User:2017ewang

From Livedoc - The Documentation Repository

Hi! I'm Eric Wang! I am one of the 2016-2017 Ion maintainers and the creator of the Director website management interface.

Page      Describes type   Criticality
Director  Machine          Production
Mysql1    Machine          Production
Openvpn   Machine          Development

Helpful Guides

Useful Commands

Kerberos

To gain root on machines with Kerberos, run:

kinit <username>/root

To give someone else root access to a machine with Kerberos, you will need to modify the /root/.k5login file on the machine.

Users may not be able to log in to a machine if they are not in the allaccess group or in the individual group for that machine. The list of groups that can access a machine is usually located in /etc/security/access.groups.

To gain AFS admin powers, run:

kinit <username>/admin
aklog

To list your current login status, run:

klist

Account Troubleshooting

Nonexistent AFS Users

If there are users with accounts in LDAP but their AFS user account is gone, you can use the following script to recreate the AFS users based on LDAP. The script requires you to pass in an LDAP group as the first argument (e.g. 2017, 2018, staff). It needs AFS admin tokens (kinit <username>/admin; aklog) and a Kerberos ticket for the GSSAPI bind to LDAP.

#!/bin/bash
# Recreate missing AFS users from LDAP.
# Usage: ./recreate_afs_users.sh <ldap-group>   (e.g. 2017, 2018, staff)

if [[ $# -ne 1 ]]; then
    echo "usage: $0 <ldap-group>" >&2
    exit 1
fi

declare -A array

# Index every existing AFS user by name so the lookup below is a hash lookup.
for x in $(pts listentries | cut -f1 -d' '); do
    array[$x]=1
done

# ldapsearch prints "uid: NAME" followed by "uidNumber: N" for each entry;
# grep "^uid" keeps both lines, so read them in pairs.
ldapsearch -h openldap1 -E pr=100/noprompt -Y GSSAPI -b "ou=$1,ou=students,ou=people,dc=csl,dc=tjhsst,dc=edu" "objectclass=*" uid uidNumber | grep "^uid" | while read -r ONE; do
    read -r TWO
    AFS_USERNAME="${ONE##* }"
    AFS_UID="${TWO##* }"
    if [[ -n "${array[$AFS_USERNAME]:-}" ]]; then
        # echo "User exists with $AFS_USERNAME and id $AFS_UID"
        true
    else
        # Recreate the AFS user with the same numeric id it has in LDAP.
        pts createuser -name "$AFS_USERNAME" -id "$AFS_UID"
        echo "Created user $AFS_USERNAME with id $AFS_UID"
    fi
done

Email Issues

First, check to see if the user has an account in LDAP. If not, follow the individual account creation guide on the Account provisioning page.

Check to make sure that the user has the correct permissions on their home directory. You can do this by SSHing to casey (the mail server), gaining root access, and going to /mnt/mail/current/<username>. The folder, as well as its subfolders, should be owned by the user the folder is named after.
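The ownership check above is easy to script so that every maildir under the mail root is audited at once rather than one user at a time. This is an added example, not a script from the original page or from the CSL; it assumes GNU find (for -printf), that each top-level directory name is a login name, and it must run as root to be able to stat every user's mail.

```shell
#!/bin/sh
# Added example, not from the original page: audit a mail root such as
# /mnt/mail/current, where every maildir and everything beneath it must be
# owned by the user the directory is named after.
# Assumes GNU find (-printf) and that each top-level directory name is a login name.

# Prints "<name> <owner> <path>" for each file or directory under $1/<name>
# whose owner is not <name>, or "<name> - <dir>" when no such user exists
# (a stale maildir left behind for a deleted account is worth a look too).
# Returns 1 if anything was reported, 0 if the tree is clean.
audit_mail_ownership() {
    root=$1
    status=0
    for dir in "$root"/*/; do
        dir=${dir%/}
        # Skip the literal pattern when the glob matched nothing, and skip symlinks.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        name=${dir##*/}
        if ! id -u "$name" >/dev/null 2>&1; then
            printf '%s - %s\n' "$name" "$dir"
            status=1
            continue
        fi
        # The maildir itself is included in the search, as the guide requires.
        bad=$(find "$dir" ! -user "$name" -printf "$name %u %p\n" 2>/dev/null || true)
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad"
            status=1
        fi
    done
    return "$status"
}

# Number of offending entries, convenient for a monitoring check.
count_mail_mismatches() {
    audit_mail_ownership "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_mail.sh /mnt/mail/current
if [ $# -gt 0 ]; then
    audit_mail_ownership "$1"
fi
```

Run it as root on the mail server with the mail root as the only argument; a non-zero exit status means at least one maildir needs its ownership fixed (chown -R <username> /mnt/mail/current/<username>) or belongs to an account that no longer exists.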

Website Authentication with PAM and Nginx

First, install the nginx-full package on Ubuntu/Debian distributions. The plain nginx package does not include the modules required to set up PAM authentication.

You will then need to enable the PAM nginx module. Add the following line to /etc/nginx/nginx.conf, outside of any blocks:

load_module modules/ngx_http_auth_pam_module.so;

You will then want to edit the server nginx configuration file that requires authentication, probably found in /etc/nginx/servers.d/. Inside the location block you want to protect, put the following lines:

auth_pam "Enter CSL or LOCAL credentials -- access restricted; if you would like access email sysadmins@tjhsst.edu.";
auth_pam_service_name "web_auth";

Next, go to /etc/pam.d/ and create a file called web_auth (the name must match what you put for auth_pam_service_name). Put the following in the file:

auth    [success=3 default=ignore]  pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]  pam_krb5.so minimum_uid=1000 realm=LOCAL.TJHSST.EDU
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass

# here's the fallback if no module succeeds
auth  requisite           pam_deny.so

auth  required            pam_listfile.so onerr=fail item=group sense=allow file=/etc/web_auth/group.allowed

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth  required            pam_permit.so

The first line of the file authenticates against CSL (Kerberos). If that fails, LOCAL authentication is tried. If that fails, plain Unix authentication is tried. Each success=N jumps over the remaining methods and pam_deny.so, so any one of the three succeeding lands on the pam_listfile.so line; if all three fail, pam_deny.so rejects the login. The pam_listfile.so line only allows members of certain groups to log in: if the user is not in a group listed in /etc/web_auth/group.allowed, authentication fails. Otherwise authentication succeeds and the user is allowed to view the page. Once you create /etc/web_auth/group.allowed containing the groups you want to allow, the authentication should be set up.
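Two things are worth checking before relying on this stack: that the group decision does what you expect for a given user, and that the three files (nginx.conf, the site config, and the pam.d service file) actually reference each other. The script below is an added example, not code from the original page or from the CSL. It emulates only the pam_listfile.so step (one group name per line, onerr=fail meaning an unreadable allow-list denies everyone) against the groups reported by id, and it takes the file paths as parameters so it can be pointed at test copies. It assumes the configuration uses the exact directives shown above. Remember also that ngx_http_auth_pam_module prompts with HTTP Basic authentication, so the protected site must be served over HTTPS or the CSL credentials cross the network in the clear; run nginx -t after editing to catch syntax errors.

```shell
#!/bin/sh
# Added example, not from the original page: dry-run checks for the
# nginx + PAM web_auth setup described in this guide.

# 0 if $1 is a member of at least one group listed in $2 (one group per line),
# 1 otherwise. Mirrors onerr=fail: an unreadable allow-list denies everyone.
web_auth_group_allowed() {
    user=$1
    allowed=$2
    if [ ! -r "$allowed" ]; then
        echo "deny: cannot read $allowed (onerr=fail)" >&2
        return 1
    fi
    groups=$(id -Gn "$user" 2>/dev/null) || { echo "deny: unknown user $user" >&2; return 1; }
    while IFS= read -r group || [ -n "$group" ]; do
        [ -n "$group" ] || continue
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                return 0
            fi
        done
    done < "$allowed"
    return 1
}

# Verify that the pieces reference each other: nginx.conf ($1) loads the PAM
# module, the site config ($2) names a PAM service, that service file exists in
# the pam.d directory ($3), and the allow-list it points at is present and
# non-empty. Prints each problem found; the return value is the problem count.
web_auth_config_check() {
    nginx_conf=$1
    site_conf=$2
    pam_dir=$3
    problems=0
    if ! grep -q '^load_module .*ngx_http_auth_pam_module\.so;' "$nginx_conf"; then
        echo "$nginx_conf does not load ngx_http_auth_pam_module"
        problems=$((problems + 1))
    fi
    service=$(sed -n 's/^[[:space:]]*auth_pam_service_name[[:space:]]*"\([^"]*\)";.*/\1/p' "$site_conf" | head -n 1)
    if [ -z "$service" ]; then
        echo "$site_conf has no auth_pam_service_name directive"
        problems=$((problems + 1))
    elif [ ! -f "$pam_dir/$service" ]; then
        echo "PAM service file $pam_dir/$service is missing"
        problems=$((problems + 1))
    else
        listfile=$(sed -n 's/.*pam_listfile\.so.*file=\([^[:space:]]*\).*/\1/p' "$pam_dir/$service" | head -n 1)
        if [ -z "$listfile" ]; then
            echo "$pam_dir/$service has no pam_listfile.so line: every authenticated user would be allowed"
            problems=$((problems + 1))
        elif [ ! -s "$listfile" ]; then
            echo "allow-list $listfile is missing or empty: nobody can log in"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage: sh web_auth_check.sh /etc/nginx/nginx.conf /etc/nginx/servers.d/site.conf /etc/pam.d
if [ $# -eq 3 ]; then
    web_auth_config_check "$1" "$2" "$3"
fi
```

The emulation deliberately covers only the group step; whether a given password is accepted still depends on pam_krb5 and pam_unix, which this script does not touch.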