User Account Setup
A good place to put in notes about anything related to accounts in the CSCF context, whether they be user,
system, groups, etc. Technical notes. It can also include proposed newer setups such
as using Active Directory.
| Definition: In a more general context the term account would tend imply the reckoning of a monetary balance, often with a history of credits and debits. In relation to computers, however, account is often used to refer to the login userid which works for some particular computer system whether or not any money is involved. To make things complicated, some software involved with login userid maintenance actually does allow for the use of related monetary accounts.
Account Management Methods
- WatIAM Accounts - are required by, but not part of, other accounts maintenance.
Sponsors Data Accounts
Information about most accounts
on the UNIX computer
in the hierarchical text file
data base under the directory
Computer programs are used to update remote machines to reflect the
The software itself really only imposes a distinction between two
different types of accounts maintenance.
- Registrar Sponsored Accounts - driven primarily by data automatically received from the Registrar's Office (graduate and undergraduate are not fundamentally different)
- Other Accounts - no automatic information is used to drive the creation of these accounts; updates must be manual
Any other distinctions arise because of how the users of the software
decided to organize their data. Here
is an attempted explanation of the organization.
Maintaining Specific Types of Accounts
Procedures are determined by a combination of the operating requirements
of the sponsors data base software
agreed-upon conventions in the organization of the files
it uses. Note that in some cases the conventions will have been agreed-upon
by only a single person.
Also sometimes constraints of other software helped determine the necessary
procedures and conventions.
An Assertion of Generality (by AdrianPepper)
Here's another approach to presenting the same information
System-wide accounts, generally automated (maintained by AdrianPepper)
Administrative accounts (maintained by Wendy)
Research accounts (maintained by the Research Support Group)
- Research Sponsored Accounts - accounts researchers sponsor (including Grad students, visitors, PostDocs, print quota, disk space quota) in CS core, Active Directory or their own research regions
- LocalLinuxAccounts - creating a local account on a Linux-based research machine, not authenticating against the CS AD or using Xhiered accounts
- CreatingGroupAccounts - creating a new group (eg: users_group)
Creating Truly New Users (Userids)
This has been glossed over.
In many cases user names and identification numbers already exist,
precreated in WatIAM
. In other limited cases,
the correct thing to do is create a userid which really should,
for various reasons, not be put in WatIAM
And occasionally you need to do things to cause the
account creation. Perhaps see these
The magic Userids file
But, in any case, before you can use the sponsors data
create new accounts for a userid, that userid
must be defined in the file
(on the UNIX computer
Often, but not always, that happens automatically.
That's why it's magic.
command will give no results
for the userid if it is not present in this file. That is, if
gives output, you can proceed. If not, more work is needed
to get the userid into the file.
If you think you need to modify or create records in this file, see these
or specifically these
The old account configuration using the xhier packages setpw
How do restricted shells get put into a passwd file
Specifically how does a user's shell become equal to
The answer is provided by the
man page. The
setup in the CS environment
is described by
The users listed, one per line, in the file
on a regional client
for which the passwd file is built
are the the users who will get a standard
shell rather than
. Now, the reader should
have noted the special emphasis on the word built
. Specifically this means
the setpw client hostname appears on a single line within a file on the setpw
regional master (in the student xheir region this is
and in the core
) in the directory
whose name has the form
is usually chosen to be informative.
The management of the non-restricted-users file
The graphics lab in MC6055 and the Nortel Lab (room number escapes me?) are two
labs in which access is restricted to specific users. Since both of these labs
have uniform architectures it is not necessary to build the passwd on each
of the host but only one of them and then use the
mode of passwd distribution,
that is, copying the files over. As the build process can take valuable cpu power
the build hosts are not machines in the lab.
the non-restricted-users file are generated whenever
command is executed albeit the exact path to this
end goal is quite twisty.
Windows account information is stored in their version of LDAP, called
ADS or active directory server, see CSCFActiveDirectory
for some notes
on how this is done in CSCF.
Using ADS to authenticate Unix hosts
There is a project to have the student region authenticate using Windows Active Directory managed directory services.
Basic to this process is Kerberos version 5, see ADAddUbuntu
for some notes
on how to get Ubuntu Linux to authenticate the ADS in the CS-GENERAL domain which would equally
apply to other domains.