Difference between revisions of "Infrastructure Management"

From CSLabsWiki

Revision as of 22:46, 31 August 2015

This page serves to be a quick but complete reference of various infrastructure-related tasks.

Emergency operations: I NEED to...

This section is under construction!
 

Operations: How do I...

...list users?

Method 1 (LDAP information, as seen by users on enrolled machines)

Privilege level: Users
 

On any machine, run getent passwd and view the entries with a UID (third field) >= 1000000 (1 million).

Method 2 (LDAP information, raw query)

Privilege level: Anyone
 

On any machine with the OpenLDAP client binaries, run ldapsearch -H ldap://talos.cslabs.clarkson.edu/ -D "" -b ou=users,dc=cslabs,dc=clarkson,dc=edu and try to grok the resulting LDIF.
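The LDIF that ldapsearch prints is easier to grok once it is reduced to one line per user. The helper below is an added example, not part of the wiki or of any CSLabs tooling: summarize_ldif unfolds LDIF continuation lines (a line starting with a single space continues the previous one), skips ldapsearch's comment lines, and prints uid:uidNumber:homeDirectory for each entry. The sample LDIF is constructed to look like the output of the query above; the fold in the second entry is deliberately short so the unfolding is exercised.

```shell
# Added example (not from the wiki): reduce ldapsearch LDIF output to one
# "uid:uidNumber:homeDirectory" line per entry.  Base64 values ("attr:: ...") are not decoded.
summarize_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }     # continuation line: unfold into buf
        { handle(buf); buf = $0 }                   # previous line is now complete
        END { handle(buf); flush() }
        function handle(line,   key, val) {
            if (line == "") { flush(); return }     # blank line ends an entry
            if (line ~ /^#/) return                 # ldapsearch comment line
            key = line; sub(/:.*$/, "", key)
            val = line; sub(/^[^:]*:[ ]*/, "", val)
            attr[key] = val
        }
        function flush(   k) {
            if ("uid" in attr)
                print attr["uid"] ":" attr["uidNumber"] ":" attr["homeDirectory"]
            for (k in attr) delete attr[k]
        }'
}

# Constructed sample in the shape of the ldapsearch output described above
# (two posixAccount entries plus the trailer ldapsearch appends).
SAMPLE_LDIF='# user1, users, cslabs.clarkson.edu
dn: cn=user1,ou=users,dc=cslabs,dc=clarkson,dc=edu
cn: user1
uid: user1
uidNumber: 1000000
homeDirectory: /mnt/home/user1
loginShell: /bin/sh

# user2, users, cslabs.clarkson.edu
dn: cn=user2,ou=users,dc=cslabs,dc=clarkson,dc=edu
cn: user2
uid: user2
uidNumber: 1000001
homeDirectory: /mnt/home/use
 r2
loginShell: /bin/bash

# search result
search: 2
result: 0 Success'

# Real use: ldapsearch -H ldap://talos.cslabs.clarkson.edu/ -D "" -b ou=users,dc=cslabs,dc=clarkson,dc=edu | summarize_ldif
printf '%s\n' "$SAMPLE_LDIF" | summarize_ldif
```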

Method 3 (Kerberos user principals)

Privilege level: Administrators
 
  1. Login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
  2. Run getprincs.

...create a new user?

Privilege level: Administrators
 
  1. First, login to PLA: navigate to phpLDAPAdmin on Talos (alt link), accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
  2. Expand dc=cslabs,dc=clarkson,dc=edu, then expand ou=users.
  3. Click Create new entry here immediately under ou=users.
  4. In the right pane, select Generic: User Account.
  5. Enter relevant account information, setting the following attributes. (This is going to be a little challenging, because some of the fields automatically populate from other fields. Check your work before saving it.)
    • User ID must be a valid Unix username. cn is traditionally set to the same value. (These fields like to populate from name, so change them after name.)
    • GID number should almost always be users (it's actually a drop-down).
    • Home directory should be /mnt/home/username. This will be set up momentarily.
    • Login shell can be left up to preference of users, but should be set to /bin/sh for maintainers and administrators to avoid being refused a session on a machine that doesn't have a certain shell.
    • The UID Number cannot be changed here. It will be done after saving.
  6. Critical section: perform these steps as a single transaction, and as quickly as possible! Click Create Object, and accept the changes. From the next screen in the right pane, confirm adding the object; then, immediately go to the newly added object and change the UID Number field to a proper value (ours start at one million [1000000] and go up; use getent passwd on any enrolled machine to get the current ID mappings and choose one that isn't allocated). Click Update Object, then again click through to confirm the changes.
  7. Double-check the fields while you're here; if you need to change anything, do so, click Update Object, and click through the confirmation.
  8. Have the user type their password in the password field; make sure to set the hash method to ssha (or something stronger than MD5). Update Object, click through to confirm.
  9. If the user is to be a member of other groups, enter the ou=groups unit in the left pane and select the relevant groups. From the right pane, you may select modify group members under the memberUID field. After you're done modifying the members, remember to click through the confirmation.
  10. Then, login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
  11. Run addprinc username. Have the user enter their password, which should, for ease of use, be the same as the LDAP password.
  12. For administrators, also run addprinc username/admin for an administrative principal (one to use with kadmin etc.). This should not be the same password.
  13. Finally, login to Metapod
  14. cd to /storage/home/, and mkdir username. Then, chown username:username username

That should be it!
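Two of the steps above lean on getent passwd: listing the LDAP users (Method 1, UIDs at or above one million) and, in the critical section of step 6, picking a UID Number that is not already allocated. The helpers below are an added example, not part of the wiki or of any CSLabs tooling: list_ldap_users filters passwd-format lines to the LDAP range and next_free_uid reports the lowest unused UID at or above the floor. The function names and the sample passwd lines are constructed for the example.

```shell
# Added example (not from the wiki): read passwd-format lines (what `getent passwd`
# prints), keep the LDAP accounts (UID >= 1000000) and find the lowest unallocated
# UID at or above that floor for a new account.
LDAP_UID_FLOOR=1000000

# Print "user:uid:home" for each entry whose UID (third field) is at or above the floor.
list_ldap_users() {
    awk -F: -v min_uid="$LDAP_UID_FLOOR" '$3 >= min_uid { print $1 ":" $3 ":" $6 }'
}

# Print the lowest UID >= floor that no entry in the input uses, so the value typed
# into the UID Number field in step 6 does not collide with an existing account.
next_free_uid() {
    awk -F: -v min_uid="$LDAP_UID_FLOOR" '
        $3 >= min_uid { used[$3] = 1 }
        END { uid = min_uid; while (uid in used) uid++; print uid }'
}

# Constructed sample standing in for `getent passwd` on an enrolled machine:
# two local accounts below the floor and three LDAP accounts with a gap at 1000002.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
local1:x:1000:1000:Local User:/home/local1:/bin/bash
user1:*:1000000:100:LDAP User One:/mnt/home/user1:/bin/sh
user2:*:1000001:100:LDAP User Two:/mnt/home/user2:/bin/bash
user4:*:1000003:100:LDAP User Four:/mnt/home/user4:/bin/zsh'

# Real use: getent passwd | list_ldap_users   and   getent passwd | next_free_uid
printf '%s\n' "$SAMPLE_PASSWD" | list_ldap_users
printf 'next free UID: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | next_free_uid)"
```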

...delete a user?

First off, this usually doesn't need to be done. Nonetheless, these instructions are included for completeness.

  1. First, login to PLA: navigate to phpLDAPAdmin on Talos (alt link), accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
  2. In the left pane, navigate to ou=users,dc=cslabs,dc=clarkson,dc=edu.
  3. Select the user you'd like to delete under this OU.
  4. In the right pane, click Delete this entry. If you are satisfied, confirm this action. This cannot be undone.
  5. Then, login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
  6. Issue delprinc username.
  7. For administrative users, also issue delprinc username/admin.

You should stop here. However, if data loss is of little concern to you (which is wrong and I have strong words to the contrary if you fite me irl), you can also login to Metapod and rm -rf /storage/home/username as root.

...enroll a Debian machine in central authentication?

This section is under construction! For now, refer to the bottom of the great Talos book. The headings there practically enumerate the list that will go here, anyway.
 

Change a motherf***ing password?

Nag Graham.