This page serves as a quick but complete reference for various infrastructure-related tasks.
- 1 Emergency operations: I NEED to...
- 2 Operations: How do I...
- 2.1 ...list users?
- 2.2 ...create a new user?
- 2.3 ...change my password?
- 2.4 ...change a password?
- 2.5 ...change group memberships?
- 2.6 ...delete a user?
- 2.7 ...enroll a Debian machine in central authentication?
Emergency operations: I NEED to...
...disconnect the Internet.
Operations: How do I...
...list users?
Method 1 (LDAP information, users on enrolled machines)
On any machine, run getent passwd and view the entries with a UID (third field) >= 1000000 (1 million).
Method 2 (LDAP information, raw query)
On any machine with the OpenLDAP client binaries, run ldapsearch -H ldap://talos.cslabs.clarkson.edu/ -D "" -b ou=users,dc=cslabs,dc=clarkson,dc=edu and try to grok the resulting LDIF.
Method 3 (Kerberos
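The UID threshold above also gives a quick local-account audit: anything with a UID below 1,000,000 that still has an interactive shell was created outside central authentication. The following is an added example, not from this wiki; it works on passwd-format lines (the constructed SAMPLE_PASSWD stands in for real getent passwd output) and treats UIDs below 1000 as system accounts, which is an assumption about the Debian defaults.

```shell
#!/bin/sh
# Added example (not the wiki's own code): separate centrally managed accounts
# from local ones in passwd-format data, using the page's UID threshold.
LDAP_UID_MIN=1000000   # from the page: LDAP users have UID >= 1,000,000
SYSTEM_UID_MAX=999     # assumption: Debian system accounts live below 1000

# Constructed sample input standing in for the output of `getent passwd`.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000001:100:Alice:/mnt/home/alice:/bin/bash
bob:x:1000002:100:Bob:/mnt/home/bob:/bin/sh'

# Print the username of every entry whose UID is at or above the LDAP threshold.
ldap_users() {
    awk -F: -v min="$LDAP_UID_MIN" '$3 >= min { print $1 }'
}

# Print local, non-system accounts that still have an interactive shell; these
# bypass central authentication and deserve a second look on an enrolled host.
local_interactive_accounts() {
    awk -F: -v min="$LDAP_UID_MIN" -v sysmax="$SYSTEM_UID_MAX" '
        $3 > sysmax && $3 < min && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Demonstration on the constructed sample; on an enrolled machine pipe
# `getent passwd` into the same functions instead.
echo "LDAP users:";           printf '%s\n' "$SAMPLE_PASSWD" | ldap_users
echo "Local interactive:";    printf '%s\n' "$SAMPLE_PASSWD" | local_interactive_accounts
```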
...create a new user?
- Expand dc=cslabs,dc=clarkson,dc=edu, then expand ou=users.
- Click Create new entry here immediately under ou=users.
- In the right pane, select Generic: User Account.
- Enter relevant account information, setting the following attributes. (This is going to be a little challenging, because some of the fields automatically populate from other fields. Check your work before saving it.)
- User ID must be a valid Unix username. cn is traditionally set to the same value. (These fields like to populate from name, so change them after name.)
- GID number should almost always be users (it's actually a drop-down).
- Home directory should be /mnt/home/username. This will be set up momentarily.
- Login shell can be left to the preference of the user, but should be set to /bin/sh for maintainers and administrators to avoid being refused a session on a machine that doesn't have a certain shell.
- The UID Number cannot be changed here. It will be done after saving.
- Double-check the fields while you're here; if you need to change anything, do so, click Update Object, and click through the confirmation.
- Have the user type their password in the password field; make sure to set the hash method to ssha (or something stronger than MD5). Click Update Object and click through to confirm.
- If the user is to be a member of other groups, enter the ou=groups unit in the left pane and select the relevant groups. From the right pane, you may select modify group members under the memberUID field. After you're done modifying the members, remember to click through the confirmation.
addprinc username. Have the user enter their password, which should, for ease of use, be the same as the LDAP password.
- For administrators, also run addprinc username/admin for an administrative principal (one to use with kadmin etc.). This should not be the same password.
- Finally, log in to Bacon.
- cd to
- mkdir username. Then, chown username:users username.
That should be it!
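The steps above are done by hand in the web interface and kadmin. As an added example (not the wiki's own code, and not what its form literally submits), here is a scripted equivalent of the LDAP and home-directory parts: it validates the username, emits an LDIF entry with the attributes the page lists, refuses a cleartext password, and creates the home directory with the ownership the page specifies plus a 700 mode. The object classes (inetOrgPerson plus posixAccount), the numeric gid of "users" (100, Debian's default) and the home directory base are assumptions; the Kerberos principals are still created with addprinc as described.

```shell
#!/bin/sh
# Added example (not the wiki's own code): non-interactive account creation.

USERS_GID=100                                   # assumption: Debian's default gid for "users"
BASE_DN='ou=users,dc=cslabs,dc=clarkson,dc=edu' # from the page

# A username must be a plain lowercase Unix name: no spaces, shell
# metacharacters or LDIF-significant characters, at most 32 characters.
validate_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Reject a name that already resolves (locally, or via LDAP on an enrolled host).
username_is_free() {
    ! getent passwd "$1" >/dev/null 2>&1
}

# Emit the LDIF for a new entry. $4 must already be hashed, e.g. the output of
# slappasswd -h '{SSHA}' ; a value without a {SCHEME} prefix is refused so the
# clear text never lands in the directory.
user_ldif() {
    name=$1; uidnum=$2; surname=$3; hashed=$4
    validate_username "$name" || { echo "invalid username: $name" >&2; return 1; }
    case "$hashed" in
        "{"*"}"*) ;;
        *) echo "refusing unhashed password for $name" >&2; return 1 ;;
    esac
    printf 'dn: cn=%s,%s\n' "$name" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'cn: %s\nuid: %s\nsn: %s\n' "$name" "$name" "$surname"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidnum" "$USERS_GID"
    printf 'homeDirectory: /mnt/home/%s\nloginShell: /bin/sh\n' "$name"
    printf 'userPassword: %s\n' "$hashed"
}

# Create BASE/NAME owned by OWNER:GROUP (defaults NAME:users, as on the page)
# with mode 700, so other users of the shared storage cannot read it.
create_home() {
    base=$1; name=$2; owner=${3:-$2}; group=${4:-users}
    validate_username "$name" || return 1
    if [ -e "$base/$name" ]; then
        echo "$base/$name already exists" >&2; return 1
    fi
    mkdir "$base/$name" && chmod 700 "$base/$name" && chown "$owner:$group" "$base/$name"
}

# Usage: print the LDIF for review, then pipe it to ldapadd; afterwards, on
# Bacon, run create_home against the exported home base as root:
#   user_ldif alice 1000001 Example "$(slappasswd -h '{SSHA}')" | ldapadd -x -D cn=admin,... -W
#   create_home /storage/home alice
user_ldif alice 1000001 Example '{SSHA}placeholder-hash-for-demo'
```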
...change my password?
- If you are not on an enrolled machine, log in to one; for example, you may ssh into Phoenix or another reachable host.
passwd in the terminal of any enrolled machine.
- Enter the current and new passwords for each password you want to change. It is recommended that you keep the Kerberos and LDAP passwords the same. With rare exceptions, you should ignore the UNIX password.
Method 2: Application-specific interfaces
- Expand ou=users,dc=cslabs,dc=clarkson,dc=edu in the left pane, and find your DN (cn=<your username>).
- Enter your new password in the password pane; ensure that the dropdown next to the field is still ssha or similarly secure (not "clear").
- Click Update Object, then confirm the changes on the next screen.
- Then, get to a terminal on an enrolled machine (you may log in to a lab machine or ssh into Phoenix, for example).
kpasswd and follow the prompts.
...change a password?
This is very similar to the above--you'll need to do this in two places, again, sorry.
- (For setting only the password of an administrative principal, skip to the KAdmin section, below.)
- Expand ou=users,dc=cslabs,dc=clarkson,dc=edu in the left pane, and find the user.
- Instruct the user to enter their password in the two password fields (warning: the tab order is wrong; from the keyboard, you need to enter password<Tab><Tab>password).
- Ensure the hash (the dropdown to the right) is still ssha or similarly secure (not "clear").
- Click Update Object, then confirm the changes.
cpw username, and instruct the user to enter their password at the prompt. This should generally be the same as the LDAP password.
- For administrative principals, also issue cpw username/admin and do the same. This should not be the same as the LDAP password.
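Both password procedures above hinge on the hash dropdown still reading ssha rather than "clear". The following added example (not from this wiki) audits that after the fact: fed the LDIF from the ldapsearch command quoted under "...list users?" (run with a bind DN allowed to read userPassword), it reports the hash scheme of every entry and lists the ones stored in the clear or with MD5. The SAMPLE_LDIF is constructed; the acceptable-scheme list is an assumption ({SSHA} as the page requires, plus the salted SHA-2 variants OpenLDAP offers).

```shell
#!/bin/sh
# Added example (not the wiki's own code): audit userPassword hash schemes in an LDIF dump.

# Schemes treated as acceptable (assumption).
STRONG_SCHEMES='SSHA SSHA256 SSHA512'

# Constructed sample. ldapsearch base64-encodes userPassword ("::") because its
# syntax is octetString; a hand-written LDIF may carry the value in plain form (":").
SAMPLE_LDIF='dn: cn=alice,ou=users,dc=cslabs,dc=clarkson,dc=edu
uid: alice
userPassword:: e1NTSEF9eHl6

dn: cn=bob,ou=users,dc=cslabs,dc=clarkson,dc=edu
uid: bob
userPassword:: aHVudGVyMg==

dn: cn=carol,ou=users,dc=cslabs,dc=clarkson,dc=edu
uid: carol
userPassword: {MD5}abc'

# Extract the {SCHEME} prefix of a stored value; no prefix means cleartext.
scheme_of() {
    case "$1" in
        "{"*"}"*) printf '%s\n' "$1" | sed 's/^{\([^}]*\)}.*/\1/' ;;
        *)        printf 'CLEAR\n' ;;
    esac
}

# Read LDIF on stdin; print "dn<TAB>scheme" for every entry with a userPassword.
password_schemes() {
    dn=''
    while IFS= read -r line; do
        case "$line" in
            "dn: "*)            dn=${line#dn: } ;;
            "userPassword:: "*) value=$(printf '%s' "${line#userPassword:: }" | base64 -d)
                                printf '%s\t%s\n' "$dn" "$(scheme_of "$value")" ;;
            "userPassword: "*)  printf '%s\t%s\n' "$dn" "$(scheme_of "${line#userPassword: }")" ;;
        esac
    done
}

# Read LDIF on stdin; print "dn (scheme)" for entries not using a strong scheme.
weak_password_entries() {
    tab=$(printf '\t')
    password_schemes | while IFS="$tab" read -r dn scheme; do
        ok=0
        for s in $STRONG_SCHEMES; do
            [ "$s" = "$scheme" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s (%s)\n' "$dn" "$scheme"
        fi
    done
}

# Demonstration on the constructed sample; in practice pipe the ldapsearch
# output in instead:  ldapsearch ... | weak_password_entries
printf '%s\n' "$SAMPLE_LDIF" | weak_password_entries
```

Entries reported here should have their password reset through the procedure above with the hash set back to ssha; the audit only reads the directory and changes nothing.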
...change group memberships?
- Enter the groups OU, ou=groups,dc=cslabs,dc=clarkson,dc=edu, in the left pane.
- Select any one of the groups of which you'd like to modify memberships.
- Under the memberUid field, click modify group memberships.
- Add or remove users as you see fit.
- Click Update Object, and click through the confirmation page.
Changes take effect immediately upon the next logins of the modified users, though the caches may occasionally disagree for a few minutes. If any of the hosts aren't showing updates, wait a few minutes or run nscd -i group (nscd -I group on Bacon).
...delete a user?
First off, this usually doesn't need to be done. Nonetheless, these instructions are included for completeness.
- In the left pane, navigate to ou=users,dc=cslabs,dc=clarkson,dc=edu.
- Select the user you'd like to delete under this OU.
- In the right pane, click Delete this entry. If you are satisfied, confirm this action. This cannot be undone.
- For administrative users, also issue
You should stop here. However, if data loss is of little concern to you (which is wrong, and I have strong words to the contrary if you fite me irl), you can also log in to Bacon and rm -rf /storage/home/username as root.