Linux Administration Notes - Add New User

<< | AdminNotes | Bootloader Toggling >>

On this page:

  1. Foreman driven process
  2. Manual process
     2.1 Making a new user
     2.2 Samba access
     2.3 Email - IMAP or aliasing
     2.4 Completing the setup
     2.5 Web home directories

1.  Foreman driven process

Foreman uses the foreman_simple_user module to add users to managed machines. Each machine has an owner, which can be a group; every user in that group is added to the system, together with their SSH public keys.

Users can be added in the Foreman UI at and their SSH public key attached to the account. Once the user is a member of the appropriate group, e.g. the PSI group, Puppet creates the account on every host owned by that group at its next run.

2.  Manual process

2.1  Making a new user

  1. Decide on a user name for the new user. The surname is usually a good choice, unless it is too long or has already been used.
  2. Choose the primary group the user belongs to, for example the psi group. If there is no specific group, use the generic group users. Always specify a group with -g when running useradd; otherwise it falls back to creating a per-user group, which is not what we want on this server.
  3. Choose the UID. Don't let useradd pick one; use IDs between 700 and 999. Check which numbers are already taken with getent passwd rather than /etc/passwd alone, since accounts that exist only in the NIS maps must be counted too. If you choose a UID that is already in use, useradd simply refuses to create the account (unless -o is given), so there is no risk of a duplicate.
  4. Choose the password. If the user is there with you, let him type it. Otherwise, use apg to generate a long, strong password. A very long initial password is usually a good way to make sure the user changes it soon; to force the change at first login, expire it with chage -d 0 mario.
# useradd -g users -u UID -n mario     # -n: no user-private group (Red Hat spelling; current shadow-utils use -N)
# apg -m16 -M NsCL                     # candidates of 16+ chars with digits, capitals and lowercase; symbols allowed
# passwd mario
# make -C /var/yp/                     # rebuild and push the NIS maps so other hosts see the account
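The four steps above as one checked script. This is an added example, not part of the original notes; it assumes the hosts described on this page (a Red Hat-style system with NIS maps in /var/yp, apg installed, ordinary users in UIDs 700-999), and the helper names username_ok, next_free_uid, create_user and the PASSWD_SRC override are mine. It checks the name and UID against getent passwd, so accounts that live only in NIS are seen as well as /etc/passwd, and it expires the initial password so the user must change it at first login.

```sh
#!/bin/sh
# Added example (not from the original notes). Wraps section 2.1 in checked
# helpers for a Red Hat-style host with NIS maps in /var/yp and apg installed.
# Names below (username_ok, next_free_uid, create_user, PASSWD_SRC) are assumed.

UID_MIN=700     # local rule from the notes: ordinary users get 700-999
UID_MAX=999

# The passwd database as NSS sees it (local file plus NIS), so a name or
# UID that exists only in the NIS maps is still detected. PASSWD_SRC may
# point at a file instead, for testing without touching a real host.
passwd_db() {
    if [ -n "${PASSWD_SRC:-}" ]; then cat "$PASSWD_SRC"; else getent passwd; fi
}

# username_ok NAME: lowercase letters, digits, '_' or '-', starting with a
# letter, at most 32 characters, and not already present in the database.
username_ok() {
    name=$1
    case $name in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#name}" -le 32 ] || return 1
    ! passwd_db | cut -d: -f1 | grep -qx "$name"
}

# next_free_uid: first unused UID in UID_MIN..UID_MAX, or status 1 if none.
next_free_uid() {
    used=" $(passwd_db | cut -d: -f3 | sort -n | tr '\n' ' ') "
    uid=$UID_MIN
    while [ "$uid" -le "$UID_MAX" ]; do
        case $used in
            *" $uid "*) uid=$((uid + 1)) ;;
            *) echo "$uid"; return 0 ;;
        esac
    done
    return 1
}

# create_user NAME [GROUP]: the four manual steps, run as root. The initial
# password is expired immediately so the user has to change it at first login.
create_user() {
    name=$1
    group=${2:-users}
    username_ok "$name" || { echo "refusing: bad or existing name '$name'" >&2; return 1; }
    uid=$(next_free_uid) || { echo "refusing: no free UID in $UID_MIN-$UID_MAX" >&2; return 1; }
    pw=$(apg -m16 -M NsCL -n 1)                 # one password, >=16 chars, digits+upper+lower
    useradd -g "$group" -u "$uid" -N "$name"    # -N: no user-private group (the notes' -n)
    printf '%s:%s\n' "$name" "$pw" | chpasswd
    chage -d 0 "$name"                          # force a password change at first login
    make -C /var/yp                             # rebuild and push the NIS maps
    echo "created $name (uid $uid, group $group); initial password: $pw"
}
```

Source the file and run create_user mario psi as root. username_ok and next_free_uid can be called on their own to vet a proposed name and see which UID would be used before anything is changed.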

2.2  Samba access

If the user needs access to the server via Windows file sharing (SMB/CIFS), add him to the Samba user database and assign a password. The Samba password is separate from the Unix password (Samba keeps its own NT-hash database), so the same considerations about strong passwords apply. The Unix account must already exist before smbpasswd -a is run.

# smbpasswd -a mario

2.3  Email - IMAP or aliasing

If the user does not have a local mailbox on this server, the sysadmin must set up an alias in /etc/aliases that forwards the account's mail to the user's real address, then rebuild the alias database and tell Postfix:

# vi /etc/aliases
# newaliases
# postfix reload

Otherwise the user gets a local IMAP mailbox: add him to the users_imap group and the fixUsers script takes care of the rest.

# usermod -a -G users_imap mario
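The alias step, as an added example that is not part of the original notes: an idempotent set_alias that replaces any existing entry for the name instead of appending a duplicate, and rewrites /etc/aliases in place so its ownership, mode and SELinux context are kept. The function names and the activate_alias/enable_imap wrappers are mine; the live commands they run are the ones from the notes.

```sh
#!/bin/sh
# Added example (not from the original notes). Helper names are assumed.

# set_alias FILE NAME TARGET: make FILE (an /etc/aliases-style file) map NAME
# to TARGET, replacing any existing entry for NAME. Safe to run repeatedly.
set_alias() {
    file=$1 name=$2 target=$3
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
    tmp=$(mktemp)
    # keep every line except an existing "name: ..." entry
    grep -v "^$name:" "$file" > "$tmp" || true      # grep -v exits 1 when nothing is left
    printf '%s: %s\n' "$name" "$target" >> "$tmp"
    cat "$tmp" > "$file"       # write through the existing inode: owner, mode and context survive
    rm -f "$tmp"
}

# lookup_alias FILE NAME: print NAME's target, return 1 if there is none.
lookup_alias() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | grep .
}

# activate_alias NAME TARGET: the live steps from the notes, run as root.
activate_alias() {
    set_alias /etc/aliases "$1" "$2"
    newaliases
    postfix reload
}

# enable_imap NAME: local mailbox instead; the fixUsers script does the rest.
enable_imap() {
    usermod -a -G users_imap "$1"
}
```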

2.4  Completing the setup

# /usr/local/sbin/

This script adjusts permissions and the SELinux context of the home directory and creates the accessory directories. See the script itself for details.

2.5  Web home directories

If the user needs a personal web home (please discourage this and suggest a private WikiSite instead), the public_html directory must carry the right SELinux type (httpd_user_content_t, or httpd_sys_content_t for system content), must be readable by apache, and the home directory itself must be searchable (execute bit) by apache, though it does not need to be readable. On an SELinux host apache will also refuse to serve ~/public_html unless the httpd_enable_homedirs boolean is on.

The fixUsers script takes care of these settings if it finds a public_html directory in the user's home. Done by hand:

# chcon --no-dereference -R -t httpd_user_content_t /home/mario/public_html/   # set the type; symlinks are left alone
# chmod -R o+rX /home/mario/public_html/                                      # files readable, directories searchable
# chmod o+x /home/mario                                                       # apache may traverse, but not list, the home
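A check for the three conditions above, as an added example that is not part of the original notes or of the fixUsers script. check_web_home reports which of the home-directory search bit, world-readability under public_html and SELinux type is missing; fix_web_home applies the commands from the notes. The function names are mine, and the SELinux part is skipped when SELinux is not active, so the permission checks can be tried on any host.

```sh
#!/bin/sh
# Added example (not from the original notes). Function names are assumed.

# check_web_home HOME: print every problem found, return 1 if there was any.
check_web_home() {
    home=$1
    pub=$home/public_html
    rc=0
    [ -d "$pub" ] || { echo "$pub: no such directory"; return 1; }

    # apache needs execute (search) on the home, but not read
    case $(stat -c %A "$home") in
        *x) ;;
        *) echo "$home: not searchable by others (need chmod o+x)"; rc=1 ;;
    esac

    # every file must be o+r, every directory o+rx (what chmod -R o+rX yields)
    bad=$(find "$pub" \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=rx \))
    if [ -n "$bad" ]; then
        echo "not world-readable under $pub:"; echo "$bad"; rc=1
    fi

    # SELinux type of public_html, only when SELinux is active on this host
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        ctx=$(stat -c %C "$pub")
        case $ctx in
            *:httpd_user_content_t:*|*:httpd_sys_content_t:*) ;;
            *) echo "$pub: SELinux type is $ctx, expected httpd_user_content_t"; rc=1 ;;
        esac
    fi
    return $rc
}

# fix_web_home HOME: the three commands from the notes, run as root.
# restorecon -R would set the same type, since the targeted policy maps
# /home/*/public_html to httpd_user_content_t by default.
fix_web_home() {
    home=$1
    chmod o+x "$home"
    chmod -R o+rX "$home/public_html"
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        chcon --no-dereference -R -t httpd_user_content_t "$home/public_html"
    fi
}
```

Run check_web_home /home/mario after fixUsers, or after a user has unpacked files with restrictive modes, to see why apache returns 403 before touching anything.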
