Make User Accounts

New LDAP account

login  hepcms-henrietta.umd.edu

edit  newUser.ldif  

change  uid (first line) , cn, sn, uid, home directory,  uidNumber (increase by 1 from the previous one) and email.

ldapadd -x -D "cn=admin,dc=privnet,dc=local" -W -f newUser.ldif

ldappasswd -H ldap://hepcms-henrietta.umd.edu -x -D "cn=admin,dc=privnet,dc=local" -W -S "uid=jmunshi,ou=people,dc=privnet,dc=local"

NIS Account Creation /Management           

If there is a new account requested:

• Only for CMS HEP (Sarah Eno, Andris Skuja, Alberto Belloni, Drew Baden), CMS Heavy Ion (Alice Mignerey's group), UMD theory (Raman Sundrum's group), and for Higgs Honors class taught by Shabnam Jabeen and Sarah Eno (those accounts for the duration of the class and not longer)

• Can get special permission for CMS colleagues offsite, talk Alberto, but we prefer they use grid tools and not local accounts to access CMS shared files

• If you have an email request that seems legitimate, it could still be a social hack, please confirm with a professor/graduate student/postdoc in the above groups as well as looking up that person on the UMD directory (note that occasionally postdocs are slow to show up in the directory)

How to create an NIS account

The scripts to make new accounts are in /root/scripts_accounts/ on hepcms-hn.umd.edu

Add Users

1. 1. 1. Log into the head node (HN) (hepcms-hn.umd.edu)

      2. User name must be all  lowercase

          Run the script MakeAccount.sh

1. 1. 2. 1. cd scripts_accounts

         2. ./MakeAccount.sh [usernames] [password]  # use "" with multiple names 

              Make the user and give them a first password(it can be anything, doesn't matter since they have to change it), and set them required to change it upon first login (if they are a theory user do -g theory):

         Alternatively do step by step (for theory account use group "theory")

1. 1. • export FULLNAME=""FullName""

      • export USERNAME=username

      • useradd -s /bin/bash -g users -c  "${FULLNAME}"  ${USERNAME}

      • passwd  ${USERNAME}   #  (may need it first time???)

      • chsh  ${USERNAME}   #   /bin/bash   (change default shell)

      • chage -d 0 ${USERNAME}

      • cd /var/yp; make 

      • ypmatch   ${USERNAME}  passwd

      • chmod  a+rx  /home/${USERNAME}      # give all people (group/others)  search access 

• • • Anytime you make changes to the main NIS database of users (password, new users, etc.), update the maps:

             cd /var/yp; make

        ypmatch username passwd   #Check is user entery is correct in database.      

        Make /data/users/  Directory 

• mkdir /data/users/${USERNAME}

• chown ${USERNAME}:users /data/users/${USERNAME}

1. 1. • Only if requested, make an SE area in /hadoop (See below for instructions)

 Document new user

• • • document the new user in our .csv file (so they can get sysadmin emails) and generate text for a welcome email 

    • The following script should now automatically run as part of /root/scripts_accounts/MakeAccount.sh 

    • To write to file, ensure that you have entered No when asked to add a new user, and not aborting before that

    • Would you like to add a new user (Y/N)? N
      
      The following users have been added:
      xxxxx
      
      
      Write new users to output file '/root/cronscripts/hepcms_Users.csv' (Y/N)? Y
      <Writing to output file '/root/cronscripts/hepcms_Users.csv'>

1. • • Here is the manual command:

       • cd /root/scripts_accounts

       • python AddNewUser.py

     • group examples: "theory" "HIN" (heavy ion) "Fall2015" (Higgs class), the default is CMS HEP, so no group needs to be specified 

     • Generate welcome email text you can COPY/PASTE into your mail program, see options here: python pyNewUserInstructions.py --help

       • • Note that the python script may not be able to handle special characters in the password properly, so make sure it put information in correctly, use for instance: --passwd="Special&Pass"

         • As a side note you can see how this .csv file is used elsewhere: python SendMail.py --help, and python parseUsers.py --help

How to change the password:

If you have an email request, ensure that this is a true request and not a hacked account or a social hack, try to make phone/voice contact with the user if possible

1. 1. 1. From ANY machine on the cluster as root (su -) or sudoers (sudo -i)

       yppasswd username

       chage -d 0 username  

       cd /var/yp; make

1. 1. 2. This should automatically update, if for some reason it doesn't, you can make changes on the head node as root, and update the NIS maps:

         cd /var/yp; make

         In case of error in changing password due to chfn: 

• • • You will get an error in the HN /var/log/messages like this:

    • ONLY for this problem, on the HN (as root su -), use system-config-users to edit the password by hand. Be very careful, a lot of account destruction can be done with this program

    • Then re-make the NIS database with this comment (on the HN as root su -): 

cd /var/yp; make

   How to remove a user:

       Not yet documented, please consider data retention policies (my general guideline is once the proofs have been submitted to the journal and you've followed experimental guidelines in data retention, you can delete the files). Also consider sometimes users use things in other people's areas (like the geant files in /data/users/jtemple)

       userdel -r username

       cd /var/yp; make

• • • For the following two areas which won't get automatically moved, please consider other users may share files made by one user in these areas. Additionally, there might be a PhEDEx registered dataset in a user's private hadoop SE area!

