build:users
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
build:users [2006/07/26 13:24] 128.252.19.12 |
build:users [2010/09/23 18:07] (current) SLUUG Administration |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| - | + | ===== Adding Users - Debian ===== | |
| - | + | ||
| - | ===== Adding Users ===== | + | |
| There are 2 ways to add a user: ''useradd'', and ''adduser''. With the first, you specify the username and all the settings on the command-line. The second walks you through the process, asking you all the necessary questions. | There are 2 ways to add a user: ''useradd'', and ''adduser''. With the first, you specify the username and all the settings on the command-line. The second walks you through the process, asking you all the necessary questions. | ||
| Line 10: | Line 8: | ||
| For ''useradd'', a command similar to the following should be used: | For ''useradd'', a command similar to the following should be used: | ||
| <code rootshell> | <code rootshell> | ||
| - | useradd -m -u 10999 -g sluugusr -c 'John Doe' johndoe | + | useradd -m -u 10999 -g useracct -G bronze -s /bin/bash -c 'John Doe' johndoe |
| </code> | </code> | ||
| - | To keep uids synched between the 2 (and possibly 4) systems, you must manually inspect /etc/passwd on each system to find the next available UID common to all systems. Then use this on the command to add the user on each system. Add users to all systems at the same time since it is easy to forget to do this later. All UID and GID numbers for accounts created must be over 10000 to avoid conflict with any predefined UID/GID numbers on future systems. Don't use group "users" since the GID changes from system to system. | + | To keep uids synched between the 2 (and possibly 4) systems, you must manually inspect /etc/passwd on each system to find the next available UID common to all systems. Then use this command to add the user on each Linux system. Add users to all systems at the same time since it is easy to forget to do this later. Use the same shell and shell path on all systems. Use the same UID, GID, secondary groups, GECOS (-c) information, etc. All UID and GID numbers for accounts created must be over 10000 to avoid conflict with any predefined UID/GID numbers on future systems. Don't use group "users" since the GID changes from system to system, use "useracct". Group numbers not related to individual accounts should be in the range 11000 to 11999. |
| Conflicts and inconsistencies as of July 2006: | Conflicts and inconsistencies as of July 2006: | ||
| Line 20: | Line 18: | ||
| * Account majordomo is only defined on bud. | * Account majordomo is only defined on bud. | ||
| - | TODO: Default groups. | + | ===== Groups - Debian ===== |
| - | + | ||
| - | + | ||
| - | ===== Groups ===== | + | |
| These groups seem to be important in Debian: | These groups seem to be important in Debian: | ||
| Line 44: | Line 39: | ||
| In addition, we've defined these groups (mainly grabbed from Michelob's /etc/group file): | In addition, we've defined these groups (mainly grabbed from Michelob's /etc/group file): | ||
| - | ^Group^Function| | + | ^Group^GID^Function| |
| - | |wheel|We've got it set up so these folks can sudo without a root password.| | + | |wheel||We've got it set up so these folks can sudo without a root password.| |
| - | |users|Default group that all users should belong to.| | + | |users||Default group that all users should belong to.| |
| - | |newslett|Not sure if it's used; only member is editor.| | + | |newslett||Not sure if it's used; only member is editor.| |
| - | |steercom|Ad-hoc list of Steering Committee attendees, who can access steercom directory on Michelob.| | + | |steercom||Ad-hoc list of Steering Committee attendees, who can access steercom directory on Michelob.| |
| - | |webhead|Users who have write access to our web sites.| | + | |webhead||Users who have write access to our web sites.| |
| - | |majordom|Used for mailing list management; ''lists'' account is included.| | + | |majordom||Used for mailing list management; ''lists'' account is included.| |
| + | |useracct|11025|Accounts for real live users, as opposed to system accounts, shared accounts, etc.| | ||
| + | |platinum|11111|Members who have paid for the Platinum membership level.| | ||
| + | |gold|11112|Members who have paid for the Gold membership level.| | ||
| + | |silver|11113|Members who have paid for the Silver membership level.| | ||
| + | |bronze|11114|Members who have paid for the Bronze membership level.| | ||
| TODO: Create groups for: | TODO: Create groups for: | ||
| - | * a group for each paid account level (eg. gold/silver) | ||
| * users who have paid up for the current year (paid2006, etc.) | * users who have paid up for the current year (paid2006, etc.) | ||
| + | * Since we're now renewing memberships year-round, this no longer makes sense. | ||
| + | * We should probably have accounts expire when the renewal is due. | ||
| + | * We should have the passwords expire every 90 days, at the least. | ||
| + | * Although we need to allow users to change their passwords on Bud before we do that. | ||
| * voting members, as defined by our articles of incorporation / by-laws | * voting members, as defined by our articles of incorporation / by-laws | ||
| + | * Doesn't make sense, since that's not used for anything except voting, and changes every year. | ||
| * officers | * officers | ||
| * board members | * board members | ||
| * "administrative" accounts, which are accounts used for SLUUG business, not individual use | * "administrative" accounts, which are accounts used for SLUUG business, not individual use | ||
| - | ===== Adding Groups ===== | + | ===== Adding Groups - Debian ===== |
| As with users, there are 2 ways to add a group: ''groupadd'', and ''addgroup''. | As with users, there are 2 ways to add a group: ''groupadd'', and ''addgroup''. | ||
| + | |||
| + | <code rootshell> | ||
| + | groupadd -g gid groupname | ||
| + | </code> | ||
| TODO: Adding users to groups. | TODO: Adding users to groups. | ||
| Line 69: | Line 77: | ||
| TODO: Adding sudoers. What groups should administrators be in? So far, it looks like ''wheel'' will suffice. | TODO: Adding sudoers. What groups should administrators be in? So far, it looks like ''wheel'' will suffice. | ||
| - | |||
| ===== Using a User Account ===== | ===== Using a User Account ===== | ||
| Line 75: | Line 82: | ||
| TODO: Add info about how they can change their settings. Especially things like chfn, chsh, .forward, .profile, .bashrc, passwd, etc. | TODO: Add info about how they can change their settings. Especially things like chfn, chsh, .forward, .profile, .bashrc, passwd, etc. | ||
| - | This should go on a a user documentation page, not a "build" page. | + | This should go on a [[../server_access|user documentation page]], not a "build" page. |
| ===== Migrating User Accounts ===== | ===== Migrating User Accounts ===== | ||
| Line 98: | Line 105: | ||
| * "webhead" on AIX at UID 600, GID 80 - On debian "www-data" is UID and GID 33. | * "webhead" on AIX at UID 600, GID 80 - On debian "www-data" is UID and GID 33. | ||
| * The home directory for www-data (/var/www) is not being used for the SLUUG web site, on bud it is being put in /home/web. | * The home directory for www-data (/var/www) is not being used for the SLUUG web site, on bud it is being put in /home/web. | ||
| - | |||
| ==== What to change as preparation for the move: ==== | ==== What to change as preparation for the move: ==== | ||
| === Group/GID changes on old systems: === | === Group/GID changes on old systems: === | ||
| - | * Change group "steercom" from GID 35 to 10035, including files owned by it. | + | * Change group "steercom" from GID 35 to 11035, including files owned by it. |
| - | * Change group "users" from GID 25 to 10025, including files owned by it. | + | * Change group "users" from GID 25 to 11025, including files owned by it. |
| - | * Includes changing GID of all users in 25 to 10025. | + | * Includes changing GID of all users in 25 to 11025. |
| * Or change all individual users to their own group? | * Or change all individual users to their own group? | ||
| - | * Create new group "sluugusr" at GID 10025, after "users" in the file. | + | * Create new group "useracct" at GID 11025, after "users" in the file. |
| * Create new group "users25" at GID 25 for reference, no members. | * Create new group "users25" at GID 25 for reference, no members. | ||
