Segolip's unit has many customers who use the HPC to analyze data from the labs. Segolip has several administrative users who are in charge of copying data to/from the HPC and into the proper customers' folders. These administrators have read/write access to the root of the Segolip data, under which they will move data to the appropriate places for their customers to access. Customers are not allowed to write in these folders, so they must use the data where it is, or copy it somewhere else in order to use it.
Customers have shell accounts and samba accounts.
Instruct Samba to keep samba passwords in sync with Unix passwords. That is, when a Samba user changes their password, their corresponding Unix password changes too.
Add or uncomment the following lines in the [global] section of Samba's config:

    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
Add the groups first so we can add users directly to their groups when we create user accounts. We create the group then create their storage folder with the proper permissions.
    # groupadd icipe
    # mkdir /export/home/segoli/ICIPE
It is important to change the permissions so that other users cannot access the folder (o-rwx) and to set the setgid bit (g+s) so that any file or folder created inside it inherits the directory's group rather than the creator's primary group. This reduces confusion for lazy/inexperienced admins.
    # chown -R segoliadmin:icipe /export/home/segoli/ICIPE
    # chmod o-rwx,g+s /export/home/segoli/ICIPE
To use Samba a user must also have a Unix account. Create the Unix account and add the user to any required groups before you attempt to create the Samba account.
Add the user:
    # useradd mkyalo
In /etc/passwd, add the real name and organization to the comment (GECOS) field of the user's entry. See before and after:

    -- before --
    mkyalo:x:755:755::/export/home/mkyalo:/bin/bash
    -- after --
    mkyalo:x:755:755:Martina Kyalo,IITA:/export/home/mkyalo:/bin/bash
Add the user to the appropriate groups. For example, the above user is part of the iita group (and that group already exists):

    # gpasswd -a mkyalo iita
    Adding user mkyalo to group iita
    # id mkyalo
    uid=755(mkyalo) gid=755(mkyalo) groups=755(mkyalo),10003(iita)
Set the user's Unix and Samba passwords:
    # passwd mkyalo
    # smbpasswd -a mkyalo
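The group-folder steps above, as an added example that is not part of the original page: a helper that creates a customer folder with the setgid bit set and "other" locked out, plus an audit function that confirms a folder really has those bits (useful for checking existing folders). It assumes GNU coreutils (stat -c); owner and group are placeholders, and chown is skipped when the group does not exist on the machine so the script also runs as a non-root user.

```shell
#!/bin/sh
# setup_group_dir DIR OWNER GROUP
# Create DIR, give it to OWNER:GROUP (when GROUP exists), then apply the
# page's "chmod o-rwx,g+s" so new files inherit the group and stay hidden
# from other users. OWNER/GROUP are placeholders (e.g. segoliadmin:icipe).
setup_group_dir() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir" || return 1
    # chown needs root on a real system; skip it if the group is unknown here
    if getent group "$group" >/dev/null 2>&1; then
        chown "$owner:$group" "$dir" || return 1
    fi
    chmod o-rwx,g+s "$dir"
}

# audit_group_dir DIR
# Return 0 only if DIR is a directory with the setgid bit set and no
# read/write/execute permission for "other"; report what is wrong otherwise.
audit_group_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # POSIX test -g: true when the set-group-ID bit is set
    [ -g "$dir" ] || { echo "$dir: setgid bit missing" >&2; return 1; }
    mode=$(stat -c '%a' "$dir")        # e.g. 2770 (GNU stat)
    case $mode in
        *0) return 0 ;;                # last octal digit is "other"
        *)  echo "$dir: other has access (mode $mode)" >&2; return 1 ;;
    esac
}

# Stand-alone demo in a scratch directory, using the current user's own group.
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    setup_group_dir "$scratch/ICIPE" "$(id -un)" "$(id -gn)"
    audit_group_dir "$scratch/ICIPE" && echo "ICIPE folder OK"
    rm -rf "$scratch"
fi
```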
It is very important to synchronize the user and group information from the head node to the compute nodes. Rocks has a command for this:
    # rocks sync users
This will automatically copy:

    - /etc/passwd, /etc/shadow to the compute nodes
    - /etc/group, /etc/gshadow to the compute nodes
    - /etc/auto.home
Set the extended ACL so that anyone in the segoliadmin group can enter and modify the directory:
    # setfacl -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/
Set the default ACL so that files/folders inside the folder inherit the same extended ACL as the parent (this is the -d):
    # setfacl -d -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/
View the result on one folder:
    # getfacl ICRISAT/
    # file: ICRISAT
    # owner: segoliadmin
    # group: icrisat
    user::rwx
    group::r-x
    group:segoliadmin:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:group::r-x
    default:group:segoliadmin:rwx
    default:mask::rwx
    default:other::---
In addition to the minimum ACL (the "minimum" ACL is the normal Unix permissions of user, group, other), the extended ACLs include:

    - segoliadmin can read, write, and execute on the directory
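An added example, not from the original page, that checks getfacl output for the properties the steps above establish: the admin group (assumed to be segoliadmin, as on the page) has rwx both as an access entry and as a default entry, the mask entries do not clamp that to less than rwx, and "other" is denied in both. The sample ACL text is constructed from the getfacl output shown on the page; the second sample shows a folder where the default ACL was never set.

```shell
#!/bin/sh
# acl_has ACLTEXT ENTRY : 0 if ENTRY appears as a whole line in ACLTEXT
acl_has() {
    printf '%s\n' "$1" | grep -qx -- "$2"
}

# check_acl ACLTEXT ADMINGROUP
# Verify the access ACL and the default ACL both grant ADMINGROUP rwx,
# that the mask entries are rwx (a narrower mask silently reduces the
# effective group permissions), and that "other" gets nothing either way.
check_acl() {
    acl=$1; admin=$2; rc=0
    for entry in "group:$admin:rwx" "default:group:$admin:rwx" \
                 "mask::rwx" "default:mask::rwx" \
                 "other::---" "default:other::---"; do
        if ! acl_has "$acl" "$entry"; then
            echo "missing ACL entry: $entry" >&2
            rc=1
        fi
    done
    return $rc
}

# check_dir_acl DIR ADMINGROUP : the same check against a real directory
# (needs the acl package installed and a filesystem with ACL support)
check_dir_acl() {
    check_acl "$(getfacl -p "$1" 2>/dev/null)" "$2"
}

# Constructed sample: the page's getfacl output for ICRISAT/.
SAMPLE_OK='# file: ICRISAT
# owner: segoliadmin
# group: icrisat
user::rwx
group::r-x
group:segoliadmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:segoliadmin:rwx
default:mask::rwx
default:other::---'

# Constructed sample: the same folder before "setfacl -d" was run.
SAMPLE_NO_DEFAULT='# file: ICRISAT
user::rwx
group::r-x
group:segoliadmin:rwx
mask::rwx
other::---'
```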
Add the following share definitions to /etc/samba/smb.conf. One for Segolip and another one for each of their groups (the parameter is spelled "read only" in smb.conf):

    [segolip]
    comment = Segolip group data
    path = /export/home/segoli
    read only = no
    valid users = @segoliadmin
    force user = segoliadmin

    [icipe]
    comment = Segolip/ICIPE data
    path = /export/home/segoli/ICIPE
    read only = yes
    valid users = @icipe
The "force user" directive tells Samba to treat anyone using that share as the 'segoliadmin' Unix user in the file system.
The Samba Web Administration Tool allows you to modify Samba settings from a web interface, including changing user passwords. We need to install and configure SWAT to allow users to log in and change their passwords.
Install SWAT using yum:
    # yum install samba-swat
SWAT does not run as a daemon; instead it is launched by xinetd. xinetd listens on SWAT's behalf and starts swat when someone connects. Edit SWAT's xinetd service file so that it looks like this:

/etc/xinetd.d/swat:

    # default: off
    # description: SWAT is the Samba Web Admin Tool. Use swat \
    #              to configure your Samba server. To use SWAT, \
    #              connect to port 901 with your favorite web browser.
    service swat
    {
        port            = 901
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        server_args     = -P
        log_on_failure  += USERID
        disable         = no
    }
Make sure you change the "server_args" and the "disable" lines! The "-P" makes it so non-root users can only see the password change page when they log into SWAT. Then restart xinetd:
    # /etc/init.d/xinetd restart
SWAT can be accessed here: http://hpc.ilri.cgiar.org:901
Change a user's password by logging into SWAT as root.
In order to access Segolip storage on the HPC a user first needs an account on the HPC (user/password created by the system administrator). After that the procedure is as follows: