From: Martin Zobel-Helas Date: Sat, 14 Apr 2012 14:11:42 +0000 (+0200) Subject: Merge branch 'master' of git+ssh://db.debian.org/git/dsa-wiki X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=4ba7b28090d093549593965c9c18e95b5e10e71f;hp=00bfb49113562cae8f70c8fbf5888084161cc03a;p=mirror%2Fdsa-wiki.git Merge branch 'master' of git+ssh://db.debian.org/git/dsa-wiki * 'master' of git+ssh://db.debian.org/git/dsa-wiki: removing redundant link updated add-account for guest-account -> debian-account completed add-account wiki entry started howto for add-account dchroot: revert OBSOLETE tags, keep steps for dchroot backup: beethoven's SSH is being done automatically nowadays change nm frontdesk address mark a few things as obsolete proc mount stuff --- diff --git a/input/doc/guest-account.creole b/input/doc/guest-account.creole index da915e1..3f90d69 100644 --- a/input/doc/guest-account.creole +++ b/input/doc/guest-account.creole @@ -10,7 +10,7 @@ The final decision about account creation remains with DSA. DMs (i.e. people who have their key in the debian-maintainers keyring) or people already in the NM process may route their request through the -NM-frontdesk. +NM-frontdesk. The following information should be provided to frontdesk: diff --git a/input/howto/add-account.creole b/input/howto/add-account.creole new file mode 100644 index 0000000..8b3ad78 --- /dev/null +++ b/input/howto/add-account.creole 
@@ -0,0 +1,82 @@ +== add an account to ud-ldap == + +=== Introduction === + +A Debian Account Manager (DAM) will submit an RT ticket to ask that an account +be created for a new member of the Debian Project. + +Initially, the RT ticket will be assigned to a Debian Keyring Maintainer (DKM) +so that Debian's Keyring may be updated with the user's GPG key. + +Subsequently, the RT ticket will be assigned to a Debian System Administrator +(DSA) so that Debian's LDAP may be updated. + +This HOWTO documents DSA's actions relating to account creation. + +The RT ticket will contain the following details in a GPG-signed message: +* the user's account type ("uploading DD") +* the user's GPG key fingerprint +* the user's full name (first name, middle name, last name) +* the user's forwarding address +* the user's preferred account name + +=== Procedure for New Accounts === + +Step 1: Download the GPG-signed message from RT and verify the signature. +Ensure that the message has been signed by a DAM (for a list of DAMs, see +http://wiki.debian.org/DAManager or http://www.debian.org/intro/organization). + +Step 2: Create an entry in LDAP by executing ud-useradd on draghi. + +{{{ + you@home~$ ssh you@db-master.debian.org + you@draghi~$ ud-useradd +}}} + +You will be prompted to enter the fingerprint; the preferred account name; the +first, middle and last names; and the forwarding address. Some of these values +will be extracted from the GPG key, if available. + +Use the @debian.org for the debian-private subscription. + +Accept the randomly generated password. + +Step 3: Confirm account creation. + +Step 4: Resolve the RT ticket. Enter the 'final information collected' emitted +by ud-adduser as the message of the resolution action. Carbon copy the +forwarding address and da-manager@debian.org. + +=== Procedure for Upgrading Guest Accounts === + +Step 1: same as above + +Step 2: Remove the GPG key from guest-keyring. 
+ +{{{ + you@home~$ sudo apt-get install jetring + you@home~$ git clone ssh://db.debian.org/git/guest-keyring.git + you@home~$ cd guest-keyring + you@home~$ ./del-key + you@home~$ git status + you@home~$ git add debian-guest/delete- + you@home~$ git commit -a +}}} + +Step 3: Modify the LDAP entry. + +{{{ + you@draghi~$ export EDITOR=vim + you@draghi~$ ldapvi -ZZ -D uid=,ou=users,ou=debian,ou=org + find account + set gidNumber: 800 + add privateSub: @debian.org + del allowedHost + del shadowExpire +}}} + +Step 4: Email welcome-message-800 to the user, substituting parameters. + +Step 5: Resolve the RT ticket. Carbon copy the forwarding address and +da-manager@debian.org. + diff --git a/input/howto/backup.creole b/input/howto/backup.creole index 2fa7b15..0e64bb1 100644 --- a/input/howto/backup.creole +++ b/input/howto/backup.creole @@ -41,11 +41,8 @@ Directories: * install da-backup on the client * create a crontab that runs da-backup daily at some convenient time * configure the directories in {{{/etc/da-backup}}} -* install the public host key of the server with a proper command in - puppet {{{modules/ssh/templates/authorized_keys.erb}}} for beethoven. Do a puppetrun on beethoven. - (This might get done automatically eventually.) * configure how many copies of the directory should be kept in - {{{/etc/da-backup-manager/}}} + beethoven's {{{/etc/da-backup-manager/}}} * run {{{da-backup -v}}} on the client to see if it all works. diff --git a/input/howto/dchroot.creole b/input/howto/dchroot.creole index a543ac4..59403a1 100644 --- a/input/howto/dchroot.creole +++ b/input/howto/dchroot.creole 
@@ -72,11 +72,11 @@ EOF # least "en_US.UTF-8 UTF-8" and "en_US ISO-8859-1".) # #*) setup nsswitch.conf to properly use the ldap stuff - apt-get install libnss-db && - sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/; - s/^group:\[[:space:]]\+compat$/group: db compat/; - s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \ - /etc/nsswitch.conf + # [dchroot]: apt-get install libnss-db && + # sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd: compat db/; + # s/^group:\[[:space:]]\+compat$/group: db compat/; + # s/^shadow:\[[:space:]]\+compat$/shadow: compat db/' \ + # /etc/nsswitch.conf # # # *) @@ -95,14 +95,14 @@ EOF apt-get update && apt-get upgrade # # *) - mount /proc && debfoster && umount /proc + mount -t proc none /proc && debfoster ; umount /proc # # *) # exit the chroot exit }}} -* edit /etc/fstab on the system root and add entries to mount /proc and /home +* [dchroot only] edit /etc/fstab on the system root and add entries to mount /proc and /home in the chroot, there will be existing ones for the other chroots, just copy and adjust. Then mount them (from the system root). {{{ 
@@ -128,14 +128,12 @@ adjust. Then mount them (from the system root). : tmp /srv/albeniz.debian.org/chroot/sid/tmp none bind,defaults }}} -* edit /etc/dchroot.conf in the system root, add an entry for $DIST, and -update the stable and testing pointers +* [schroot] set up /etc/schroot/chroot.d/ correctly. + [dchroot]: edit /etc/dchroot.conf in the system root, add an entry for $DIST, and update the stable and testing pointers -* run ud-replicate so the new chroot is setup (this would happen via cron eventually, this is just to speed things up) +* [dchroot]: run ud-replicate so the new chroot is setup (this would happen via cron eventually, this is just to speed things up) {{{ ud-replicate }}} -* as a normal user, test that the new chroot works: "dchroot $DIST", test that the stable and testing pointers work. - --- taggart 2007, slightly modified by weasel 2007, 2008, ported to wiki 2010. +* as a normal user, test that the new chroot works: "dchroot $DIST" or "schroot $DIST", test that the stable and testing pointers work. diff --git a/input/index.mdwn b/input/index.mdwn index dedaf8e..52cdd9f 100644 --- a/input/index.mdwn +++ b/input/index.mdwn @@ -45,10 +45,10 @@ VCS repositories for ud-ldap and all our other stuff can be found at * [[howto/install-kvm]]: How to setup a new kvm domain without going through d-i etc. * [[howto/postgres]]: Random postgres stuff * [[howto/add-guest]]: How to add guests to ud-ldap +* [[howto/add-account]]: How to add accounts to ud-ldap / upgrade guest accounts * [[howto/swarm-kernel]]: How to build kernels for our swarm boxes * [[howto/drac-reset]]: How to beat the radacm rootk^Wbinary only software. * [[howto/dchroot]]: porter chroots setup -* [upgrade guest-accounts](https://rt.debian.org//Ticket/Display.html?id=2054): How to promote a guest account to a real DD account ## ports
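Review bot: In input/howto/add-account.creole, Step 1 of "Procedure for New Accounts" has the admin confirm that the signer is a DAM by consulting two pages linked over plain http://, which makes an unauthenticated web page the trust anchor for account creation. Suggest naming the keyring or fingerprint list the signing key must be checked against and showing the verification command in a {{{ }}} block like the other steps. In the same hunk, Step 2 runs ud-useradd while Step 4 refers to output "emitted by ud-adduser"; one of the two names needs correcting. As shown here, "Use the @debian.org for the debian-private subscription", "./del-key", "git add debian-guest/delete-" and "uid=,ou=users,ou=debian,ou=org" each read as if a placeholder is missing, so the value to substitute should be named explicitly.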
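Review bot: In input/howto/backup.creole, removing the bullet about modules/ssh/templates/authorized_keys.erb leaves the checklist with no mention of how the key gets authorized on beethoven. The commit message says this is now done automatically; suggest keeping a one-line bullet that states so and names where it is managed, so that someone whose "da-backup -v" run fails knows where to look.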
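Review bot: In input/howto/dchroot.creole (hunk at -72,11), prefixing the libnss-db install and the sed lines with "# [dchroot]:" makes a step that dchroot setups still need look like the surrounding explanatory comments, and it can no longer be pasted as written. Suggest leaving the command uncommented beneath a comment line saying it applies to dchroot only, or moving it into a separate dchroot-only block.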
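Review bot: In input/howto/dchroot.creole (hunk at -95,14), "mount -t proc none /proc && debfoster ; umount /proc" now runs umount even when the mount itself failed, because only debfoster is guarded by the &&. Suggest grouping the two, for example "mount -t proc none /proc && { debfoster ; umount /proc ; }", which still unmounts after a failing debfoster. The tag on the fstab bullet is written "[dchroot only]" here but "[dchroot]:" elsewhere in this patch; pick one form.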
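Review bot: In input/howto/dchroot.creole (hunk at -128,14), the new bullet "[schroot] set up /etc/schroot/chroot.d/ correctly." does not say what a correct entry contains, so the schroot path is not followable from this page. Suggest listing the required settings or pointing at an existing entry to copy, as the fstab step does with "just copy and adjust". The "[dchroot]:" line beneath it has no bullet of its own, and the ud-replicate step is tagged dchroot-only without saying whether schroot setups need it. This hunk also drops the attribution line "-- taggart 2007, slightly modified by weasel 2007, 2008, ported to wiki 2010."; please confirm that removal is intended.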