Unix/NFS group iepm

File used to keep track of NFS network group privileges. It uses the ypgroup Unix databases.

The groups below are Unix groups (not netgroups), which are made available over the network by NIS (formerly YP). Les can manage Unix groups via the ypgroup command.

ypmatch <group_name> group
ypmatch <group_name> netgroup, e.g.
35cottrell@pinger:~>ypmatch u-network-management netgroup
(-,antony,)     (-,cal,)        (-,cottrell,)   (-,cxg,)        (-,jerrodw,)    (-,kmartell,)

or

ypgroup exam -group iepm
Group 'iepm':
GID:     2087
Comment:
Last modified at Aug  2 15:20:42 2006 by jonl
Owners:  cal
Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm,
jerrodw, jiri, maheshkc, rich, ytl

To add someone to a group use (Les can execute this command):

ypgroup adduser -group iepm -user pinger

# Please keep unix-admin & security notified when changes are needed, e.g. people changing function or moving etc.

# Note that people with privileges need to change their passwords at least every 9 months.

Netgroup

To see which hosts use a netgroup

Access to hosts is controlled by netgroups. Only unix-admin can add users to a netgroup (e.g. u-iepm) or change which hosts the netgroup can access.

grep the files at /afs/slac.stanford.edu/g/scs/systems/system.info/<machine>/taylor.opts.expanded looking for the group, e.g. 

136cottrell@pinger:~$grep u-iepm /afs/slac/g/scs/systems/system.info/*i*/taylor.opts.expanded
/afs/slac/g/scs/systems/system.info/pinger/taylor.opts.expanded:limit_login=u-iepm

N.b. replacing *i* with * will probably result in "/bin/grep: Argument list too long". Also note that as of 9/19/2013 the hosts whose access is controlled by u-iepm are: pinger
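The search above breaks once the shell has to expand every host's taylor.opts.expanded at once. The function below is an added example, not part of the original page: it lets find feed the file names to awk in batches, and only counts an exact match of one comma-separated limit_login value, so u-iepm does not match a longer name that merely starts with it. SYSINFO_DEMO is a constructed stand-in for /afs/slac/g/scs/systems/system.info, with host directories and file contents made up here for the demonstration (only pinger is from the page); point the function at the real tree to use it.

```shell
# Added example (not from the original page): list the hosts whose
# taylor.opts.expanded restricts logins to a given netgroup without ever
# putting every host's file on one command line.

hosts_using_netgroup() {
  # $1 = netgroup name, $2 = system.info root directory
  # find hands file names to awk via xargs in batches, so no single argument
  # list has to hold the whole tree. Within a file, each limit_login value is
  # compared whole, so "u-iepm" does not match "u-iepm-test".
  find "$2" -name taylor.opts.expanded -print0 \
    | xargs -0 awk -v ng="$1" '
        FNR == 1 { hit = 0 }
        /^limit_login=/ && !hit {
          n = split(substr($0, length("limit_login=") + 1), vals, ",")
          for (i = 1; i <= n; i++) if (vals[i] == ng) { hit = 1; print FILENAME }
        }' \
    | sed 's#.*/\([^/]*\)/taylor\.opts\.expanded$#\1#' \
    | sort
}

# Constructed demonstration tree; /afs/slac/g/scs/systems/system.info is the
# real location. Host names other than pinger are made up.
SYSINFO_DEMO=$(mktemp -d)
trap 'rm -rf "$SYSINFO_DEMO"' EXIT

add_demo_host() {
  # $1 = host name, $2 = constructed contents of its taylor.opts.expanded
  mkdir -p "$SYSINFO_DEMO/$1"
  printf '%s\n' "$2" > "$SYSINFO_DEMO/$1/taylor.opts.expanded"
}
add_demo_host pinger    'limit_login=u-iepm'
add_demo_host netmon02  'limit_login=u-other,u-iepm'
add_demo_host scratch01 'limit_login=u-iepm-test'
add_demo_host webhost   'some_other_opt=1'

# Hosts restricted to u-iepm in the demo tree: netmon02 and pinger
hosts_using_netgroup u-iepm "$SYSINFO_DEMO"
```

The sed step keeps only the directory name between system.info and the file, which is the host, so the output is a plain host list that can be compared against the hosts a netgroup is expected to cover.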

To see who is in a netgroup use the command

netgroup <group_name>, e.g.
36cottrell@pinger:~>netgroup u-network-management
u-network-management
   (-,antony,)
   (-,cottrell,)
     (-,gcx,)
       (-,reuber,)
       (-,ytl,)

 
or

136cottrell@pinger:~$/usr/local/bin/netgroup_adm examine -group u-iepm
notes
# Users authorized to login to all the restricted-login machines
# involved in the IEPM project. Note that cottrell is in
# u-network-management, which is part of u-scs-staff.
hosts
 []
users
 ["arash", "iepm", "pinger", "ytl", "saqibali", "cottrell"]
owners
 ["kalim"]
netgroups
 []
exit
.
pid 19732 exit 0

The u-iepm netgroup is the one that enables users to log on to the special iepm hosts (in particular pinger.slac.stanford.edu). It can be updated by u-scs-staff, which includes u-bsd-admin, u-network-management, u-security-team, u-tech-coordinators, u-unix-role-accts and u-unix-staff. The command to add someone is

netgroup_adm adduser -user cottrell -group u-iepm
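The three listing formats shown above (netgroup triples from ypmatch and netgroup, the users block of netgroup_adm examine, and the wrapped Members line of ypgroup exam) all hold the same kind of information but none of them is a plain user list. The functions below are an added example, not part of the original page or any SLAC tool: they reduce each format to one user per line and then show the check a reviewer of the iepm hosts would want, namely which users may log in through the u-iepm netgroup without being members of the iepm Unix group. The sample outputs are constructed from the page's own examples (one comment line shortened); in practice the real commands are piped into these functions.

```shell
# Added example (not from the original page): turn the membership outputs
# shown above into plain user lists and reconcile netgroup against Unix group.

# Users named in netgroup triples "(host,user,domain)", whether one per line
# (netgroup) or space-separated on one line (ypmatch). The '-' wildcard and
# empty user fields are dropped; non-triple lines such as the group name are ignored.
netgroup_triple_users() {
  tr -s ' \t' '\n' \
    | sed -n 's/^(\([^,]*\),\([^,]*\),\([^)]*\))$/\2/p' \
    | grep -v '^-*$' \
    | sort -u
}

# Users from the "users" block of netgroup_adm examine output: the line after
# "users" is a bracketed, quoted, comma-separated list.
netgroup_adm_users() {
  sed -n '/^users$/{n;p;}' | sed 's/[][" ]//g' | tr ',' '\n' | grep -v '^$' | sort -u
}

# Members from ypgroup exam output. The Members: list may wrap over several
# lines, as in the iepm example; it is assumed (as on the page) to be the last
# field, ending at the first blank line or end of output.
ypgroup_members() {
  awk 'inlist && NF == 0 { inlist = 0 }
       /^Members:/ { sub(/^Members:/, ""); inlist = 1 }
       inlist { gsub(/,/, " "); for (i = 1; i <= NF; i++) print $i }' \
    | sort -u
}

# Users present in the first (sorted) list but absent from the second.
netgroup_only_users() {
  # $1 = file with netgroup user list, $2 = file with Unix group member list
  comm -23 "$1" "$2"
}

# Constructed samples, copied from the page's own examples.
YPMATCH_OUT='(-,antony,)     (-,cal,)        (-,cottrell,)   (-,cxg,)        (-,jerrodw,)    (-,kmartell,)'
NETGROUP_OUT='u-network-management
   (-,antony,)
   (-,cottrell,)
     (-,gcx,)
       (-,reuber,)
       (-,ytl,)'
NETGROUP_ADM_OUT='notes
# Users authorized to login to all the restricted-login machines
hosts
 []
users
 ["arash", "iepm", "pinger", "ytl", "saqibali", "cottrell"]
owners
 ["kalim"]
netgroups
 []'
YPGROUP_OUT="Group 'iepm':
GID:     2087
Comment:
Last modified at Aug  2 15:20:42 2006 by jonl
Owners:  cal
Members: akbar, cal, cottrell, cxg, fawad, hasan, iepm,
jerrodw, jiri, maheshkc, rich, ytl"

# Who can log in via u-iepm without being in the iepm Unix group?
audit_iepm() {
  ng=$(mktemp); ug=$(mktemp)
  printf '%s\n' "$NETGROUP_ADM_OUT" | netgroup_adm_users > "$ng"
  printf '%s\n' "$YPGROUP_OUT" | ypgroup_members > "$ug"
  netgroup_only_users "$ng" "$ug"
  rm -f "$ng" "$ug"
}

printf '%s\n' "$YPMATCH_OUT" | netgroup_triple_users
audit_iepm   # arash, pinger, saqibali
```

Run against live output, the same reconciliation is `netgroup_adm examine -group u-iepm | netgroup_adm_users` on one side and `ypgroup exam -group iepm | ypgroup_members` on the other; any name that appears only on the netgroup side is a login grant that the Unix group does not explain and is worth confirming with unix-admin.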

NFS file access

NFS file systems such as /nfs/slac/g/net/pinger are exported to a netgroup from netfs02, so they are available on all machines in that netgroup. To see the full list of machines that can access these files, you can type:

119cottrell@pinger:~>netgroup slac > ! /tmp/junk

and edit the file (/tmp/junk). The amd mount points are transient: they time out when not in use. So sometimes it will work to cd to /nfs/slac/g and you will see an entry for net/pinger, but if it has timed out you may not, even on pinger (unless something runs there that keeps it constantly in use). Once the mount point has timed out you will have to cd to the full amd mount path, which in this case is /nfs/slac/g/net/pinger, to get amd to remount the space. As a rule it is always a good idea to use the full path to the NFS space, especially in scripts.

Unix/AFS groups

Group Name              Purpose                     AFS path                                 Contact(s)
g-scs                   SVN access                  /afs/slac/g/scs/net/netmon/repo/svn      Cottrell
g-www:admin-www-iepm    www-iepm/pinger web site    /afs/slac/g/www/www-iepm                 Cottrell
iepm:iepm               Code                        /afs/slac/g/scs/net/iepm-bw[/bin]        Cottrell

To see the names of groups and privileges on a particular directory, issue the command

fs la <directory>, e.g.
fs la .

or

fs la /afs/slac/g/scs/net/pinger

jerrodw@pinger $ fs la /afs/slac/g/scs/net/pinger/
Access list for /afs/slac/g/scs/net/pinger/ is
Normal rights:
  maint-pkg-netmon rlidwk
  g-scs rlidwka
  system:slac rl
  system:administrators rlidwka
  system:authuser rl
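Reading an ACL like the one above is mostly a matter of spotting two things: who holds the a (administer) right, and so can change the ACL itself, and whether the broad system groups have anything beyond read and lookup. The functions below are an added example, not code from the page or from AFS; they parse fs la output into entity/rights pairs and answer those two questions. FS_LA_PINGER is constructed from the page's own listing, and FS_LA_LOOSE is a made-up listing with an over-permissive entry so the check has something to flag.

```shell
# Added example (not from the original page): pick the review-relevant
# entries out of `fs la` output.

# "entity rights" pairs from the Normal rights section only; negative rights,
# if present, are a separate section and are skipped here.
fs_la_entries() {
  awk '/^Normal rights:/   { sec = "normal";   next }
       /^Negative rights:/ { sec = "negative"; next }
       sec == "normal" && NF == 2 { print $1, $2 }'
}

# Entities holding the administer (a) right, i.e. able to rewrite this ACL.
acl_admins() {
  fs_la_entries | awk 'index($2, "a") { print $1 }' | sort
}

# Broad groups (everyone, or every authenticated user) granted any of
# insert/delete/write/lock/administer: the usual sign of a directory that is
# writable far more widely than intended.
acl_broad_write() {
  fs_la_entries \
    | awk '($1 == "system:anyuser" || $1 == "system:authuser") && $2 ~ /[idwka]/ { print $1, $2 }'
}

# Constructed sample: the page's pinger listing.
FS_LA_PINGER='Access list for /afs/slac/g/scs/net/pinger/ is
Normal rights:
  maint-pkg-netmon rlidwk
  g-scs rlidwka
  system:slac rl
  system:administrators rlidwka
  system:authuser rl'

# Constructed sample with a deliberately loose entry (path and names made up).
FS_LA_LOOSE='Access list for /afs/example/scratch is
Normal rights:
  system:anyuser rlidwk
  someuser rlidwka'

printf '%s\n' "$FS_LA_PINGER" | acl_admins       # g-scs, system:administrators
printf '%s\n' "$FS_LA_PINGER" | acl_broad_write  # nothing: authuser has rl only
printf '%s\n' "$FS_LA_LOOSE"  | acl_broad_write  # system:anyuser rlidwk
```

On a live directory this is `fs la <directory> | acl_admins`; every group it prints is one whose membership (pts mem, below) decides who can hand out rights on that path.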

To view members of a particular group listed from 'fs la', issue the command:

pts mem <group_name>, e.g.

jerrodw@pinger $ pts mem maint-pkg-netmon
Members of maint-pkg-netmon (id: -4786) are:
  <list of user_id's belonging to this group>

To add users to a particular group (only if you have privileges of course), issue the command

pts adduser -group <group_name> -user <user_id>