User Account Setup

Introduction

A good place to put in notes about anything related to accounts in the CSCF context, whether they be user, system, groups, etc. Technical notes. It can also include proposed newer setups such as using Active Directory.

Definition: In a more general context the term account would tend imply the reckoning of a monetary balance, often with a history of credits and debits. In relation to computers, however, account is often used to refer to the login userid which works for some particular computer system whether or not any money is involved. To make things complicated, some software involved with login userid maintenance actually does allow for the use of related monetary accounts.

Account Management Methods

WatIAM Accounts

• WatIAM Accounts - are required by, but not part of, other accounts maintenance.

Sponsors Data Accounts

Information about most accounts is maintained on the UNIX computer cs-xh-admin.cs.private.uwaterloo.ca in the hierarchical text file data base under the directory /software/accounts-master/data/sponsors. Computer programs are used to update remote machines to reflect the information there. The software itself really only imposes a distinction between two different types of accounts maintenance.

• Registrar Sponsored Accounts - driven primarily by data automatically received from the Registrar's Office (graduate and undergraduate are not fundamentally different)
• Other Accounts - no automatic information is used to drive the creation of these accounts; updates must be manual

Any other distinctions arise because of how the users of the software decided to organize their data. Here is an attempted explanation of the organization.

Any account can be associated with multiple groups, primarily for purposes of access control. It's not obvious we've documented details about group creation and maintenance.

Maintaining Specific Types of Accounts

Procedures are determined by a combination of the operating requirements of the sponsors data base software and previously agreed-upon conventions in the organization of the files it uses. Note that in some cases the conventions will have been agreed-upon by only a single person. Also sometimes constraints of other software helped determine the necessary procedures and conventions.

An Assertion of Generality (by AdrianPepper)

• The page Sponsors Data Accounts Maintenance in general should be relevant for anyone maintaining accounts via the sponsors data . In fact, that page is entitled TemplateSponsorDataAccounts because most of the procedure is largely independent of details of the user for whom an account is being created or modified. That is, if you can (and AdrianPepper did) take the page itself and modify details to make (overly?) detailed descriptions for specific cases. If we're going to get possessive, that page is maintained by AdrianPepper .

Here's another approach to presenting the same information TemplateSponsorDataAccountsCollapsed.

System-wide accounts, generally automated (maintained by AdrianPepper)

• Undergrad Accounts - maintained automatically, with occasional tweaks needed
• Grad Student Accounts - maintained automatically, with occasional tweaks needed

Administrative accounts (maintained by everyone now Wendy is gone)

• Administrative Accounts - created and maintained for School administration purposes
• Temporary Visitor Accounts - Temporary accounts, generally for short-term visitors

Research accounts (maintained by the Research Support Group)

• Research Sponsored Accounts - accounts researchers sponsor (including Grad students, visitors, PostDocs, print quota, disk space quota) in CS core, Active Directory or their own research regions
  • ResearchSponsoredAccountsNew - how to start things for a new researcher (faculty member)
  • Research Region Accounts - on machines owned by research groups
  • Ex-Grad-Student Accounts - transferring sponsorship from Registrar to a researcher
• LocalLinuxAccounts - creating a local account on a Linux-based research machine, not authenticating against the CS AD or using Xhiered accounts
• CreatingGroupAccounts - creating a new group (eg: users_group)

Creating Truly New Users (Userids)

This has been glossed over. In many cases user names and identification numbers already exist, precreated in WatIAM. In other limited cases, the correct thing to do is create a userid which really should, for various reasons, not be put in WatIAM. And occasionally you need to do things to cause the WatIAM account creation. Perhaps see these notes.

The magic Userids file

But, in any case, before you can use the sponsors data software to create new accounts for a userid, that userid must be defined in the file /software/accounts-userids/data/Userids (on the UNIX computer cs-xh-admin.cs.private.uwaterloo.ca). Often, but not always, that happens automatically. That's why it's magic.

The userinfo command will give no results for the userid if it is not present in this file. That is, if userinfo gives output, you can proceed. If not, more work is needed to get the userid into the file.

If you think you need to modify or create records in this file, see these notes or specifically these.

The old account configuration using the xhier packages setpw

accounts-client dissection

• AccountsClientDissection

Active Directory

Windows account information is stored in their version of LDAP, called ADS or active directory server, see CSCFActiveDirectory for some notes on how this is done in CSCF.

Using ADS to authenticate Unix hosts

There is a project to have the student region authenticate using Windows Active Directory managed directory services. Basic to this process is Kerberos version 5, see ADAddUbuntu for some notes on how to get Ubuntu Linux to authenticate the ADS in the CS-GENERAL domain which would equally apply to other domains. :