Controls-docs/admin-guide/architecture/accounts-and-groups.md
# Accounts
Linux accounts are generally stored and managed in Active Directory.
```{note}
Current user (uid) and group (gid) ranges can be found here: [UID and GID Management](https://git.psi.ch/linux-infra/documentation/blob/master/pdf/UID_and_GID.pdf)
```
## Account Types
There are several types of accounts, which are usually indicated by a
prefix or suffix:
- Normal accounts. No prefix or suffix. Older accounts are just last
names; newer accounts are LASTNAME_X, where X is the first letter of
the given name.
- Global accounts. These have a `gac-` prefix. There are only a
handful of these on Linux so far, due to concerns about the lack of
login restrictions.
- Administrator accounts. Marked with an `-adm` suffix.
- External users. These start with an `ext-` prefix and are provided
to external users, i.e. those who are not PSI employees.
- Service accounts. These come with an `svcusr-` prefix and are used
for running services.

Official documentation on the PSI IT account naming convention can be found [here](https://psi.service-now.com/psisp?sys_kb_id=c498a3cb1bff68502c5940498b4bcb44&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=4877d78687cc1d10bc150d830cbb3540).
## UID Allocation
| Account type   | UID range     |
|----------------|---------------|
| Old accounts   | 1000-6000     |
| GFA accounts   | 10000-30000   |
| External users | 30000-35000   |
| New accounts   | 35000+        |
## LDAP Attribute Mapping
| Attribute | LDAP Attribute |
|-----------|------------------------|
| username | `msSFU30Name` |
| UID | `msSFU30UidNumber` |
| GID | `msSFU30GidNumber` |
| home | `msSFU30HomeDirectory` |
| shell | `msSFU30LoginShell` |
## Primary Groups
At PSI the user-private group scheme (UPG), the default on Red Hat
distributions, is **not** used. Instead, every user's primary group is
usually one specific to the group/department the user is working for,
e.g. `unx-ait`.

Users for whom there is no natural choice of primary group are assigned
`unx-nogroup`.
## Low GIDs
A number of groups have very low GIDs (<500), in particular:

```
unx-fkt:*:101:
unx-lke:*:110:
unx-abe:*:120:stingelin
unx-aea:*:130:
unx-lmu:*:140:
unx-lem:*:141:
unx-muesr:*:150:
unx-asm:*:210:
unx-lrp:*:220:
unx-zrp:*:221:
unx-ash:*:230:
unx-ppt:*:280:
unx-pmr:*:290:
unx-cmt:*:301:
unx-lfk:*:310:
unx-lch:*:320:
unx-lns:*:330:
unx-lap:*:340:
unx-lmn:*:350:
unx-asq:*:360:
unx-crpp:*:370:
unx-psq:*:380:
unx-psz:*:390:
unx-gabe:*:402:
unx-lrs:*:410:
unx-lth:*:420:
unx-lwv:*:430:
unx-les:*:440:
unx-dtp:*:451:
unx-lsu:*:490:
```
## Shells
We support bash, and we also try to keep tcsh working.
Currently bash, tcsh, and sh are used. The form for ordering accounts
also offers `/bin/ksh` and `/bin/zsh`. The most popular by far is bash.
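The naming prefixes, UID allocation table, msSFU30 attribute mapping, primary-group rule and shell list above can be checked mechanically. The following is an added example, not a PSI tool: it renders an AD entry as the passwd line nslcd would serve and flags entries that contradict the conventions. The sample entries, the `ATTR`/`UID_BANDS` tables and the audit rules are assumptions drawn from this page.

```python
# Added example (not a PSI tool): check Unix attributes pulled from AD
# against the naming, uid-range, primary-group and shell conventions above.
ATTR = {"user": "msSFU30Name", "uid": "msSFU30UidNumber",   # mapping table
        "gid": "msSFU30GidNumber", "home": "msSFU30HomeDirectory",
        "shell": "msSFU30LoginShell"}
SHELLS = {"/bin/bash", "/bin/tcsh", "/bin/sh", "/bin/ksh", "/bin/zsh"}
# uid allocation table; 30000 appears in two rows, so it is ambiguous
UID_BANDS = [(1000, 6000, "old"), (10000, 30000, "gfa"),
             (30000, 35000, "external"), (35000, 2**31, "new")]


def account_type(name):
    """Classify an account by its naming prefix/suffix."""
    for prefix, kind in (("gac-", "global"), ("ext-", "external"),
                         ("svcusr-", "service")):
        if name.startswith(prefix):
            return kind
    return "admin" if name.endswith("-adm") else "normal"

def uid_band(uid):
    """Name of the first allocation band containing uid, or 'unallocated'."""
    return next((b for lo, hi, b in UID_BANDS if lo <= uid <= hi), "unallocated")

def to_passwd(entry):
    """Render one AD entry as the passwd line nslcd would serve."""
    return "{}:x:{}:{}::{}:{}".format(
        *(entry[ATTR[k]] for k in ("user", "uid", "gid", "home", "shell")))

def audit(entry):
    """Return findings for one entry; an empty list means it looks consistent."""
    name, shell = entry[ATTR["user"]], entry[ATTR["shell"]]
    uid, gid = int(entry[ATTR["uid"]]), int(entry[ATTR["gid"]])
    findings = []
    if uid_band(uid) == "unallocated":
        findings.append(f"{name}: uid {uid} outside every documented range")
    if account_type(name) == "external" and not 30000 <= uid <= 35000:
        findings.append(f"{name}: ext- account but uid {uid} not in 30000-35000")
    if gid == uid:  # user-private-group pattern, which PSI does not use
        findings.append(f"{name}: primary gid equals uid (looks like UPG)")
    if shell not in SHELLS:
        findings.append(f"{name}: shell {shell} is not one offered by the form")
    return findings

# Constructed sample entries shaped like AD objects with msSFU30 attributes
SAMPLE = [
    dict(zip(ATTR.values(), v)) for v in (
        ("ext-doe", "30500", "1234", "/home/ext-doe", "/bin/bash"),
        ("ext-roe", "36000", "1234", "/home/ext-roe", "/bin/tcsh"),
        ("muster_a", "36001", "36001", "/home/muster_a", "/bin/fish"))]
```

Running `audit` over every entry returned by an LDAP search with these attributes gives a quick consistency report; `to_passwd` shows what the mapping table produces for each one.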
## Special Accounts
### `linux_ldap`: query LDAP
The `linux_ldap` account has read-only permissions on a
limited subset of the LDAP attributes. It is used by
`nslcd`, for example, to query LDAP for users' uid, gid,
etc.

The password should not be shared unnecessarily, but it does not need to
be specifically protected either. In fact, in earlier releases of
Scientific Linux it was necessary to have `/etc/nslcd.conf`,
which contains the password, world-readable.
This account **must not** be given additional access or privileges.
### `linuxadjoin.psi.ch@D.PSI.CH`
This account is a pure AD account (i.e. it doesn't have Unix attributes
like uid), which is used to manage computer objects in AD automatically.
In particular, it is used to precreate computer objects to allow
password-less AD joins.

The account is only used on the Puppet server and has no (known)
password. Instead, a keytab is used to get a valid Kerberos ticket.