This page serves as a quick but complete reference for various infrastructure-related tasks.
- 1 Emergency operations: I NEED to...
- 2 Operations: How do I...
- 2.1 ...list users?
- 2.2 ...create a new user?
- 2.3 ...delete a user?
- 2.4 ...enroll a Debian machine in central authentication?
- 2.5 Change a motherf***ing password?
Emergency operations: I NEED to...
Operations: How do I...
...list users?
Method 1 (LDAP information, users on enrolled machines)
On any machine, run
getent passwd and view the entries with a UID (third field) >= 1000000 (1 million).
Method 2 (LDAP information, raw query)
On any machine with the OpenLDAP client binaries, run
ldapsearch -H ldap://talos.cslabs.clarkson.edu/ -D "" -b ou=users,dc=cslabs,dc=clarkson,dc=edu and try to grok the resulting LDIF.
Method 3 (Kerberos
...create a new user?
- Expand dc=cslabs,dc=clarkson,dc=edu, then expand ou=users.
- Click Create new entry here immediately under ou=users.
- In the right pane, select Generic: User Account.
- Enter relevant account information, setting the following attributes. (This is going to be a little challenging, because some of the fields automatically populate from other fields. Check your work before saving it.)
- User ID must be a valid Unix username. cn is traditionally set to the same value. (These fields like to populate from name, so change them after name.)
- GID number should almost always be users (it's actually a drop-down).
- Home directory should be
/mnt/home/username. This will be set up momentarily.
- Login shell can be left up to preference of users, but should be set to
/bin/sh for maintainers and administrators to avoid being refused a session on a machine that doesn't have a certain shell.
- The UID Number cannot be changed here. It will be done after saving.
- Double-check the fields while you're here; if you need to change anything, do so, click Update Object, and click through the confirmation.
- Have the user type their password in the password field; make sure to set the hash method to ssha (or something stronger than MD5). Update Object, click through to confirm.
- If the user is to be a member of other groups, enter the ou=groups unit in the left pane and select the relevant groups. From the right pane, you may select modify group members under the memberUID field. After you're done modifying the members, remember to click through the confirmation.
addprinc username. Have the user enter their password, which should, for ease of use, be the same as the LDAP password.
- For administrators, also run
addprinc username/admin for an administrative principal (one to use with
kadmin etc.). This should not be the same password.
- Finally, log in to Metapod
- cd to
mkdir username. Then,
chown username:username username
That should be it!
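After creating an account, the conventions above (LDAP UIDs of 1000000 and up, a valid Unix username, a home directory of /mnt/home/username) can be checked against getent passwd output. The script below is an added example, not part of the original page or of the lab's own tooling; the function names, status labels, username pattern, duplicate-UID check and sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit centrally managed accounts in passwd(5) format.
# Real use on an enrolled machine:  getent passwd | audit_ldap_users

LDAP_UID_MIN=1000000   # from the page: LDAP users have UID >= 1000000
HOME_PREFIX=/mnt/home  # from the page: home directory is /mnt/home/username

# Prints "STATUS<TAB>user<TAB>uid<TAB>home" for every LDAP-range account.
# The name pattern and the duplicate-UID check are assumptions of this example.
audit_ldap_users() {
    awk -F: -v min="$LDAP_UID_MIN" -v prefix="$HOME_PREFIX" '
        NF < 7 || $3 !~ /^[0-9]+$/ { next }   # skip malformed lines
        $3 + 0 < min + 0 { next }             # local or system account
        {
            n++
            name[n] = $1; uid[n] = $3; home[n] = $6
            seen[$3]++                        # count accounts per UID
        }
        END {
            for (i = 1; i <= n; i++) {
                status = "OK"
                if (name[i] !~ /^[a-z_][a-z0-9_-]*$/)     status = "BAD_NAME"
                else if (seen[uid[i]] > 1)                status = "DUP_UID"
                else if (home[i] != (prefix "/" name[i])) status = "BAD_HOME"
                printf "%s\t%s\t%s\t%s\n", status, name[i], uid[i], home[i]
            }
        }'
}

# Constructed sample data, not real accounts.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000001:100:Alice Example:/mnt/home/alice:/bin/sh
bob:x:1000002:100:Bob Example:/home/bob:/bin/bash
carol:x:1000003:100:Carol Example:/mnt/home/carol:/bin/zsh
dave:x:1000003:100:Dave Example:/mnt/home/dave:/bin/sh
EOF
}

sample_passwd | audit_ldap_users
```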
...delete a user?
First off, this usually doesn't need to be done. Nonetheless, these instructions are included for completeness.
- In the left pane, navigate to ou=users,dc=cslabs,dc=clarkson,dc=edu.
- Select the user you'd like to delete under this OU.
- In the right pane, click Delete this entry. If you are satisfied, confirm this action. This cannot be undone.
- For administrative users, also issue
You should stop here. However, if data loss is of little concern to you (which is wrong and I have strong words to the contrary if you fite me irl), you can also log in to Metapod and
rm -rf /storage/home/username as root.
...enroll a Debian machine in central authentication?
Change a motherf***ing password?