diff --git a/_toc.yml b/_toc.yml index 4f5d27b7..e0691cc9 100644 --- a/_toc.yml +++ b/_toc.yml @@ -69,6 +69,7 @@ chapters: - file: admin-guide/configuration/xrdp - file: admin-guide/configuration/puppet_agent - file: admin-guide/configuration/sudo + - file: admin-guide/configuration/eaccounts - file: admin-guide/configuration/ntp_client - file: admin-guide/configuration/keyboard_layout - file: admin-guide/configuration/autologin diff --git a/admin-guide/configuration/eaccounts.md b/admin-guide/configuration/eaccounts.md new file mode 100644 index 00000000..15f5ddbd --- /dev/null +++ b/admin-guide/configuration/eaccounts.md 
@@ -0,0 +1,81 @@ +# Eaccounts (Experiment Account) + +The eaccounts are managed via the Digital User Office (DUO) and used for single experiments at the beamlines. + +Eaccounts reside in the AD in the subtree `OU=users,OU=experiment,OU=it,DC=d,DC=psi,DC=ch` whereas normal accounts are found below `OU=Users,OU=PSI,DC=d,DC=psi,DC=ch` + +Normally eaccounts start with `e` followed by their uid. Some eaccounts where used not only for single experiments, more like GAC accounts, and have thus been renamed: +``` +gac-alvra +gac-cristall +gac-bernina +gac-femto +gac-furka +gac-maloja +gac-slab +gac-x01dc +gac-x02da +gac-x03da +gac-x03ma +gac-x04db +gac-x04sa +gac-x05da +gac-x05la +gac-x06da +gac-x06sa +gac-x07da +gac-x07db +gac-x07ma +gac-x07mb +gac-x09la +gac-x09lb +gac-x10da +gac-x10sa +gac-x11ma +gac-x12sa +gac-x12saop +gac-x96sa +``` + +## Allow Eaccounts + +``` +aaa::enable_eaccounts: true +``` + +in Hiera enables eaccounts on a system, default is `false`. + +## Eaccounts and `override_homedir` + +By default the `override_homedir` setting (in Hiera `aaa::override_homedir` ore `base::local_homes`) is ignored for eaccounts. +The way this has been solved causes problems with group member lookups with eaccounts enabled. + +Without eaccounts only normal users are found as part of the group (which is correct): +``` +[root@lxdev04 ~]# getent group p21996 +p21996:*:21996:dorigo_a,cirelli_c +[root@lxdev04 ~]# +``` + +but with eaccounts enabled only the eaccount members are listed: +``` +[root@lxdev01 ~]# getent group p21996 +p21996:*:21996:e21996 +[root@lxdev01 ~]# +``` + +If for a system this is a problem, and at the same time there is no need for ignoring `override_homedir`, you may enable the eaccounts with + +``` +aaa::enable_eaccounts: true +aaa::enable_eaccounts::ignore_override_homedir: false +``` + + + + + + + +There is a [open case](https://access.redhat.com/support/cases/#/case/03912615) at RedHat on how to deal best with this problem. +
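Review bot: The Hiera key `aaa::enable_eaccounts::ignore_override_homedir: false` in the last configuration block needs checking against the module: `aaa::enable_eaccounts` is documented two sections earlier as a plain boolean, so a key nested below it reads like a typo for a separate parameter; please confirm the exact parameter name so readers do not copy a key that is silently ignored. The same block should also state what changes when it is set: the text only says `override_homedir` is normally ignored for eaccounts, so say explicitly that with `false` eaccount homes follow `aaa::override_homedir` / `base::local_homes` like normal accounts. The group-lookup section would benefit from one sentence on the consequence of the two `getent group p21996` outputs, namely that with eaccounts enabled the normal members `dorigo_a,cirelli_c` are missing from the group, so anything that grants access by group membership on that host sees an incomplete member list; that is the actual reason an admin would care. Minor wording fixes for the new page: "Some eaccounts where used" should be "were used", "ore `base::local_homes`" should be "or", "a [open case]" should be "an [open case]", and the run of empty lines before the Red Hat link should be collapsed. The Red Hat case URL is only reachable with a support login, so consider adding the case number or a one-line summary of the issue next to the link.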