx-lx_users` | normal user | `lx_test` |
| `unx-lx_adm_users` | administrator acccounts for normal users | `lx_test-adm` |
| `unx-lx_gac_users` | global accounts | `gac-lx_test` |
| `unx-lx_ext_users` | external accounts | `ext-lx_test` |
| `unx-lx_ext_adm` | external adm accounts (group should actually be named `unx-lx_ext_adm_users` but because of character limitations we abbreviated)| `ext-lx_test-adm`|
| `unx-lx_e_users` | experiment accounts | `e22284` |
| `unx-lx_svc_users` | service accounts accounts | `svcusr-lx_test`|
The passwords for all these users are found in the [Shared Core Linux Secret Store](https://git.psi.ch/linux-infra/core-linux-secrets), except for `e22284` which is found in the [PSI e-account Password Manager](https://epwd.psi.ch/cred/detail/18556/).
```{note}
unx-lx_ext_users - this group does not yet contain all ext accounts (only the ones that are currently in the scope of IAM - this should be fixed by end of January 2025
```
### Policies
GAC accounts __must not__ be used for administrative tasks (also see: AW-95-17-02 Logical Access Control). Therefore membership in groups granting such privilidges is not permitted.
## UID Allocation
| UID | GID | |
|-------------------------|-------------------------|-------------------------------|
| 0 - 1000 | 100 - 1000 | local users / groups manually |
| 1000 - 9999 | 110 - 9999 | old AD accounts manually |
| 10000 - 29999 | 10000 - 29999 | e-accounts / p-groups Experiment prov. tool |
| 30000 - 61183 | 30000 - 61183 | new AD users / groups /external AD accounts OM |
| 6118465519 | 6118465519 | [systemd Dynamic Users](https://0pointer.net/blog/dynamic-users-with-systemd.html) |
| 70000 - 120000 | 70000 - 120000 | e-accounts / p-groups Experiment prov. tool |
| 123458 - 150000 | -10000 - -4294967296 | local AFS users / groups AFS |
| 200000 - 400000 | 200000 - 400000 | new AD users / groups /external AD accounts IAM |
| 2000000000 - 4294967296 | 2000000000 - 4294967296 | sub UID / GID for containers local Linux systems / local Windows subsystems for Linux |
## AD Attribute Mapping
For the [sssd-ldap(5)](https://man.archlinux.org/man/sssd-ldap.5.en) provider following mapping is used
| passwd attribute | AD attribute |
|-----------|------------------------|
| username | `msSFU30Name` |
| UID | `msSFU30UidNumber` |
| GID | `msSFU30GidNumber` |
| home | `msSFU30HomeDirectory` |
| shell | `msSFU30LoginShell` |
We are on the process to move to the [sssd-ad(5)](https://man.archlinux.org/man/sssd-ad.5.en) provider. There we need following attributes:
| passwd attribute | AD attribute |
|-----------|---------------------|
| username | `sAMAccountName` |
| UID | `uidNumber` |
| GID | `gidNumber` |
| home | `unixHomeDirectory` |
| gecos | `gecos` |
Note that the `loginShell` attribute for the shell shall not be set as we only want to support Bash as login shell in the future.
Finally the [gecos field](https://en.wikipedia.org/wiki/Gecos_field) shall be generated from other already existing AD attributes:
```
<displayName>,<physicalDeliveryOfficeName>,<telephoneNumber>,,<mail>
```
example:
```
Konrad Bucheli,OBBA/230,+41563102724,,konrad.bucheli@psi.ch
```
Note the field 4 (home/mobile number) we do not set, thus we have an empty field with two commas in a row.
## Primary Groups
By default the primary user group is `unx-nogroup` (710). The exception are experiment accounts, where the primary group is the corresponding g-group.
If there are good reasons (example?) another primary group might be set.
Except for the default `unx-nogroup`, a user shall always also be explicit member of his primary group (e.g. member of the g-group for experiment accounts).
At PSI the user-private group scheme (UPG), the default on Red Hat
distributions, is **not** used.
## Low GIDs
A number of groups have very low GIDs (\<500), in particular:
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-aea:*:130:
unx-lmu:*:140:
unx-lem:*:141:
unx-muesr:*:150:
unx-asm:*:210:
unx-lrp:*:220:
unx-zrp:*:221:
unx-ash:*:230:
unx-ppt:*:280:
unx-pmr:*:290:
unx-cmt:*:301:
unx-lfk:*:310:
unx-lch:*:320:
unx-lns:*:330:
unx-lap:*:340:
unx-lmn:*:350:
unx-asq:*:360:
unx-crpp:*:370:
unx-psq:*:380:
unx-psz:*:390:
unx-gabe:*:402:
unx-lrs:*:410:
unx-lth:*:420:
unx-lwv:*:430:
unx-les:*:440:
unx-dtp:*:451:
unx-lsu:*:490:
## Special Accounts
### `linux_ldap`: query LDAP
The [linux_ldap]{.title-ref} account has read-only permissions on a
limited subset of the LDAP attributes. It is used by
[nslcd]{.title-ref}, for example, to query LDAP for users\' uid, gid,
etc.
The password should not be shared unnecessarily, but it does not need to
be specifically protected either. In fact, in earlier releases of
Scientific Linux it was necessary to have [/etc/nslcd.conf]{.title-ref},
which contains the password, world-readable.
This account **must not** be given additional access or privileges.
### `linuxadjoin.psi.ch@D.PSI.CH`
This account is a pure AD account (ie it doesn\'t have Unix attributes
like uid), which is used to manage computer objects in AD automatically.
In particular, it is used to precreate computer objects to allow
password-less AD joins.
The account is only used on the Puppet server and has no (known)
password. Instead a keytab is used to get a valid Kerberos ticket.
View Git Blame Copy Permalink