From Livedoc - The Documentation Repository
Jump to: navigation, search

There are basically three layers in the lab regarding authentication and authorization: Kerberos, OpenAFS, and NIS.


The lab's servers fiordland and royal (and probably magellanic soon, as well) run the lab's kerberos service for the realm CSL.TJHSST.EDU. These servers run the krb5kdc daemon, which is the MIT Kerberos5 Key Distribution Center (KDC) service. We have DNS CNAME records like kdc1 and kdc2 to point to the KDCs, so kerberos client configurations do not need to change if the KDC servers ever change.

Every user that has a CSL account has (at least) one Kerberos principal associated with them. For example, the principal for the user Andrew Deason is adeason@CSL.TJHSST.EDU. Some of the Systems Administrators also have administrative accounts that give them higher privileges, such as adeason/admin@CSL.TJHSST.EDU.

There are also other principals such as host keys and service keys which exist at our ongoing attempt to try and kerberize the lab so passwords do not have to be entered for every little thing. An explanation of host and service principals is outside the scope of this document, however, consult a guide on Kerberos for more information.


Every user in the CSL system also has an entry in the OpenAFS Protection Server. There are also a few administrative accounts, which are usually part of the system:administrators group, which allows them access to everything in the system. There also exist a few entries for some services, such as the web server that runs the main web site (www-data), and the server that runs the Intranet.


Although most AFS groups currently in the system were implemented by administrators, normal users can also create their own groups, if you run pts creategroup <username>:mygroup, replacing <username> with your username. You can then add people to that group with the command pts adduser <user> <group>, for example: pts adduser adeason adeason:mygroup. You can then use the normal fs sa command to assign permissions to the members of that group.


Note: NIS and hesiod are no longer used in the lab, LDAP now serves this purpose

Network Information Services, formerly known as Yellow Pages (which is why many commands and directories start with "yp"), is the service which maps between usernames and UIDs, and keeps track of UNIX group membership. It is basically an /etc/passwd and /etc/group file that is shared by a network of machines. All CSL users have an entry in this database, as well.

The user database function is now provided on workstations by Hesiod, which stores /etc/passwd entries as TXT records in DNS. The main advantage is that it is extremely simple to configure on clients and is very efficient (because of using DNS). /etc/group information can also be stored, but is not currently. The database can be queried by the command "hesinfo <user> passwd".

Any kind of alternate nameservice is implemented on clients via nsswitch.