Infrastructure Management
From CSLabsWiki
This page is intended as a quick but complete reference for various infrastructure-related tasks.
Emergency operations: I NEED to...
Operations: How do I...
...list users?
Method 1 (LDAP information users on enrolled machines)
Privilege level: Users
On any machine, run getent passwd and view the entries with a UID (third field) >= 1000000 (1 million).
Method 2 (LDAP information, raw query)
Privilege level: Anyone
On any machine with the OpenLDAP client binaries, run ldapsearch -H ldap://talos.cslabs.clarkson.edu/ -D "" -b ou=users,dc=cslabs,dc=clarkson,dc=edu and try to grok the resulting LDIF.
Method 3 (Kerberos user principals)
Privilege level: Administrators
- Login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
- Run getprincs.
...create a new user?
Privilege level: Administrators
- First, login to PLA: navigate to phpLDAPAdmin on Talos (alt link), accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
- Expand dc=cslabs,dc=clarkson,dc=edu, then expand ou=users.
- Click Create new entry here immediately under ou=users.
- In the right pane, select Generic: User Account.
- Enter relevant account information, setting the following attributes. (This is going to be a little challenging, because some of the fields automatically populate from other fields. Check your work before saving it.)
  - User ID must be a valid Unix username. cn is traditionally set to the same value. (These fields like to populate from name, so change them after name.)
  - GID number should almost always be users (it's actually a drop-down).
  - Home directory should be /mnt/home/username. This will be set up momentarily.
  - Login shell can be left to the preference of the user, but should be set to /bin/sh for maintainers and administrators to avoid being refused a session on a machine that doesn't have a certain shell.
  - The UID Number cannot be changed here. It will be done after saving.
- Critical section: perform these steps as a single transaction, and as quickly as possible! Click Create Object, and accept the changes. From the next screen in the right pane, confirm adding the object; then, immediately go to the newly added object and change the UID Number field to a proper value (ours start at one million [1000000] and go up; use getent passwd on any enrolled machine to get the current ID mappings and choose one that isn't allocated). Click Update Object, then again click through to confirm the changes.
- Double-check the fields while you're here; if you need to change anything, do so, click Update Object, and click through the confirmation.
- Have the user type their password in the password field; make sure to set the hash method to ssha (or something stronger than MD5). Update Object, click through to confirm.
- If the user is to be a member of other groups, enter the ou=groups unit in the left pane and select the relevant groups. From the right pane, you may select modify group members under the memberUID field. After you're done modifying the members, remember to click through the confirmation.
- Then, login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
- Run addprinc username. Have the user enter their password, which should, for ease of use, be the same as the LDAP password.
- For administrators, also run addprinc username/admin for an administrative principal (one to use with kadmin etc.). This should not be the same password.
- Finally, login to Metapod.
- cd to /storage/home/, and mkdir username. Then, chown username:username username.
That should be it!
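The UID rule above (lab user UIDs start at 1000000 and must not collide with an existing getent passwd entry) and the "double-check the fields" step lend themselves to a small script. This is an added example, not code from the wiki or the lab: the UID floor comes from the page, while the passwd lines and the account names are constructed samples.

```shell
#!/bin/sh
# Added example, not from the wiki: helpers for the UID step of the create-user
# procedure. The lab floor for user UIDs (1000000) is from the page; the account
# lines below are constructed samples, not real entries.

# Print the lowest unallocated UID at or above the floor, reading passwd-format
# lines on stdin (in the lab: getent passwd | next_free_uid).
next_free_uid() {
    floor="${1:-1000000}"
    awk -F: -v floor="$floor" '
        $3 >= floor { used[$3] = 1 }
        END {
            uid = floor
            while (uid in used) uid++
            print uid
        }'
}

# Check one freshly created account as the "double-check" step asks: exactly
# one entry, UID at or above the floor and not shared with another account,
# and home directory /mnt/home/<username>. Exits 0 when all checks pass.
verify_user_entry() {
    user="$1"
    awk -F: -v u="$user" -v floor=1000000 '
        $1 == u { n++; uid = $3; home = $6 }
        $3 >= floor { seen[$3]++ }
        END {
            bad = 0
            if (n != 1) { print "expected one entry for " u ", found " n + 0; bad = 1 }
            else {
                if (uid < floor) { print u ": uid " uid " is below the floor"; bad = 1 }
                if (seen[uid] > 1) { print u ": uid " uid " is shared"; bad = 1 }
                if (home != "/mnt/home/" u) { print u ": home is " home; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample of getent passwd output: carol shares bob's UID and has
# the wrong home directory, so both of them should fail verification.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000000:100:Alice:/mnt/home/alice:/bin/sh
bob:x:1000001:100:Bob:/mnt/home/bob:/bin/bash
carol:x:1000001:100:Carol:/home/carol:/bin/sh
dave:x:1000003:100:Dave:/mnt/home/dave:/bin/sh'

printf '%s\n' "$SAMPLE_PASSWD" | next_free_uid            # 1000002
printf '%s\n' "$SAMPLE_PASSWD" | verify_user_entry alice  # passes silently
```

Note that next_free_uid returns the lowest gap (1000002 here), not one past the highest UID, so a UID freed by a deleted account would be reused.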
...delete a user?
First off, this usually doesn't need to be done. Nonetheless, these instructions are included for completeness.
- First, login to PLA: navigate to phpLDAPAdmin on Talos (alt link), accept any certificate, click "Login" on the left, and enter the full DN of your account (for example, cn=lannonbr,ou=users,dc=cslabs,dc=clarkson,dc=edu) as the username, as well as your password.
- In the left pane, navigate to ou=users,dc=cslabs,dc=clarkson,dc=edu.
- Select the user you'd like to delete under this OU.
- In the right pane, click Delete this entry. If you are satisfied, confirm this action. This cannot be undone.
- Then, login to kadmin: on any enrolled machine, run kadmin (kadmin -p username/admin), where username/admin is your administrative Kerberos principal. Additionally, on Talos, you can use kadmin.local as root.
- Issue delprinc username.
- For administrative users, also issue delprinc username/admin.
You should stop here. However, if data loss is of little concern to you (which is wrong and I have strong words to the contrary if you fite me irl), you can also login to Metapod and rm -rf /storage/home/username as root.
...enroll a Debian machine in central authentication?
This section is under construction!
For now, refer to the bottom of the great Talos book. The headings there practically enumerate the list that will go here, anyway.
Change a motherf***ing password?
Nag Graham.