login hepcms-henrietta.umd.edu
edit newUser.ldif
change uid (first line) , cn, sn, uid, home directory, uidNumber (increase by 1 from the previous one) and email.
ldapadd -x -D "cn=admin,dc=privnet,dc=local" -W -f newUser.ldif
ldappasswd -H ldap://hepcms-henrietta.umd.edu -x -D "cn=admin,dc=privnet,dc=local" -W -S "uid=jmunshi,ou=people,dc=privnet,dc=local"
Only for CMS HEP (Sarah Eno, Andris Skuja, Alberto Belloni, Drew Baden), CMS Heavy Ion (Alice Mignerey's group), UMD theory (Raman Sundrum's group), and for Higgs Honors class taught by Shabnam Jabeen and Sarah Eno (those accounts for the duration of the class and not longer)
Can get special permission for CMS colleagues offsite, talk Alberto, but we prefer they use grid tools and not local accounts to access CMS shared files
If you have an email request that seems legitimate, it could still be a social hack, please confirm with a professor/graduate student/postdoc in the above groups as well as looking up that person on the UMD directory (note that occasionally postdocs are slow to show up in the directory)
The scripts to make new accounts are in /root/scripts_accounts/ on hepcms-hn.umd.edu
Add Users
Log into the head node (HN) (hepcms-hn.umd.edu)
User name must be all lowercase
Run the script MakeAccount.sh
cd scripts_accounts
./MakeAccount.sh [usernames] [password] # use "" with multiple names
Make the user and give them a first password(it can be anything, doesn't matter since they have to change it), and set them required to change it upon first login (if they are a theory user do -g theory):
Alternatively do step by step (for theory account use group "theory")
export FULLNAME=""FullName""
export USERNAME=username
useradd -s /bin/bash -g users -c "${FULLNAME}" ${USERNAME}
passwd ${USERNAME} # (may need it first time???)
chsh ${USERNAME} # /bin/bash (change default shell)
chage -d 0 ${USERNAME}
cd /var/yp; make
ypmatch ${USERNAME} passwd
chmod a+rx /home/${USERNAME} # give all people (group/others) search access
Anytime you make changes to the main NIS database of users (password, new users, etc.), update the maps:
cd /var/yp; make
ypmatch username passwd #Check is user entery is correct in database.
Make /data/users/ Directory
mkdir /data/users/${USERNAME}
chown ${USERNAME}:users /data/users/${USERNAME}
Only if requested, make an SE area in /hadoop (See below for instructions)
Document new user
document the new user in our .csv file (so they can get sysadmin emails) and generate text for a welcome email
The following script should now automatically run as part of /root/scripts_accounts/MakeAccount.sh
To write to file, ensure that you have entered No when asked to add a new user, and not aborting before that
Would you like to add a new user (Y/N)? N
The following users have been added:
xxxxx
Write new users to output file '/root/cronscripts/hepcms_Users.csv' (Y/N)? Y
<Writing to output file '/root/cronscripts/hepcms_Users.csv'>
Here is the manual command:
cd /root/scripts_accounts
python AddNewUser.py
group examples: "theory" "HIN" (heavy ion) "Fall2015" (Higgs class), the default is CMS HEP, so no group needs to be specified
Generate welcome email text you can COPY/PASTE into your mail program, see options here: python pyNewUserInstructions.py --help
Note that the python script may not be able to handle special characters in the password properly, so make sure it put information in correctly, use for instance: --passwd="Special&Pass"
As a side note you can see how this .csv file is used elsewhere: python SendMail.py --help, and python parseUsers.py --help
If you have an email request, ensure that this is a true request and not a hacked account or a social hack, try to make phone/voice contact with the user if possible
From ANY machine on the cluster as root (su -) or sudoers (sudo -i)
yppasswd username
chage -d 0 username
cd /var/yp; make
This should automatically update, if for some reason it doesn't, you can make changes on the head node as root, and update the NIS maps:
cd /var/yp; make
In case of error in changing password due to chfn:
You will get an error in the HN /var/log/messages like this:
ONLY for this problem, on the HN (as root su -), use system-config-users to edit the password by hand. Be very careful, a lot of account destruction can be done with this program
Then re-make the NIS database with this comment (on the HN as root su -):
cd /var/yp; make
How to remove a user:
Not yet documented, please consider data retention policies (my general guideline is once the proofs have been submitted to the journal and you've followed experimental guidelines in data retention, you can delete the files). Also consider sometimes users use things in other people's areas (like the geant files in /data/users/jtemple)
userdel -r username
cd /var/yp; make
For the following two areas which won't get automatically moved, please consider other users may share files made by one user in these areas. Additionally, there might be a PhEDEx registered dataset in a user's private hadoop SE area!
