Administrative Accounts

IncludeSponsorsDataPreamble

These notes relate to adding users to groups and servers using the Xhiered Accounts packages. This controls access to "xhiered" machines as well as those using the CS Active Directory for accounts management.

IncludeSponsorsDataRequiredAuthorization

Required authorization

  • Users who need to update accounts need to be in group "sponsor" and group "accounts" on cscf.cs.
  • Users who need to manipulate accounts, for example set passwords, in the core region to be in the "accounts" group on core.cs. Similarly for any other region.

IncludeSponsorsDataCreatingUserids

Creating Truly New Users (Userids)

Before you can use the sponsors data software to create new accounts for a userid, that userid must be present on cscf.cs.uwaterloo.ca in the file /software/accounts-userids/data/Userids on the machine cscf.cs.uwaterloo.ca. Often, but not always, that happens automatically.

If the userinfo command gives results for the userid, then the userid is appropriately present in this file, and you can proceed. (And use the Id Number: indicated by the output as the id number to associate with the userid). If userinfo gives no output for the particular user, more work is needed to get the userid into the file.

The Id Number: will be a student id, employee id, HR id, employee id, or WatIAM "P-number", in that order. In fact, you will see other obscure values listed too. But only the one shown can be used. Users with a lengthy history at UW sometimes have several other values shown as the Other Ids: value; you cannot use any of those values.

In most cases user names and identification numbers already exist, precreated in WatIAM. In other limited cases, the correct thing to do is create a userid which really should, for various reasons, not be put in WatIAM. And occasionally you need to do things to cause the WatIAM account creation.

WatIAM account creation (precreation) is discussed at this link which requires appropriate authentication.

After the WatIAM account has been created, you normally need to wait until the next business day for the new userid to be available for sponsors data. Various technical personnel, including Adrian Pepper, can accelerate that process, however.

If you need to do that yourself, perhaps see Discussion of the Userids File for Experts.

And bear in mind Information about Userids in the Sponsors Data.

IncludeSponsorsDataCreatingUserids

Creating Truly New Groups (gids)

If you are creating a new group to appear in the Active Directory (eg: users_researchgroup), you will need to follow the instructions in CreatingGroupAccounts

IncludeSponsorsDataLocation

Location of Accounts Sponsor files

The accounts files for CS are on the UNIX computer cscf.cs.uwaterloo.ca

cd /software/accounts-master/data/sponsors

Beneath /software/accounts-master/data/sponsors/
in sub-directories

  • CLASSES
  • CSCF
  • School

are files for describing various different types of non-research resources.

SponsorsDataDirectoryAdminOrganization

The following table indicates how some of the data, on the UNIX computer cscf.cs.uwaterloo.ca, under the directory

/software/accounts-master/data/sponsors
is organized. Here we present information about directories other than those specifically related to course-specific resources, and explicit researcher sponsorship. That should be "administration", but isn't quite.

IncludeSponsorsDataDirectoryTableStart

Directory/File NamePurpose
CLASSES/
IncludeSponsorsDataDirectoryCLASSES
CLASSES/ files under ClASSES allocate resources for instructors and instructional support staff
CLASSES/CA-cs accounts named after CS courses, e.g. cs100
CLASSES/CA-se accounts named after Software Engineering courses, e.g. se240
CLASSES/TA-cs CS TAs - Tutorial Assistants, not to be confused with Tutors
CLASSES/TA-se SE TAs
CLASSES/Tutors CS Tutors - usually co-op students
CLASSES/automatic/ directory for some conceptually automatically generated files; currently the result of processing Grad Office TA database to produce sponsorship info for TAs
CLASSES/course.work logical supplement to REGISTRAR/cs
CLASSES/instructors resources for (generally non-faculty) instructors
CSCF/
IncludeSponsorsDataDirectoryCSCF
CSCF/ files under CSCF facilitate the computing facility
CSCF/admin administrative assistant staff, and many mailing lists
CSCF/consulting this is the MC3017 consultants
CSCF/taskgroups mailing aliases for task-groups
CSCF/technicians CSCF technical staff
School/
IncludeSponsorsDataDirectorySchool
School/ files under School are for non-teaching resource requirements
School/Away-Personnel sponsors expiry period for personnel, to keep their account when they leave
School/CS.MathClubs Courtesy email aliases for Math Clubs, etc.
School/CS.Grads extra accounts and mail aliases for grads (not research, e.g. csgsa)
School/CS.UGrad extra accounts for undergrads (currently just csc)
School/Courtesy discretionary accounts for retired faculty, etc.
School/ICR a few accounts for Institute for Computer Research
School/Sessionals-YYMM sessional instructors for term YYMM
School/cs.admin Things which don't fit anywhere else
School/dean.admin CS resources needed by the DOM office
School/se.admin Software Engineering administration and also mail aliases
School/special_events Special Events such as CS days and ACM contests

The files can be changed using a standard text editor. Some files are subject to revision control using RCS.

For a tutorial on editing sponsors files see SponsorsDataEditingTutorial.

After changes have been made, continue with the steps which follow.

Cautionary Notes About Editing the Sponsors Data

IncludeSponsorsDataEditingCaution
In general you should avoid making easy-to-make mistakes.