| Line 114: | Line 120: | ||
| * Renumber 7 existing accounts with a UID in the 100-299 range, including files owned by them. | * Renumber 7 existing accounts with a UID in the 100-299 range, including files owned by them. | ||
| - | === User/UID changes on new systems: === | + | === Software preparation on new systems: === |
| - | * Rename 6 installation accounts with the same name as an existing user account. Do not change UID or GID number. | + | * Install ksh93, tcsh, and csh using the procedure on the [[misc]] page. |
| + | |||
| + | * Also install rsync for cross-system backups. Documented on the [[misc]] page. | ||
| === Group/GID changes on new systems: === | === Group/GID changes on new systems: === | ||
| * Create new group "nobody4g" at GID 4294967294. | * Create new group "nobody4g" at GID 4294967294. | ||
| * Or create new group "nobody64k" at GID 65533 and new group "nobody4g" at GID 4294967294. | * Or create new group "nobody64k" at GID 65533 and new group "nobody4g" at GID 4294967294. | ||
| - | * Create new group "steercom" at GID 10035. | + | * Create new group "steercom" at GID 11035. |
| - | * Create new group "sluugusr" at GID 10025, before "users". | + | * Create new group "useracct" at GID 11025, before "users". |
| - | * Change GID of existing group "users" to 10025. | + | * Change GID of existing group "users" to 11025. |
| - | === Other premigration actions on bud and budlight: === | + | <code> |
| - | * Install ksh93 using aptget. Add sym links for path variations and add to /etc/shells. | + | groupadd -g 4294967294 nobody4g |
| - | * Also install rsync for cross-system backups. | + | groupadd -g 65533 nobody64k |
| + | groupadd -g 11035 steercom | ||
| + | groupadd -g 11025 useracct | ||
| + | groupmod -g 11025 -o users | ||
| + | Edit /etc/group and /etc/gshadow. Move "useracct" just before "users". | ||
| + | </code> | ||
| + | When tried 01/30/08 on the reloaded systems, unable to add the group with GID 4294967294 because the groupadd command failed with error message "invalid numeric argument '4294967294'". This worked before the systems were reloaded. | ||
| + | === User/UID changes on new systems: === | ||
| + | * Rename 6 installation accounts with the same name as an existing user account. Do not change UID or GID number. For the reloaded systems, there are different accounts on each system, and the decision was to not rename them, but to not copy them from michelob and change the UID of the existing accounts. So this step was not done on the reloaded systems. | ||
| + | <code> | ||
| + | - Repeat for each account: | ||
| + | acct=____ | ||
| + | usermod -l ${acct}inst -d /home/${acct}inst ${acct} | ||
| + | groupmod -n ${acct}inst ${acct} | ||
| + | mv /home/${acct} /home/${acct}inst | ||
| + | + Cron and at jobs | ||
| + | ls -lR /var/spool/cron/ | grep ${acct} | ||
| + | mv /var/spool/cron/crontabs/${acct} /var/spool/cron/crontabs/${acct}inst | ||
| + | + Mail spool (Taken care of by usermod) | ||
| + | ls -l /var/mail | grep ${acct} | ||
| + | mv /var/mail/${acct} /var/mail/${acct}inst | ||
| + | chown ${acct}inst /var/mail/${acct}inst | ||
| + | + Misc | ||
| + | grep ${acct} /etc/aliases | ||
| + | grep ${acct} /etc/group # Taken care of by usermod | ||
| + | grep ${acct} /etc/sudoers | ||
| + | ps -ef | grep ${acct} | egrep -v 'ps|grep' | ||
| + | + Mailing lists | ||
| + | = Not installed yet. | ||
| + | + Personal web pages | ||
| + | = Not installed yet. | ||
| + | - Edit /etc/group and: | ||
| + | + Make a backup first (or already done above). | ||
| + | + For the wheel group, duplicate each account being renamed | ||
| + | with the old and new name. | ||
| + | + Also add one account to the wheel group on budlight that is | ||
| + | listed on bud, but not budlight. | ||
| + | + Put them in the same order on both systems for comparison. | ||
| + | + For other groups, such as lugs, remove the "inst" from the accounts. | ||
| + | </code> | ||
| ==== Do the migration: ==== | ==== Do the migration: ==== | ||
| Line 133: | Line 180: | ||
| === Migration actions: === | === Migration actions: === | ||
| * Extract information from normal and shadow passwd files on michelob. | * Extract information from normal and shadow passwd files on michelob. | ||
| + | <code> | ||
| + | work_base="/home/yourself/xfer/user_mig" # On michelob/dark | ||
| + | pgm_base="${work_base}" # On michelob/dark | ||
| + | in_data_dir="${work_base}/`hostname`" # On michelob/dark | ||
| + | out_data_dir="${in_data_dir}" # Kludge | ||
| + | mkdir "${in_data_dir}" "${in_data_dir}/security" "${out_data_dir}" | ||
| + | cp -p /etc/passwd "${in_data_dir}"/passwd | ||
| + | cp -p /etc/security/passwd "${in_data_dir}"/security/passwd | ||
| + | chown -R yourself "${in_data_dir}" | ||
| + | </code> | ||
| * Filter and translate to Debian format. | * Filter and translate to Debian format. | ||
| + | <code> | ||
| + | "${pgm_base}"/odm-comb.pl \ | ||
| + | < "${in_data_dir}"/security/passwd \ | ||
| + | > "${out_data_dir}"/security-passwd-comb | ||
| + | "${pgm_base}"/filter_passwd.pl \ | ||
| + | 2>&1 | tee "${work_base}"/filter_passwd.log | ||
| + | </code> | ||
| + | The code is documented on [[filter_passwd.pl]] and [[odm-comb.pl]]. | ||
| * Add to normal and shadow passwd files on bud and budlight. | * Add to normal and shadow passwd files on bud and budlight. | ||
| + | <code> | ||
| + | # - Upload to /home/yourselfinst/xlated on each system: | ||
| + | + The three generated files in the xlated directory. | ||
| + | + make_home_dir (Put in xlated directory). | ||
| + | # - Make backups of passwd and shadow .... | ||
| + | stamp=`date '+%y%m%d-%H%M'` | ||
| + | backup_dir="/home/yourselfinst/user_mig-backup-$stamp" | ||
| + | mkdir "${backup_dir}" | ||
| + | chmod 700 "${backup_dir}" | ||
| + | cp -p /etc/passwd /etc/shadow /etc/group /etc/gshadow "${backup_dir}" | ||
| + | # - Add to normal and shadow passwd files on bud and budlight. | ||
| + | export work_base="/home/yourselfinst/xlated" # On bud/budlight | ||
| + | cd ${work_base} | ||
| + | cat passwd-additions >> /etc/passwd | ||
| + | cat shadow-additions >> /etc/shadow | ||
| + | </code> | ||
| * Create empty home directories for each account. | * Create empty home directories for each account. | ||
| + | <code> | ||
| + | sh home_dir-additions \ | ||
| + | 2>&1 | tee "${work_base}"/home_dir-additions.log | ||
| + | </code> | ||
| * Inform users of status. | * Inform users of status. | ||
| Line 152: | Line 237: | ||
| Accounts and groups will be taken from michelob since it is the primary user system, though the main difference between michelob and dark is some user passwords and minor details. The same user accounts are on both. | Accounts and groups will be taken from michelob since it is the primary user system, though the main difference between michelob and dark is some user passwords and minor details. The same user accounts are on both. | ||
| + | |||
| + | ====== Solaris ====== | ||
| + | |||
| + | ===== Adding a new user ===== | ||
| + | |||
| + | Coordinate account name, UID, GID, etc. with other systems as detailed [[#adding_users - debian|above in Adding Users]]. | ||
| + | |||
| + | Create the personal group if that is being used. For that, the GID is the same as the UID. | ||
| + | |||
| + | <code> | ||
| + | groupadd \ | ||
| + | -g GID \ | ||
| + | ACCOUNT_NAME | ||
| + | </code> | ||
| + | |||
| + | Create the account. | ||
| + | |||
| + | <code> | ||
| + | useradd \ | ||
| + | -u UID \ | ||
| + | -g GID \ | ||
| + | -c "GECOS USER NAME" \ | ||
| + | -s /PATH/TO/SHELL \ | ||
| + | -d /export/home/ACCOUNT_NAME \ | ||
| + | -m \ | ||
| + | ACCOUNT_NAME | ||
| + | </code> | ||
| + | |||
| + | Make the home directory accessible only by the user. | ||
| + | |||
| + | <code> | ||
| + | chmod go= /export/home/ACCOUNT_NAME | ||
| + | </code> | ||
| + | |||
| + | Set the initial password, force a password change at the next login, check status. | ||
| + | |||
| + | <code> | ||
| + | passwd ACCOUNT_NAME | ||
| + | passwd -f ACCOUNT_NAME | ||
| + | passwd -s ACCOUNT_NAME | ||
| + | </code> | ||
| + | |||
| + | ===== Other user maintenance ===== | ||
| + | |||
| + | See the ''listusers'', ''usermod'', and ''userdel'' commands | ||
build/users.1153938248.txt.gz · Last modified: 2006/08/14 13:04 (external edit)
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
