Users

Adding Users - Debian

There are 2 ways to add a user: useradd, and adduser. With the first, you specify the username and all the settings on the command-line. The second walks you through the process, asking you all the necessary questions.

For useradd, a command similar to the following should be used:

useradd -m -u 10999 -g useracct -G bronze -s /bin/bash -c 'John Doe' johndoe

To keep uids synched between the 2 (and possibly 4) systems, you must manually inspect /etc/passwd on each system to find the next available UID common to all systems. Then use this command to add the user on each Linux system. Add users to all systems at the same time since it is easy to forget to do this later. Use the same shell and shell path on all systems. Use the same UID, GID, secondary groups, GECOS (-c) information, etc. All UID and GID numbers for accounts created must be over 10000 to avoid conflict with any predefined UID/GID numbers on future systems. Don't use group "users" since the GID changes from system to system, use "useracct". Group numbers not related to individual accounts should be in the range 11000 to 11999.

Conflicts and inconsistencies as of July 2006:

  • Several temporary installation accounts have different UID and GID between bud and budlight.
  • The same UID/GID is used for different temporary installation accounts between the systems.
  • Account majordomo is only defined on bud.

Groups - Debian

These groups seem to be important in Debian:

GroupFunction
wheelWe've got it set up so these folks can sudo without a root password.
sudoI believe users in this group get automatic sudo access; we're using wheel instead.
dialoutUsers who can access the modem.
cdromUsers who can access a CD-ROM disc.
floppyUsers who can access the floppy drive.
audioUsers who can access the audio devices.
videoUsers who can access the video devices.
plugdev
diskUsers who can access the raw disk partitions. (Dangerous!)
backup
operator
list
www-dataThis is the user/group that Apache runs as; anything Apache uses has to be accessible by this user or group.

In addition, we've defined these groups (mainly grabbed from Michelob's /etc/group file):

GroupGIDFunction
wheelWe've got it set up so these folks can sudo without a root password.
usersDefault group that all users should belong to.
newslettNot sure if it's used; only member is editor.
steercomAd-hoc list of Steering Committee attendees, who can access steercom directory on Michelob.
webheadUsers who have write access to our web sites.
majordomUsed for mailing list management; lists account is included.
useracct11025Accounts for real live users, as opposed to system accounts, shared accounts, etc.
platinum11111Members who have paid for the Platinum membership level.
gold11112Members who have paid for the Gold membership level.
silver11113Members who have paid for the Silver membership level.
bronze11114Members who have paid for the Bronze membership level.

TODO: Create groups for:

  • users who have paid up for the current year (paid2006, etc.)
    • Since we're now renewing memberships year-round, this no longer makes sense.
    • We should probably have accounts expire when the renewal is due.
      • We should have the passwords expire every 90 days, at the least.
        • Although we need to allow users to change their passwords on Bud before we do that.
  • voting members, as defined by our articles of incorporation / by-laws
    • Doesn't make sense, since that's not used for anything except voting, and changes every year.
  • officers
  • board members
  • "administrative" accounts, which are accounts used for SLUUG business, not individual use

Adding Groups - Debian

As with users, there are 2 ways to add a group: groupadd, and addgroup.

groupadd -g gid groupname

TODO: Adding users to groups.

Administrators

TODO: Adding sudoers. What groups should administrators be in? So far, it looks like wheel will suffice.

Using a User Account

TODO: Add info about how they can change their settings. Especially things like chfn, chsh, .forward, .profile, .bashrc, passwd, etc.

This should go on a user documentation page, not a "build" page.

Migrating User Accounts

Problem areas:

How can we migrate accounts from michelob and dark with the least hassle? User UIDs on our AIX systems start at 500. (Although there are a few in the 100 range.) On Debian, they start at 1000.

