AccountsClientDissection (2014-12-18, AdrianPepper)
%TOC%

---++ The old account configuration using the xhier packages setpw

This page is really just history...

---+++ How do restricted shells get put into a passwd file

Specifically, how does a user's shell become equal to =/software/setpw/servers/restricted=? The answer is provided by the =[[%CFMANURL%?page=setpw-config&package=setpw][setpw-config]]= man page. The *setup in the CS environment* is described by the =[[%CFMANURL%?page=setpw-config-old&package=setpw][setpw-config-old]]= man page.

The users listed, one per line, in the file =/software/setpw/data/config/non-restricted-users= on a regional client for which the passwd file is *built* are the users who will get a standard shell rather than =/software/setpw/servers/restricted=.

Now, the reader should have noted the special emphasis on the word _built_. Specifically, this means the setpw client hostname appears on a single line within a file on the setpw regional master (in the student xhier region this is =cs-teaching.cs.private= and in the core region, =cs-general.cs.private=) in the directory =/software/setpw/data/config/hosts/= whose name has the form =hosts.some-name.rebuild.restrict=, where =some-name= is usually chosen to be informative. (However, password files are no longer built and distributed in this fashion.)

---+++ The management of the non-restricted-users file

The graphics lab in MC6055 and the Nortel Lab (room number escapes me?) are two labs in which access is restricted to specific users. Since both of these labs have uniform architectures, it is not necessary to build the passwd file on each of the hosts but only on one of them, and then use the =rdist= mode of passwd distribution, that is, copying the files over. As the build process can take valuable CPU power, the build hosts are not machines in the lab.

On *student.cs* the non-restricted-users files are generated whenever the =accounts_client= command is executed, albeit the exact path to this end goal is quite twisty.
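A check of the shell-assignment rule described above, as an added example that is not part of setpw or of the original page: it compares a built passwd file with a =non-restricted-users= list and reports accounts whose shell disagrees with the list. The function names and sample data are hypothetical; it assumes the passwd text passed in holds only accounts subject to restriction and that blank lines in the list are ignored.

```python
# Added example: audit a built passwd file against non-restricted-users.
RESTRICTED_SHELL = "/software/setpw/servers/restricted"  # path given on this page

def parse_allow_list(text):
    """One userid per line; blank lines are ignored (assumption)."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def audit_passwd(passwd_text, allowed):
    """Return (standard_shell_but_unlisted, listed_but_restricted) userid lists."""
    unlisted, restricted = [], []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                      # passwd(5) has seven fields
            raise ValueError(f"malformed passwd line: {line!r}")
        user, shell = fields[0], fields[6]
        if shell == RESTRICTED_SHELL:
            if user in allowed:                   # should have a standard shell
                restricted.append(user)
        elif user not in allowed:                 # should have been restricted
            unlisted.append(user)
    return unlisted, restricted

# Constructed sample data (not taken from any real host).
SAMPLE_ALLOW = "alice\nbob\n"
SAMPLE_PASSWD = """\
alice:x:1001:100:Alice:/u/alice:/bin/tcsh
bob:x:1002:100:Bob:/u/bob:/software/setpw/servers/restricted
carol:x:1003:100:Carol:/u/carol:/software/setpw/servers/restricted
dave:x:1004:100:Dave:/u/dave:/bin/sh
"""

if __name__ == "__main__":
    unlisted, restricted = audit_passwd(SAMPLE_PASSWD, parse_allow_list(SAMPLE_ALLOW))
    print("standard shell but not listed:", unlisted)
    print("listed but restricted:", restricted)
```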
---+ Dissection of sample accounts-client output

A sample run on cscf.cs:

<verbatim>
accounts-client student.cs
make_remote_accounts: Start processing Wed Dec 13 11:06:39 EST 2006
...
###################### Doing sponsored machines. Wed Dec 13 11:06:39 EST 2006
================= Wed Dec 13 11:06:41 2006 (2 seconds) student.cs
==== starting pid=15641 sponsor_aliases +f on student.cs ==== Wed Dec 13 11:06:42 EST 2006
==== doing alias_update ==== Wed Dec 13 11:06:42 EST 2006
==== finished sponsor_aliases on student.cs ==== Wed Dec 13 11:06:43 EST 2006
================= Wed Dec 13 11:06:43 2006 (2045 seconds) student.cs
==== starting pid=15662 sponsor_accounts +f -Groupcheck admin=cscf on student.cs ==== Wed Dec 13 11:06:44 EST 2006
==== checking id registry status ==== Wed Dec 13 11:06:44 EST 2006
==== doing account_update -Groupcheck ==== Wed Dec 13 11:06:44 EST 2006
sponsor_accounts: Update unchanged from last time
sponsor_accounts: Doing update anyway (because of +Force)
sponsor_accounts: distributing the passwd file to setpw clients ==== Wed Dec 13 11:06:47 EST 2006
sponsor_accounts: creating missing home directories ==== Wed Dec 13 11:16:36 EST 2006
sponsor_accounts: updating disk quota ==== Wed Dec 13 11:24:07 EST 2006
/software/accounts/maintenance/mkquota not found. Type '?' for a list of commands
sponsor_accounts: creating course directories ==== Wed Dec 13 11:27:36 EST 2006
sponsor_accounts: updating personal groups ==== Wed Dec 13 11:34:18 EST 2006
sponsor_accounts: running regional host-specific step ==== Wed Dec 13 11:34:18 EST 2006
========== setting restricted login users === Wed Dec 13 11:34:20 EST 2006
========== running update-mail-redirection === Wed Dec 13 11:34:33 EST 2006
update-mail-redirection FYI: updating the list of userids.
update-mail-redirection FYI: no changes, so not updating system mail aliases.
========== removing old truncated home-directories === Wed Dec 13 11:38:04 EST 2006
========== building truncated home-directories === Wed Dec 13 11:40:23 EST 2006
========== running mkfinal-windows-home === Wed Dec 13 11:40:44 EST 2006
========== creating //windows2000 directories === Wed Dec 13 11:40:45 EST 2006
========== mkfinal done === Wed Dec 13 11:40:48 EST 2006
==== finished sponsor_accounts on student.cs ==== Wed Dec 13 11:40:48 EST 2006
###################### Done. Wed Dec 13 11:40:48 EST 2006
</verbatim>

The =accounts-client= command is a C program that calls =/software/accounts-master/servers/make_remote_accounts=, which in turn runs the script =student.cs:/.software/regional/accounts/config/regional/mkfinal= on =student.cs= (the script is RCSed on student.cs). That script runs =/.software/local/accounts/data/host/do_restrictions= (also RCSed on student.cs), which is responsible for generating the non-restricted-users files for the various classes and uses rdist to copy them over to the client machines listed in the =build.restricted= setpw configuration file.

It is possible to restrict logins for one or more classes to a set of restricted hosts, where by _restricted_ we mean in the sense described in the setpw configuration files located in =/software/setpw/data/config/hosts/=. As an example, consider the file =/software/setpw/data/config/hosts/hosts.graphics.rebuild.restrict=.

The command =mkfinal= uses the configuration file =student.cs:/.software/local/accounts/data/host/config/restrictions= (RCSed on =student.cs=). Specifically, we have (as of Tue Jun 12, 2007):

<verbatim>
# Classes that are allowed to login to restricted machines
# Any changes take effect with the next "accounts-client student.cs".
# This configuration file is used on student.cs by the program:
# /software/accounts/data/host/mkfinal
# The first word on the line has to match the "*" in:
# /software/setpw/data/config/hosts/hosts.*.rebuild.restrict
commando cs445 cs446 cs447 cs645 cs646 cs647 ece451 ece452 ece453 se463 se464 se465
mc3007 cs445 cs446 cs447 cs483 cs645 cs646 cs647 cs683 ece451 ece452 ece453 se463 se464 se465
graphics cs488 cs679 cs688 cs689 cs446 cs446a cs646 cs779 cs788 cs788f cs788h cs798
</verbatim>

The class file =student.cs:/.software/local/accounts/data/host/classfile= is the file that is processed to determine which users go into which non-restricted-users files. The format of the class file is

<verbatim>
wtautz:sponsor-cscf:CSCF601:
</verbatim>

where the latter entries, separated by =:=, list the classes the user is in. In the case of CSCF staff some special provisions are made to allow for them to be in the graphics list even though most of us aren't enrolled in the course :-)

-- Main.WalterTautz - some time well before 12 Mar 2010
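The mapping from the =restrictions= file and the class file to per-group =non-restricted-users= lists, sketched as an added example; this is not the =mkfinal= or =do_restrictions= code, which the page does not show. The function names and sample data are hypothetical, and it assumes the class file layout is =userid:sponsor:CLASS:...:= and that class names are compared without regard to case.

```python
"""Added example: derive non-restricted-users lists from the two files."""

def parse_restrictions(text):
    """Map group name (the "*" in hosts.*.rebuild.restrict) to its classes."""
    groups = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()   # drop comments, split on blanks
        if words:
            groups.setdefault(words[0], set()).update(w.lower() for w in words[1:])
    return groups

def parse_classfile(text):
    """Yield (userid, classes); assumes userid:sponsor:CLASS:...: layout."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[0]:
            yield fields[0], {f.lower() for f in fields[2:] if f}

def non_restricted_users(restrictions_text, classfile_text):
    """Return {group: sorted userids enrolled in one of the group's classes}."""
    groups = parse_restrictions(restrictions_text)
    allowed = {name: set() for name in groups}
    for user, classes in parse_classfile(classfile_text):
        for name, group_classes in groups.items():
            if classes & group_classes:         # enrolled in any listed class
                allowed[name].add(user)
    return {name: sorted(users) for name, users in allowed.items()}

# Constructed sample input (userids and sponsors are made up).
SAMPLE_RESTRICTIONS = """\
# group   classes allowed to log in
graphics cs488 cs688
mc3007 cs445 cs446
"""
SAMPLE_CLASSFILE = """\
student1:sponsor-x:CS488:CS446:
student2:sponsor-x:CS135:
student3:sponsor-x:cs445:
staff1:sponsor-cscf:CSCF601:
"""

if __name__ == "__main__":
    result = non_restricted_users(SAMPLE_RESTRICTIONS, SAMPLE_CLASSFILE)
    for group, users in result.items():
        print(f"non-restricted-users for hosts.{group}.rebuild.restrict: {users}")
```

The special provision for CSCF staff mentioned above is not modelled here, so =staff1= appears in no list.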
Topic revision: r3 - 2014-12-18 - AdrianPepper
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.
Copyright © 2008-2025 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.