Don't forget that they will have an area in /data/users/username
They might also have an area in /mnt/hadoop/cms/user/username, and an associated grid/CERN certificate account
hepcm-hn: cd /var/yp; make
chown -R username: directoryName
cd /var/yp; make;
just to be sure everything’s in sync for NIS(edited) to make them properly owned
ypchsh
https://www.linux.com/learn/tutorials/306766:linux-101-introduction-to-sudo
Also (see sudoers here: https://sites.google.com/a/physics.umd.edu/tier-3-umd/commands)
On that specific node, as root ("su -" OR "sudo -i" ) add the user username to the "wheel" group.
usermod -aG wheel username (add to the group)
gpasswd -d username wheel (remove from the group)
Then on individual node where you want to give the user access use visudo to edit /etc/sudoers file (be very careful because you can mess up the system with changes in this file)
Make sure to use visudo, since it will check to make sure that the sudoers file is properly formatted.
visudo
find the following two lines
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL sudoers
move your curser on the # before %wheel and delete # by pressing x
Alternatively, you can press insert to go into editing mode, and use backspace to erase the #
save and exit by typing (esc can look up vi text editor commands if need be) :x
It should look like this now for that line: %wheel ALL=(ALL) ALL
make sure you are editing it as su - otherwise the changes do not save.
Exit out of root, and log in as your regular username (the one used with usermod -aG wheel username)
Test this (may not work right away -- see below)
groups
sudo su - It appears that command "sudo -i" works instead.
The command groups should show you being in the group users, and wheel
You will be warned, and you should now have root access *on that node only*. NIS doesn't sync sudo in the current setttings.
The command sudo tells unix to run a single command as root, in this case the su - will elevate you to root permanently, thus allowing you to enter in more commands as root
Enter in your user password, and you should see a # instead of $ indicating you are currently root
Note (6 Oct 2015): I wasn't able to get the su USERNAME - command to work, I successfully added "belt" to the wheel group on hepcms-in2, and successfully edited /etc/sudoers (with visudo) as root to have:
%wheel ALL=(ALL) ALL
And still sudo whoami doesn't work as belt on hepcms-in2. No idea why. (but it is apparently ok!)
http://linuxpoison.blogspot.com/2008/12/configuring-sudo-and-adding-users-to.html
Make a new user account, with HepcmsUsername_g in the (default) users group, it's not a standard login, so we make it with /bin/true
useradd -g users -c "HepcmsUsername grid user" -n HepcmsUsername_g -s /bin/true
Note that we prefer not to have usernames with capitalization, it's indicated in this section only for your readability
There's no password since it's not a login account, so we proceed to sync the NIS maps anyway
Anytime you make changes to the main NIS database of users (password, new users, etc.), update the maps:
cd /var/yp; make
Then make their area on hadoop, as root on any node (maybe ideally on hepcms-namenode? maybe should use hadoop dfs commands? don't know for sure, it worked like this)
cd /mnt/hadoop/cms/store/user
mkdir CERNUsername
chown HepcmsUsername_g:users CERNUsername
Get CERN DN for the user. You can either ask them to run the voms-proxy-info command and send you the output or get it directly from here:
edit /data/osg/scripts/grid-mapfile on any node where /data is mounted. This is the file with grid user mapping and is linked in every node as /etc/grid-security/grid-mapfile
7. Send the following information to the user:
Your storage space on the UMD HEP T3 SE has been created as /store/user/username
Files are written to this space primarily with CRAB jobs, for documentation, see:
https://twiki.cern.ch/twiki/bin/view/CMSPublic/SWGuideCrab
Ownership of these files is via a second user account linked to your grid certificate, so you will not be able to move, delete, or rename these files with your regular login, only through SE commands. This is the only difference you will see from a normal local filesystem. Some examples are given here:
https://sites.google.com/a/umdt3public/user-guide/file-transfer-from-to-the-cluster#TOC-T3_US_UMD-hadoop-examples:
If you have difficulty using this area, please contact the sysadmins.
Keep in mind that hadoop is internally replicated, so the disk space available is half of what is shown with "df -h". Additionally, one R510 node can store 12TB (after replication), so it is best to keep at least 24TB (before replication) free in case one node goes down to protect the data.
You are strongly encouraged to retain files of 1GB or larger for the health of the hadoop system.
For other information:
https://sites.google.com/a/umdt3public/user-guide
useradd -g users -c "CMS grid pool account" -s /bin/true -n uscms0410