Conflicting groups (None are standard AIX, they are SLUUG specific):

  • Serious problems:
    • users On SLUUG AIX is 25 - On debian is 100 while GID 25 is "floppy".
  • Minor problems:
    • nobody On AIX is GID 4294967294 - On debian it doesn't exist, but has "nogroup" at 65534". Other distros use 99 or 65533 for group "nobody". Some systems have "nogroup" or "nfsnobody" at GID 65534.
    • steercom On SLUUG AIX is 35 - On Debian 35 is unused.
    • webhead On SLUUG AIX is 80 - On Debian 80 is unused.
    • motd On SLUUG AIX is 29 - On debian there is no motd group and GID 29 is used for "audio".
    • newslett On SLUUG AIX is 30 - On debian GID 30 is "dip".

Possible user conflicts:

  • "lists" on AIX at UID 668 - On debian "list" is UID 38.
  • "webhead" on AIX at UID 600, GID 80 - On debian "www-data" is UID and GID 33.
    • The home directory for www-data (/var/www) is not being used for the SLUUG web site, on bud it is being put in /home/web.

What to change as preparation for the move:

Group/GID changes on old systems:

  • Change group "steercom" from GID 35 to 11035, including files owned by it.
  • Change group "users" from GID 25 to 11025, including files owned by it.
    • Includes changing GID of all users in 25 to 11025.
    • Or change all individual users to their own group?
  • Create new group "useracct" at GID 11025, after "users" in the file.
  • Create new group "users25" at GID 25 for reference, no members.

User/UID changes on old systems:

  • Move all passwords to shadow file.
  • Renumber 7 existing accounts with a UID in the 100-299 range, including files owned by them.

Software preparation on new systems:

  • Install ksh93, tcsh, and csh using the procedure on the misc page.
  • Also install rsync for cross-system backups. Documented on the misc page.

Group/GID changes on new systems:

  • Create new group "nobody4g" at GID 4294967294.
    • Or create new group "nobody64k" at GID 65533 and new group "nobody4g" at GID 4294967294.
  • Create new group "steercom" at GID 11035.
  • Create new group "useracct" at GID 11025, before "users".
  • Change GID of existing group "users" to 11025.
groupadd -g 4294967294 nobody4g
groupadd -g      65533 nobody64k
groupadd -g      11035 steercom 
groupadd -g      11025 useracct
groupmod -g      11025 -o users 
Edit /etc/group and /etc/gshadow.  Move "useracct" just before "users".

When tried 01/30/08 on the reloaded systems, unable to add the group with GID 4294967294 because the groupadd command failed with error message "invalid numeric argument '4294967294'". This worked before the systems were reloaded.

User/UID changes on new systems:

  • Rename 6 installation accounts with the same name as an existing user account. Do not change UID or GID number. For the reloaded systems, there are different accounts on each system, and the decision was to not rename them, but to not copy them from michelob and change the UID of the existing accounts. So this step was not done on the reloaded systems.
  - Repeat for each account:
        acct=____
        usermod  -l ${acct}inst -d /home/${acct}inst ${acct}
        groupmod -n ${acct}inst                      ${acct}
        mv           /home/${acct}           /home/${acct}inst
      + Cron and at jobs
        ls -lR /var/spool/cron/ | grep ${acct}
        mv /var/spool/cron/crontabs/${acct} /var/spool/cron/crontabs/${acct}inst
      + Mail spool (Taken care of by usermod)
        ls -l /var/mail | grep ${acct}
        mv /var/mail/${acct} /var/mail/${acct}inst
        chown   ${acct}inst  /var/mail/${acct}inst
      + Misc
        grep ${acct} /etc/aliases
        grep ${acct} /etc/group  # Taken care of by usermod
        grep ${acct} /etc/sudoers
        ps -ef | grep ${acct} | egrep -v 'ps|grep'
      + Mailing lists
          = Not installed yet.
      + Personal web pages
          = Not installed yet.
  - Edit /etc/group and:
      + Make a backup first (or already done above).
      + For the wheel group, duplicate each account being renamed
        with the old and new name.
      + Also add one account to the wheel group on budlight that is
        listed on bud, but not budlight.
      + Put them in the same order on both systems for comparison.
      + For other groups, such as lugs, remove the "inst" from the accounts.