Nearly all files found in the directory

   /software/accounts-master/data/sponsors/
and all directories beneath it, will be processed by the sponsor_resources command. Exceptions are files whose name begins with . (dot/period) and files in sub-directories which sub-directories are named RCS. If a subdirectory name begins with . (dot/period) then everything beneath it will be ignored (unless referred to explicitly by other files).

The upshot of that is that you cannot place arbitrary files in these directories, or sponsor_resources will stop working correctly.

When editing the sponsors data files, it can often be convenient to copy and modify previously existing lines to create your new additions. If you do that, make sure you correctly change all relevant SponsorshipEnds dates, or remove them as appropriate. Also make sure you delete or change any comments which are irrelevant in the new context. It's better to leave no comments than leave confusing comments.

Consider that the files are intended to help later readers understand the sponsorship situation; use a few comment lines ("#"), and, in general, put a blank line before each ==== line.

Note that id numbers need to be associated with userids. This can be done directly in the AssignTo line as in

      AssignTo: sgamgee:02020202

Or it can be done in the Userids: section at the top of the file.

To help make sure we don't slip up and put a real userid:studentid in one of these pages, we by convention omit :studentid in all examples.

Finally, make sure you remember to use the co command so you leave the file editable by others.

IncludeSponsorResourcesAccountsClient

Run the sponsor_resources program to process the changes

IncludeSponsorsDataRunSponsorResources

sponsor_resources takes the data under /software/accounts-master/data/sponsors and produces per-user requirements in per-machine (actually per-region) files under /software/accounts-master/data/resources. Along the way, it might detect errors in the changes you made. Fix any problems that are reported and keep rerunning sponsor_resources until all errors have gone away.

Here is an example of a "bad run":

@cscf[140]% sponsor_resources
Error: /software/accounts-master/data/sponsors/Research/Terry line 63: Userid 'bjlafren'
 is not a standard userid
FYI:  78150(20697) computings, 1262(1180) printers, 300(0) aliases, 0(0) ppps
FYI:  1 error, 0 warnings, (0 notes)
FYI: expired sponsorship entries:  91 computings, 2 printers, 0 aliases, 0 ppps
@cscf[141]%
In this case, sponsor_resources complained because we used the short version of the userid ("bjlafren"), but it always requires the long version (ie: "bjlafreniere").

This is an example of a "good run":

@cscf[143]% sponsor_resources
FYI:  78151(20697) computings, 1262(1180) printers, 300(0) aliases, 0(0) ppps
FYI:  0 errors, 0 warnings, (0 notes)
FYI: expired sponsorship entries:  91 computings, 2 printers, 0 aliases, 0 ppps
@cscf[144]%

Path to the "sponsor_resources" command

If you don't happen to have the maintenance commands in your path, the path to the sponsor_resources command is:
/software/accounts-master/maintenance/sponsor_resources

Run the userinfo program to verify your changes

IncludeSponsorsDataRunUserinfo

Run the userinfo command before and after you make your changes to verify that its output reflects your intended changes. More details are here.

Run the accounts-client program

IncludeSponsorsDataRunAccountsClient

accounts-client {hostname, eg:core.cs} >& ~/hostname-date &

This will cause the desired changes to actually happen on the appropriate machine (hostname; what is described as "Computing:" in the sponsor file, which may in turn affect a region of machines). /etc/passwd and /etc/group file will be updated if necessary, as will system quota files, and home directories will be created for any newly-created users. The diagnostic output from the job will be written to the given filename in your home directory. eg:

   accounts-client softbase.cs >& ~/softbase-20100208 &
   
If your changes will cause changes on multiple regions, you will need to run the command for each. eg:
   accounts-client student.cs >& ~/student-20100208 &
   accounts-client core.cs >& ~/core-20100208 &
   
If you run accounts-client with no name, all known regions are updated. eg:
   accounts-client >& ~/ac-all-20100208 &
   
That can take a long time to finish.

Path to the "accounts-client" command

If you don't happen to have the maintenance commands in your path, the path to the accounts-client command is:
/software/accounts-master/maintenance/accounts-client

Setting the Password

IncludeSponsorsDataSetPassword
Once an account has been created or if someone forgets their password, the password for the account must be (re)set.

That must be done by logging into a machine where the account has been created.

For the example of the core environment, that must actually be done by logging in to any of the core.cs Unix systems except for core.cs itself (due to a software problem)

For example

   ssh cpu102.cs
   
and running the "password" command, e.g.
   password +r TheUserid=
   
That will generate a random password for TheUserid. Give the password to the person owning the userid, or their "point of contact". Suggest that the password should be changed as soon as possible. Users will usually want to do that, as the password is hard to remember.

For the student.cs Unix systems, you must choose a machine other than student.cs. Additionally the chosen machine must be running the Solaris operating system. Therefore use...

   ssh cpu-solaris.student.cs
   

For older regions such as ai0.uwaterloo.ca, softbase.cs (which includes ds1,cs) the named regional server can be used. For newer systems, arrangements will need to be made to set the CS-GENERAL Active Directory password.

Note that only users in group accounts can change other users' passwords in this manner.

Documentation

IncludeSponsorsDataDocumentation

The following traditional UNIX man page documentation describes the sponsors data base in a technical fashion. As you become familiar with how things work in general, you might find this documentation good for checking specific details.

-- AdrianPepper - 16 Jun 2010

Topic revision: r11 - 2010-10-26 - AdrianPepper
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.


Edit

 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2014 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback