Service Desk Knowledgebase: User Accounts and Groups
This is the User Accounts and Groups content page of the CL Wiki Service Desk Knowledgebase. Its purpose is to provide information to the Service Desk team on how to handle problems and requests about this CL service. If you are involved with the provision of this CL service please feel free to add to the knowledge about it.
If CL staff need to tell the Service Desk team about problems with this service please email
sys-admin-aside@cl.cam.ac.uk.
Key Service Description & URLs
- An Introduction to the Computing Facilities at the Computer Laboratory
- Computer Laboratory News (Twitter use @UC_CL_SysAdm)
CL Customer Documentation
- Password Complexity & Linux "Authentication token manipulation error"
- The New Person Details Form (for PI or host of all new staff and long-term visitors) is at https://dbwebserver.ad.cl.cam.ac.uk/Administration/Visitors/ArrivalDetails.aspx
CL SysInfo Documentation
- http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Users - User management tasks
People
There's also:
- http://www.lookup.cam.ac.uk/
- http://www.cl.cam.ac.uk/~CRSid
- Staff and Fellows
- Students and Assistants
- Recent Alumni (3 years)
- Visitors (Admin Database Notes)
- Staff List (Admin Database Notes)
- Jackdaw
Underpinning Services
- ??? - Any supporting or underpinning services
Customer-base for this Service
- All students and staff of the Computer Laboratory
Costs
- Free to all current students and staff of the Computer Laboratory
SLA
- N/A
Service Desk Call Handling Procedure
- RT tickets can be escalated by changing the Queue to backoffice with the Owner set to Nobody and the Status as new. Tell the requestor:
I am passing this request over to the experts who, I'm sure, will be in contact shortly.
Accounts
CL account creations are carried out via the SCG website; accounts are normally added automatically via the arrivals process.
Note that Reception can do UIS account requests.
Email: "Account creation request for <CRSid> arriving <date>" or "Outstanding accounts to create for people arriving" or an RT ticket requesting an account
Sent into RT from <gt19@cl.cam.ac.uk> from https://dbwebserver.ad.cl.cam.ac.uk/Administration/Visitors/ArrivalDetails.aspx
If this is the first time you have carried out this procedure, then first set the printer to pear and click Save in the configuration settings.
Either:
- Copy CRSid and go to https://dbwebserver.ad.cl.cam.ac.uk/scg/UserAdmin/UserAdministration.aspx and use Find User: CRSid [Lookup].
- If no matching record click [Add New User], paste CRSid
or in the email:
- Click https://dbwebserver.ad.cl.cam.ac.uk/SCG/UserAdmin/UserAdminNewUser.aspx?crsid=CRSid to create new account
and then:
- With the CRSid in Enter CRSID for new User, click [Validate] to pull in details. If the details are not present or you do not have a valid crsid then move the ticket to the Back Office queue.
- Check Full Name entered
- Anyone in an Outstanding accounts to create for people arriving email will be an incoming person and should be on the office list by the time the discretionary status comes up for review, so set Discretionary Use Status: to Account for new user who should be on office list by review date and click [Create Account] (with Print form? ticked). Other creation requests on an RT ticket may require an alternative Discretionary Use Status. Make sure you choose the correct one, fill in an appropriate date rather than just accepting the default, and add the RT ticket number to the comment field.
- Update RT ticket with comment "Account creation started." and leave the RT ticket on the sysadmin queue with the status of "Open" - it is then clear that it is being worked on and awaiting a "Part 2"
- The process then updates the AD, email forwarding and LDAP entries and creates the home directory - the account should be live within about 30 mins.
- After about an hour, log in to a Unix machine and connect to the home directory /homes/crsid to check it has completed. If it has, close the ticket, replying to the requestor if appropriate.
Email: "Outstanding equipment requests for arriving visitors/staff"
Sent into RT from <gt19@cl.cam.ac.uk> as an automated periodic check to ensure things don't get missed e.g.
Please fulfil request(s) which have already been logged in RT.
requestID   Sponsor  Person               Starting
----------- -------- -------------------- ------------
1008        as2330   Arcia-Moret          05/05/2015
1029        avsm2    Laurent              01/06/2015
1058        fms27    Brown                06/07/2015
969         rnw24    Schwemmer            11/05/2015
1063        rnw24    Pearce               24/06/2015
(5 rows affected)
Copy each requestID in turn and plug into the URL
https://dbwebserver.ad.cl.cam.ac.uk/Administration/Visitors/VisitorDetails.aspx?ID=1063
Copy the RT# from the RT_Ticket field.
If the RT_Ticket field has not been updated, copy the person's surname and go to RT's Simple Search at https://rt.cl.cam.ac.uk/Search/Simple.html and search for it.
If you get Found 0 tickets click Edit Search and under Current search click on the first ( of
( Status = 'new' OR Status = 'open' OR Status = 'stalled' ) AND ( Subject LIKE 'Pearce' )
and click the [Delete] button to just search for
( Subject LIKE 'Pearce' )
and then click Show Results to find the RT ticket.
When the original RT ticket is found, use Link & Refers to link through to the original ticket in RT and work in the original ticket, putting only a summarizing comment in the "Outstanding equipment requests for arriving visitors/staff" ticket. Go through the associated RT tickets and see if any equipment requests are stuck. It may be that the database has just not been updated and the equipment has been provided and the VLAN configured, so update the database as appropriate. The Equipment_state field requires OK Inventory #???? MachineName? to complete it and stop it being picked up as an "Outstanding equipment requests for arriving visitors/staff".
Part II project accounts
Part II project students _never_ "arrive" as full members of the department, so the default discretionary entry "new" status is not plausible for this case. You need a proper discretionary table entry for them, not a temporary placeholder. What is needed here is to set the status to "project" and the review date to be after the end of the academic year after the exams are out of the way - normally choose something like 1st July.
Finding old backups
Old snapshots are held on the backup file server called echo. On a Linux machine the pattern /a/echo-vol1/.snapshot/*/homes*/crsid will enumerate any that exist for a particular user.
Quota Increases
For individuals
Approval: "Bigdisc" quotas can be increased on request up to 250Gb. Home quotas up to 100Gb. Anything else needs to be escalated as above for approval. A user's quota and usage can be checked using cl-rquota -u CRSid. If they are not 'nearly full' on the file system for which they are asking for more, ascertain why they think they need it (e.g. they are about to start some work that needs lots of space) before just giving it.
- To increase a user's quota go to the SCG web page
- Select User Administration
- Enter the crsid of the user into the Find User box and click Lookup
- On the User Details page the quota management section is on the right under the AD details.
- To modify a quota click on the Modify button next to the appropriate quota (bigdisc is on /vol/vol5/scr-1, the home on /vol/vol1/homes-?)
- On the Edit Quota page you should set the quota to the required values, add as a comment the RT ticket number and click update. You should be taken back to the User Details page with the updated quota shown.
- The quota update is processed in the background and should take effect after 15 mins.
If there is no existing Bigdisc quota then there will be a button under the quotas table to create a default entry which must then be edited to set the correct values.
If a bigdisc quota is added you must also create the directory on /anfs/bigdisc, with the uid as both owner and group and permissions set to 755.
For other quota increases such as on the web server a non-default quota can only be added via the Quota web page using expert mode.
For groups
Based on the guidelines on Computer Lab RT#95305 from Graham Titmus (16/04/15)
The quotas are in the same file as the User quotas, but earlier on in the file.
Providing the requester is an SRA, it is reasonable to accept a request for a larger group quota.
- Attach to Laira as outlined in the instructions for an individual's quotas ("For individuals" following steps 1-8).
- To find which group to increase, run the command df (to see the disk mount-path). Alternatively use the command "grep group exports".
e.g. looking for group 'fluphone' reveals the shared folder as 'grp-sr11'
grep fluphone exports
/vol/vol3/grp-sr11 -sec=sys,rw=@cl_hosts:www-fluphone:www-cambridgeplus:www-duckplus,root=HOSTLIST(priv_elmer_nosquash),sec=krb5:krb5i:krb5p,rw=128.232.0.0/17
- Once you have identified the volume to increase (in this example it is grp-sr11) go to the Quota Manager web page
- Select quota type tree
- Enter the path found using df in the scope box and hit return
- Click on Select to edit the quota
- On the Edit Quota page you should set the quota to the required values, add as a comment the RT ticket number and click update. You should be taken back to the Quota Manager page with the updated quota shown.
- The quota update is processed in the background and should take effect after about 15 mins.
Copy the resultant screen contents from step 2 to the end, and paste it into the RT ticket as a comment and [Save Changes].
After an increase of this size it is best to escalate to check that the filer has enough spare capacity to provide the space.
Add another comment saying "Please can someone check the space availability for this increase"
Set the Status to "New" and the Owner to "Nobody" then click on [Save Changes]
Add user to a group
Note that: "A request to add a user to a group should be supported by a member of staff in the group."
Follow the procedure at http://www.wiki.cl.cam.ac.uk/clwiki/SysInfo/HelpDesk/Users/AddGroup or select the group in the list at
https://dbwebserver.ad.cl.cam.ac.uk/SCG/UnixGroups/UnixGroups.aspx
and Enter new member: and [Add User]. Tell the requester:
This has been done but it will take a while before it becomes visible.
Reactivating cancelled Computer Lab accounts
The user should be told:
If you have a good reason why you should need continued access then you need to contact your former supervisor here and get them to agree to sponsor your account. Such sponsorship is normally only granted for continued active collaboration that requires access to resources here.
If the sponsor gets back and authorises the reactivation, the two things to do to permit his account to stay alive are to edit both the user record at the top and the discretionary entry below it in the User Administration database. If they have a discretionary users record where the Status is purgewait (if not it has to go to backoffice) then:
- Find and merge the (probable) two RT tickets
- Go to the User Administration database at https://dbwebserver.ad.cl.cam.ac.uk/SCG/UserAdmin/UserAdministration.aspx enter the CRSid into Find User and click [Lookup]
- Check under Discretionary User Details that the status is of type purgewait - if they have already been removed then just pass the RT ticket on to the backoffice queue
- Click [Edit] at the top left of the Details for user CRSid user record.
- Tick the box next to active
- Click the [Update] button
- Next click the [Edit] button under Discretionary User Details
- Change the status to ok
- Set the reviewdate to one year from the current date
- Put the sponsor's CRSid into sponsor
- Put the RT ticket number into comment as RT#96207
- Click the [Update] button
- Get back to the user & the sponsor using RT telling them:
This has been done and a login should be possible again in the near future once the public ssh keys are again added to the recognised set.
- Resolve the ticket.
If they have already been removed then pass this on to the backoffice queue.
Keeping open CL accounts for a student who is going on to a CL PhD or similar
If a sponsor requests that a student retains their CL accounts because they are going on to do a PhD the following can be used to ensure that the student's CL accounts are not closed over the summer:
- Check the sponsor is of a suitable status using https://dbwebserver.ad.cl.cam.ac.uk/Administration/HR/AllStaffStudents.aspx and [Lookup]
- Find the student's details using https://dbwebserver.ad.cl.cam.ac.uk/Administration/HR/AllStaffStudents.aspx and [Lookup]
- Click the [Create Discretionary Entry] button
- [Edit] the Discretionary User Details to include the following:
- Status: new - User will be on the staff database by the reviewdate. If the person is leaving but the sponsor asks you to keep their account alive set the Status: OK
- reviewdate: 30/10/2015 (i.e. a date just after they are due to arrive) or in case of a sponsored account a year unless told otherwise
- sponsor: CRSid of their sponsor
- comments: RT#96271
- Click [Update]
- Get back to the user & the sponsor using RT telling them:
This has been done.
- Resolve the ticket.
If they have already been removed then pass this on to the backoffice queue.
Reissue Password
Piete Brooks (07/09/15)
It has been confirmed that the 'Reissue Password Form' button does not re-print the last Password Form, but resets the password, and prints a new form.
For someone who has never had a Lab account, it will make little difference. However, if the user already has a Lab account, and knows the password, trying to be helpful and using 'Reissue Password Form' will mean that they can no longer login (until they realise what has happened, and picked up the new form)!
So if the person doesn't know or has never had a Lab password:
- First go to https://dbwebserver.ad.cl.cam.ac.uk/SCG/Configuration.aspx and check your printer is set to "pear" and [Save Settings] if not.
Only then...
- Go to https://dbwebserver.ad.cl.cam.ac.uk/scg/UserAdmin/UserAdministration.aspx
- Find user: CRSid and click [Lookup]
- Then click the [Reissue Password Form] button (bottom right)
- The new password form can then be picked up from CL Reception
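If the person has ssh access and is not at the lab then you can do the following. Firstly cause a password reset and find the new password from the printout, then:
crsid=their_crsid
f=/tmp/.rt_ticket_number
# Create the empty file and restrict it to its owner before the password is written
touch "$f"
sudo chmod 400 "$f"
sudo chown "$crsid:$crsid" "$f"
# Type the password on stdin and finish with Ctrl-D
sudo tee -a "$f"
the_actual_password
^D
ls -l "$f"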
then email them to tell them the name of the file which contains their new password.
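A check that could be run after the commands above and before emailing the file name: it confirms that the file is a regular file rather than a symlink, readable only by its owner, owned by the intended user and not empty. This is an added example, not part of the original procedure or a CL tool; the function name handoff_file_ok and passing the expected owner as a numeric uid are assumptions.

```shell
# Added example: verify a password hand-off file before telling the user about it.
# handoff_file_ok is a hypothetical helper name, not a CL tool.
# Usage: handoff_file_ok /tmp/.rt_ticket_number "$(id -u their_crsid)"
handoff_file_ok() {
    path=$1
    want_uid=$2

    # ls -ld describes the path itself, so a symlink is reported as type 'l'
    # instead of being followed; -n prints the numeric owner.
    listing=$(ls -ldn -- "$path" 2>/dev/null) || { echo "missing: $path" >&2; return 1; }
    set -- $listing
    perms=$1
    uid=$3

    # Must be a regular file with owner-read only (chmod 400). A trailing '.'
    # (SELinux context) is accepted; a trailing '+' (ACL present) is not.
    case $perms in
        -r--------|-r--------.) ;;
        *) echo "unexpected type/mode: $perms" >&2; return 1 ;;
    esac

    # Must belong to the user who is meant to read it.
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid $uid, expected $want_uid" >&2
        return 1
    fi

    # Must actually contain the password.
    if [ ! -s "$path" ]; then
        echo "file is empty: $path" >&2
        return 1
    fi
    return 0
}
```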
Contacts
Primary
- gt19@cl.cam.ac.uk (Goes to Graham Titmus)
- Tel: 34620
Other
Availability
- Monday:
- Tuesday:
- Wednesday:
- Thursday:
- Friday:
- Saturday: Closed
- Sunday: Closed
Additional CL Staff Resources
Hints, Tips & Known Issues
Notes on the Staff List
Vince Woodley (28/01/15)
Some Staff List Positions
- blank = no longer have Computer Laboratory status
- ACS = Advanced Computer Science (MPhil)
- Intern = Working in lab as a summer student.
- RA = Research Assistant
- RARS = Research Assistant registered for a degree
- SRA = Senior Research Associate
Categorising Keywords
- User Accounts Groups creation recreation locked out quota conference snapshots