Do the migration:

Migration actions:

  • Extract information from normal and shadow passwd files on michelob.
        work_base="/home/yourself/xfer/user_mig"        # On michelob/dark
        pgm_base="${work_base}"                         # On michelob/dark
        in_data_dir="${work_base}/`hostname`"           # On michelob/dark
        out_data_dir="${in_data_dir}"                   # Kludge
        mkdir "${in_data_dir}" "${in_data_dir}/security" "${out_data_dir}"
        cp -p /etc/passwd          "${in_data_dir}"/passwd
        cp -p /etc/security/passwd "${in_data_dir}"/security/passwd
        chown -R yourself "${in_data_dir}"
  • Filter and translate to Debian format.
        "${pgm_base}"/odm-comb.pl \
            < "${in_data_dir}"/security/passwd \
            > "${out_data_dir}"/security-passwd-comb
        "${pgm_base}"/filter_passwd.pl \
            2>&1 | tee "${work_base}"/filter_passwd.log

The code is documented on filter_passwd.pl and odm-comb.pl.

  • Add to normal and shadow passwd files on bud and budlight.
# - Upload to /home/yourselfinst/xlated on each system:
      + The three generated files in the xlated directory.
      + make_home_dir (Put in xlated directory).
# - Make backups of passwd and shadow ....
        stamp=`date '+%y%m%d-%H%M'`
        backup_dir="/home/yourselfinst/user_mig-backup-$stamp"
        mkdir      "${backup_dir}"
        chmod  700 "${backup_dir}"
        cp -p /etc/passwd /etc/shadow /etc/group /etc/gshadow "${backup_dir}"
# - Add to normal and shadow passwd files on bud and budlight.
        export work_base="/home/yourselfinst/xlated"              # On bud/budlight
        cd ${work_base}
        cat passwd-additions >> /etc/passwd
        cat shadow-additions >> /etc/shadow
  • Create empty home directories for each account.
        sh home_dir-additions \
        2>&1 | tee "${work_base}"/home_dir-additions.log
  • Inform users of status.

Do not migrate:

  • Any account that has been terminated (the name starts with "LCK").
  • Any account that doesn't have "users" as the primary group.

Special accounts not done during move of general users:

  • archive - Majordomo List Archive. TBD.
  • webhead - WWW Server Master. TBD.
  • spamd - SpamAssassin and MailScanner Daemon. TBD.
  • majordom - Majordomo daemon. An account called majordomo at UID 1008 was already created.
  • postgres - Postgres Daemon. Never put in production, ignore.
  • sshd - Secure Shell Daemon. Use default account from Debian installation.
  • smmsp - Sendmail Message Submission Program. Not using sendmail, ignore.

Accounts and groups will be taken from michelob since it is the primary user system, though the main difference between michelob and dark is some user passwords and minor details. The same user accounts are on both.

Solaris

Adding a new user

Coordinate account name, UID, GID, etc. with other systems as detailed above in Adding Users.

Create the personal group if that is being used. For that, the GID is the same as the UID.

groupadd \
    -g GID \
    ACCOUNT_NAME

Create the account.

useradd \
    -u UID \
    -g GID \
    -c "GECOS USER NAME" \
    -s /PATH/TO/SHELL \
    -d /export/home/ACCOUNT_NAME \
    -m \
    ACCOUNT_NAME

Make the home directory accessible only by the user.

chmod go= /export/home/ACCOUNT_NAME

Set the initial password, force a password change at the next login, check status.

passwd    ACCOUNT_NAME
passwd -f ACCOUNT_NAME
passwd -s ACCOUNT_NAME

Other user maintenance

See the listusers, usermod, and userdel commands

 
build/users.txt · Last modified: 2010/09/23 18:07 by SLUUG Administration
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki