Installing the UserAdm kit involves three steps:
- Downloading UserAdm onto your system
- Confirming that you have a valid Kerberos srvtab file
- Completing local system changes to support the UserAdm toolkit
The steps are described in detail below.
If the UserAdm toolkit is already installed on your system and you are simply upgrading it, you may stop after steps 1 and 2; your local customizations will not be affected by installing version 2.4 of the UserAdm kit.
New installations of UserAdm require completion of steps 1, 2, and 3.
1. Obtaining UserAdm from the Application Server
- cd to the package directory: cd /usr/local/IT/useradm-2.4
- From inside the UserAdm package directory, run the pkg.install script. You must specify a destination; we recommend /usr/local (which will place the UserAdm tools into /usr/local/uid):
(The directory name on your system may not be identical. If the version number of the useradm package has changed, the directory name will change accordingly.)
2. Confirm that you have a valid Kerberos srvtab file
To increase the security of campus services, the tools in UserAdm 2.4 now use Kerberos authenticated connections when communicating with the BU.EDU servers. To make this type of secure connection, a system must have a Kerberos srvtab file which contains a specially encrypted key used to authenticate your system. Unless your system has a valid Kerberos srvtab file, new, approve and other tools in the UserAdm 2.4 kit will not work.
Because it is used to make secure connections with the campus servers, the Kerberos srvtab must be protected as though it contained a password. First, it must be generated here at Information Services & Technology. Second, the file permissions on your Kerberos srvtab file must prevent users on your system from seeing the contents of the file:
yoursystem# ls -l /etc/krb-srvtab
-rw-r----- 1 root new 73 Jun 15 1997 /etc/krb-srvtab
Please contact firstname.lastname@example.org for assistance if you don’t have a valid /etc/krb-srvtab file.
Once the package is installed, you must make a few changes to your system:
- Create an account named new. Create the account by editing the /etc/passwd file and adding the following line. This account should have no password, and should have the new program as its shell:
new::3616:3616:Welcome:/usr/local/uid:/usr/local/uid/new
- Check that the permissions for /etc/passwd are set to 644.
- Make sure the home directory for new is fully protected from misuse:
(note: /usr/local/uid is the home directory)
- Add new to the /etc/ftpusers file to prevent anyone from ftp-ing into your system as user new.
- For Solaris 2.X systems, set up new so a password isn’t required by editing /etc/default/login and changing
PASSREQ=YES to PASSREQ=NO
- Make sure the home directory for new is owned by the appropriate UID:
chown new /usr/local/uid
- Create a group named new, and add to this group anyone who is expected to run the approve program.
- Make sure all the files in /usr/local/uid are owned by group new:
chgrp -R new /usr/local/uid
- Add or edit a crontab entry that will run the deliver program every night. See ‘man crontab’ for information on editing crontab files; for now, note that you must be root and you must use ‘crontab -e’ to edit the crontab file. Also note that for machines set up as clients, this line should remain commented out. For example:
15 01 * * * /usr/local/uid/deliver
Delivery may also be started up from a nightly script on your system.
- Customize the UserAdm configuration files for your system.
- Using /usr/local/uid/config.sample as an example, create the file /usr/local/uid/config and
- Using /usr/local/uid/help.sample as an example, create the file /usr/local/uid/help to provide customized introductory information for people running the new program on your system.
- Using /usr/local/uid/adduser.sample as an example, create the file /usr/local/uid/adduser to create an account on demand.
- Send mail to email@example.com to register yourself as a UserAdm system administrator for your system.
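
The file settings from steps 2 and 3 can be checked after installation with a short script. This is an added example, not part of the UserAdm kit: the function names and the optional root-prefix argument are assumptions, and it checks modes and file contents only, not ownership.

```shell
#!/bin/sh
# Added example, not part of the UserAdm kit. The prefix argument to
# audit_useradm is an assumption for testing; omit it to audit the live system.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The srvtab holds the host key: no access for "other", at most read for
# group (the page shows -rw-r----- root new).
check_srvtab() {
    m=$(mode_of "$1" 2>/dev/null) || { echo "FAIL: cannot stat $1" >&2; return 1; }
    case "$m" in
        [0-7][04]0) return 0 ;;
        *) echo "FAIL: $1 mode $m exposes the key" >&2; return 1 ;;
    esac
}

# /etc/passwd must be mode 644 and carry exactly one entry for "new" whose
# home and shell match the page; the account has no password, so the shell
# being the new program is what confines it.
check_passwd() {
    [ "$(mode_of "$1" 2>/dev/null)" = 644 ] ||
        { echo "FAIL: $1 is not mode 644" >&2; return 1; }
    awk -F: '$1 == "new" { n++; ok = ($6 == "/usr/local/uid" && $7 == "/usr/local/uid/new") }
             END { exit !(n == 1 && ok) }' "$1" ||
        { echo "FAIL: entry for new in $1 has the wrong home or shell" >&2; return 1; }
}

# "new" must be listed in ftpusers so the passwordless account cannot FTP in.
check_ftpusers() {
    grep -qx 'new' "$1" 2>/dev/null ||
        { echo "FAIL: new is missing from $1" >&2; return 1; }
}

# Run every check, report all failures, return non-zero if any failed.
audit_useradm() {
    root=${1:-}
    rc=0
    check_srvtab   "$root/etc/krb-srvtab" || rc=1
    check_passwd   "$root/etc/passwd"     || rc=1
    check_ftpusers "$root/etc/ftpusers"   || rc=1
    return $rc
}
```

Run audit_useradm as root with no argument after completing step 3; each failed check prints a FAIL line to standard error.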