    • Don't forget that they will have an area in /data/users/username

    • They might also have an area in /mnt/hadoop/cms/user/username, and an associated grid/CERN certificate account

IMPORTANT: After every change to NIS account 

hepcm-hn: cd /var/yp; make

How to change ownership of a directory

 chown -R username:  directoryName

 cd /var/yp; make; 

just to be sure everything’s in sync for NIS(edited)  to make them properly owned

Change usergroup of a user

 chgrp -R users /home/jabeen

Change user defailt shell

  ypchsh 

 Add a sysadmin to the sudoers file and implement sudo on an individual node:

• • • https://www.linux.com/learn/tutorials/306766:linux-101-introduction-to-sudo

    • Also (see sudoers here: https://sites.google.com/a/physics.umd.edu/tier-3-umd/commands)

    • On that specific node, as root ("su -" OR "sudo -i" ) add the user username to the "wheel" group. 

usermod -aG wheel username   (add to the group)

gpasswd -d username wheel      (remove from the group)

• • • Then on individual node where you want to give the user access use visudo to edit /etc/sudoers file (be very careful because you can mess up the system with changes in this file)

    • Make sure to use visudo, since it will check to make sure that the sudoers file is properly formatted.

    • visudo

• • find the following two lines

    • ## Allows people in group wheel to run all commands

    • # %wheel ALL=(ALL) ALL sudoers

• move your curser on the # before %wheel and delete # by pressing x

• Alternatively, you can press insert to go into editing mode, and use backspace to erase the #

• save and exit by typing (esc  can look up vi text editor commands if need be)      :x

  • It should look like this now for that line: %wheel ALL=(ALL) ALL

  • make sure you are editing it as su - otherwise the changes do not save.

TESTING PHASE of sudoers:

• • • Exit out of root, and log in as your regular username (the one used with usermod -aG wheel username)

    • Test this (may not work right away -- see below)

• groups

• sudo su -   It appears that command "sudo -i" works instead.

  • • The command groups should show you being in the group users, and wheel

    • You will be warned, and you should now have root access *on that node only*. NIS doesn't sync sudo in the current setttings.

      • The command sudo tells unix to run a single command as root, in this case the su - will elevate you to root permanently, thus allowing you to enter in more commands as root

      • Enter in your user password, and you should see a # instead of $ indicating you are currently root

      • Note (6 Oct 2015): I wasn't able to get the su USERNAME - command to work, I successfully added "belt" to the wheel group on hepcms-in2, and successfully edited /etc/sudoers (with visudo) as root to have: 

      • %wheel ALL=(ALL) ALL

      • And still sudo whoami doesn't work as belt on hepcms-in2. No idea why. (but it is apparently ok!)

      • http://linuxpoison.blogspot.com/2008/12/configuring-sudo-and-adding-users-to.html

How to setup SE hadoop/grid account with grid map file:

1. 1. 1. Make a new user account, with HepcmsUsername_g in the (default) users group, it's not a standard login, so we make it with /bin/true

      2. useradd -g users -c "HepcmsUsername grid user" -n HepcmsUsername_g -s /bin/true

      3. Note that we prefer not to have usernames with capitalization, it's indicated in this section only for your readability

      4. There's no password since it's not a login account, so we proceed to sync the NIS maps anyway

         • Anytime you make changes to the main NIS database of users (password, new users, etc.), update the maps:

         • cd /var/yp; make

      5. Then make their area on hadoop, as root on any node (maybe ideally on hepcms-namenode? maybe should use hadoop dfs commands? don't know for sure, it worked like this)

         • cd /mnt/hadoop/cms/store/user

         • mkdir CERNUsername

         • chown HepcmsUsername_g:users CERNUsername

      6. Get CERN DN for the user. You can either ask them to run the voms-proxy-info command and send you the output or get it directly from here:

         •  https://lcg-voms2.cern.ch:8443/voms/cms/user/search.action

         • edit  /data/osg/scripts/grid-mapfile on any node where /data is mounted. This is the file with grid user mapping and is linked in every node as /etc/grid-security/grid-mapfile  

7. Send the following information to the user:

Your storage space on the UMD HEP T3 SE has been created as /store/user/username

Files are written to this space primarily with CRAB jobs, for documentation, see:

              https://twiki.cern.ch/twiki/bin/view/CMSPublic/SWGuideCrab 

Ownership of these files is via a second user account linked to your grid certificate, so you will not be able to move, delete, or rename these files with your regular login, only through SE commands. This is the only difference you will see from a normal local filesystem. Some examples are given here: 

https://sites.google.com/a/umdt3public/user-guide/file-transfer-from-to-the-cluster#TOC-T3_US_UMD-hadoop-examples:

 If you have difficulty using this area, please contact the sysadmins. 

Keep in mind that hadoop is internally replicated, so the disk space available is half of what is shown with "df -h". Additionally, one R510 node can store 12TB (after replication), so it is best to keep at least 24TB (before replication) free in case one node goes down to protect the data. 

You are strongly encouraged to retain files of 1GB or larger for the health of the hadoop system.

For other information:

https://sites.google.com/a/umdt3public/user-guide

          useradd -g users -c "CMS grid pool account" -s /bin/true -n uscms0410