Difference between revisions of "Admin reference"

From ProgClub
(Kerberos administration)
(Adding a new user)
Line 38: Line 38:
  
 
== Adding a new user ==
 
== Adding a new user ==
 +
 +
=== Updating members database ===
 +
 +
At the moment member information is recorded in [[Members]]. A member should have a Wiki account to start with, then an entry in the [[Members]] page (where they are allocated a member number), then the "User info" on their user page should be filled out (leave fields as "Not disclosed" unless you have their permission to publish their details). After the [[Members]] page has been updated you will have:
 +
 +
* {username}: the Unix/Kerberos username of the new member
 +
* {member number}: the member's User ID
 +
* {group}: whether the user has 'sudo' membership or not
 +
** there are two groups at ProgClub: 'sudo' and 'user'
 +
*** everyone is in 'user' (gidNumber == 500)
 +
*** administrators are in 'sudo' (gidNumber == 27)
 +
 +
And that's enough information to create their account as detailed below.
  
 
=== Kerberos administration ===
 
=== Kerberos administration ===
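Review bot: the new section says the member number becomes the account's User ID but not which range the Members page allocates it from; the adduser and uidNumber steps later on this page pass that number straight through, so a member number inside the host's system uid range would collide with a local account. State the allocation range (or the lowest permitted member number) next to "{member number}: the member's User ID".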
Line 45: Line 58:
 
* SSH to charity.progclub.org
 
* SSH to charity.progclub.org
 
* Login
 
* Login
* Run kadmin addprinc, i.e. $ sudo kadmin -p {your username} -q "addprinc {username}"
+
* Run kadmin addprinc:
 +
 
 +
$ sudo kadmin -p {your username} -q "addprinc {username}"
 +
 
 
** Note: use sudo so that the log file can be written
 
** Note: use sudo so that the log file can be written
 
** {your username} is your ProgClub username
 
** {your username} is your ProgClub username
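Review bot: the split-out command `sudo kadmin -p {your username} -q "addprinc {username}"` prompts for the new principal's initial password, and the notes under it only explain sudo and {your username}; add a line on how that initial password is chosen and delivered to the new member, and that they should change it with kpasswd on first login, since with the LDAP password being junk this is the credential a member actually logs in with.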
Line 57: Line 73:
  
 
  $ sudo /etc/init.d/krb5-admin-server restart
 
  $ sudo /etc/init.d/krb5-admin-server restart
 +
 +
=== Creating home directory or administrative login ===
 +
 +
* SSH to charity.progclub.org
 +
* Login
 +
 +
If you are creating an administrative account, run:
 +
 +
# adduser --uid {member number} --gid 27 {username}
 +
 +
If you are creating a normal user account, run:
 +
 +
# adduser --uid {member number} --gid 500 --disabled-password {username}
 +
# deluser {username}
 +
 +
(This creates the user's home directory)
  
 
=== LDAP administration ===
 
=== LDAP administration ===
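Review bot: the normal-user sequence `adduser ... --disabled-password {username}` followed by `deluser {username}` is not explained; say that adduser is only used to create and own /home/{username} and that deluser then drops the local passwd entry again (deluser leaves the home directory unless --remove-home is given), so the account is served from LDAP afterwards. The administrative variant keeps its local entry and, without --disabled-password, adduser prompts for a local password, which gives admins a second credential outside Kerberos; either pass --disabled-password there too or document why a local password is wanted.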
Line 70: Line 102:
 
* ObjectClass: inetOrgPerson
 
* ObjectClass: inetOrgPerson
 
* Select the RDN attribute: Username (uid)
 
* Select the RDN attribute: Username (uid)
* Enter 'cn', this is the Common Name, i.e. the user's full name
+
* Enter 'cn', this is the Common Name, i.e. the user's full name, or their username
* Enter 'sn', this is the Surname, i.e. the user's last name
+
* Enter 'sn', this is the Surname, i.e. the user's last name, if it's disclosed, else blank
* Enter 'displayName', i.e. the user's full name
+
* Enter 'displayName', i.e. the user's full name, if it's disclosed, else blank
* Enter 'Email', i.e. the user's email address
+
* Enter 'Email', i.e. the user's email address, if it's disclosed, else blank
* Enter 'givenName', i.e. the user's first name
+
* Enter 'givenName', i.e. the user's first name, it's disclosed, else blank
* Enter 'Password', type in lots of junk, set to MD5
 
 
* Enter 'Username', this is their Posix username, all lowercase
 
* Enter 'Username', this is their Posix username, all lowercase
 
* Click 'Create Object'
 
* Click 'Create Object'
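Review bot: "Enter 'givenName', i.e. the user's first name, it's disclosed, else blank" is missing the "if" that the neighbouring lines have. Also, "else blank" for 'sn' will not work with inetOrgPerson, whose schema lists sn (together with cn) as a required attribute, so an empty surname is rejected at 'Create Object'; suggest the same fallback as for cn, i.e. use the username when the surname is not disclosed.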
Line 81: Line 112:
 
* Scroll down to 'objectClass' and click 'add value'
 
* Scroll down to 'objectClass' and click 'add value'
 
* Select 'posixAccount'
 
* Select 'posixAccount'
* Enter the 'gidNumber': 500 for admin, 501 for user
+
* Enter the 'gidNumber': 27 for admin, 500 for user
 
* Enter the 'homeDirectory': /home/{username}, e.g. /home/jj5
 
* Enter the 'homeDirectory': /home/{username}, e.g. /home/jj5
 
* Enter the 'uidNumber': this is the member number allocated on the web-site in [[Members]]
 
* Enter the 'uidNumber': this is the member number allocated on the web-site in [[Members]]
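Review bot: the corrected values now agree with the Updating members database section (sudo is gidNumber 27, user is 500), which the old 500/501 pair did not. Worth one sentence that gidNumber is the primary group only: an administrator created with 27 is not in 'user' (500) through this attribute, so anything granted to gid 500 must also be granted to gid 27 or to admins via a posixGroup memberUid entry.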

Revision as of 23:42, 14 August 2011

This page is a reference for ProgClub system administrators. For information about ProgClub domains, see Domains. For information about member services, see Services. See Machines for information about hosts on the ProgClub network. See Projects for current projects or check out our Forums to get in touch.

Administrative reference

If you're administering ProgClub assets, please document your actions on the wiki. See the relevant pages:

See Future machine names for the kind of stuff we're on about.

See, or update, Network administration for work that needs to be done.

Etckeeper

Etckeeper is now installed on Charity, which means the correct procedure after making edits to files in /etc is to issue:

$ sudo etckeeper commit "my reasoning here"

after you're done with your changes. There is an automatic commit every day and another whenever you apt-get install something; in between, commit your changes manually as above. To see the commit log for a particular file:

$ sudo bzr log /etc/passwd

To revert an unwanted or bad change, work out which revision you want to revert to (see log above) and run:

$ sudo bzr revert --revision <commit number> <file>

For example, to restore /etc/passwd to the state it was in at revision 3:

$ sudo bzr revert --revision 3 /etc/passwd

To check for uncommitted changes, run (from inside /etc):

$ sudo bzr status

For example:

$ sudo bzr status
modified:
  crontab

If you see no output, there are no uncommitted changes.

Adding a new user

Updating members database

At the moment member information is recorded in Members. A member should have a Wiki account to start with, then an entry in the Members page (where they are allocated a member number), then the "User info" on their user page should be filled out (leave fields as "Not disclosed" unless you have their permission to publish their details). After the Members page has been updated you will have:

  • {username}: the Unix/Kerberos username of the new member
  • {member number}: the member's User ID
  • {group}: whether the user has 'sudo' membership or not
    • there are two groups at ProgClub: 'sudo' and 'user'
      • everyone is in 'user' (gidNumber == 500)
      • administrators are in 'sudo' (gidNumber == 27)

And that's enough information to create their account as detailed below.

Kerberos administration

To create a new user in Kerberos:

  • SSH to charity.progclub.org
  • Login
  • Run kadmin addprinc:
$ sudo kadmin -p {your username} -q "addprinc {username}"
    • Note: use sudo so that the log file can be written
    • {your username} is your ProgClub username
    • {username} is the ProgClub username of the user you are adding

If the user is an administrator, add them to /etc/krb5kdc/kadm5.acl. E.g., at the end of the file,

username@PROGCLUB.ORG *

replacing 'username' as appropriate. You need to restart the Kerberos administration server after this change:

$ sudo /etc/init.d/krb5-admin-server restart

Creating home directory or administrative login

  • SSH to charity.progclub.org
  • Login

If you are creating an administrative account, run:

# adduser --uid {member number} --gid 27 {username}

If you are creating a normal user account, run:

# adduser --uid {member number} --gid 500 --disabled-password {username}
# deluser {username}

(For a normal account, adduser is used only to create /home/{username}; the following deluser removes the local account again but leaves the home directory in place, since the user's Posix account lives in LDAP. An administrative account keeps its local login.)

LDAP administration

To create a user in LDAP:

  • Open the LDAP administration tool
  • Login: cn=admin,dc=progclub,dc=org
  • Navigate to: ou=users
  • Click 'Create new entry here'
  • Choose 'Default'
  • Container should be: ou=users,dc=progclub,dc=org
  • ObjectClass: inetOrgPerson
  • Select the RDN attribute: Username (uid)
  • Enter 'cn', this is the Common Name, i.e. the user's full name, or their username
  • Enter 'sn', this is the Surname, i.e. the user's last name, if it's disclosed, else blank
  • Enter 'displayName', i.e. the user's full name, if it's disclosed, else blank
  • Enter 'Email', i.e. the user's email address, if it's disclosed, else blank
  • Enter 'givenName', i.e. the user's first name, if it's disclosed, else blank
  • Enter 'Username', this is their Posix username, all lowercase
  • Click 'Create Object'
  • Review the entry and click 'Commit'
  • Scroll down to 'objectClass' and click 'add value'
  • Select 'posixAccount'
  • Enter the 'gidNumber': 27 for admin, 500 for user
  • Enter the 'homeDirectory': /home/{username}, e.g. /home/jj5
  • Enter the 'uidNumber': this is the member number allocated on the web-site in Members
  • Click 'Add ObjectClass and Attributes'
  • Review the entry and click 'Update Object'
  • Scroll down to 'objectClass' and click 'add value'
  • Select 'shadowAccount'
  • Click 'Add new ObjectClass'
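The whole Adding a new user procedure (Kerberos principal, home directory, LDAP entry) as a dry-run plan generator, added here as an example and not ProgClub's own tooling: it emits the commands and a single ldapadd entry for review instead of clicking through the three LDAP passes. The realm PROGCLUB.ORG, the ou=users,dc=progclub,dc=org container and the 27/500 group ids come from this page; the kadm5.acl append via tee, the member-number lower bound of 1000 and the sn fallback to the username (the inetOrgPerson schema requires sn) are assumptions.

```python
import base64
import hashlib
import os
import re

GID = {"sudo": 27, "user": 500}        # group ids as recorded on the Members page
REALM = "PROGCLUB.ORG"
USERS_DN = "ou=users,dc=progclub,dc=org"

def check(username, member_number, group):
    # Posix username must be all lowercase (per the page); gidNumber is 27 or 500
    if not re.fullmatch(r"[a-z][a-z0-9_-]*", username):
        raise ValueError("username must be all lowercase")
    if group not in GID:
        raise ValueError("group must be 'sudo' or 'user'")
    if member_number < 1000:  # assumption: member numbers sit above the system uid range
        raise ValueError("member number collides with system uids")

def unusable_md5_password():
    # page: type in lots of junk, MD5 it; auth is via Kerberos so this is never handed out
    return "{MD5}" + base64.b64encode(hashlib.md5(os.urandom(32)).digest()).decode()

def provisioning_plan(admin_principal, username, member_number, group):
    """Shell commands to run on charity.progclub.org, in the order the page gives them."""
    check(username, member_number, group)
    steps = [f'sudo kadmin -p {admin_principal} -q "addprinc {username}"']
    if group == "sudo":
        # assumption: appending with tee is how the kadm5.acl line is added
        steps.append(f"echo '{username}@{REALM} *' | sudo tee -a /etc/krb5kdc/kadm5.acl")
        steps.append("sudo /etc/init.d/krb5-admin-server restart")
        steps.append(f"sudo adduser --uid {member_number} --gid {GID['sudo']} {username}")
    else:
        steps.append(f"sudo adduser --uid {member_number} --gid {GID['user']} "
                     f"--disabled-password {username}")
        steps.append(f"sudo deluser {username}")  # local entry goes, home directory stays
    return steps

def user_ldif(username, member_number, group, cn="", sn="", given_name="", mail=""):
    """One ldapadd entry covering the inetOrgPerson, posixAccount and shadowAccount passes."""
    check(username, member_number, group)
    attrs = [("dn", f"uid={username},{USERS_DN}"), ("objectClass", "inetOrgPerson"),
             ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
             ("uid", username), ("cn", cn or username),  # full name if disclosed, else username
             ("sn", sn or username),  # assumption: schema requires sn, so fall back like cn
             ("uidNumber", str(member_number)), ("gidNumber", str(GID[group])),
             ("homeDirectory", f"/home/{username}"), ("userPassword", unusable_md5_password())]
    for name, value in (("givenName", given_name), ("displayName", cn), ("mail", mail)):
        if value:  # only details the member disclosed on their user page
            attrs.append((name, value))
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"
```

Pipe the returned LDIF into ldapadd bound as cn=admin,dc=progclub,dc=org; the member names and numbers used in any test run are constructed samples.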