The Support FAQ
gives help for staff and students of Informatics.
Quotas are 1Gb for all undergrads and MSc students, 5Gbs for PhD students.
Please do not increase a student quota just because they have run out of space. They should be encouraged to log in at a text login and delete files.
Fourth year undergrads and MSc students can have their quotas increased only for their project but the request must be endorsed by their supervisor. Please don't give extra quota if there is not enough space on the partition to accommodate it.
The staff quota of 5Gbs is there as a notional limit to help with housekeeping and disk management. It can be increased at any time. Again, make sure there is enough room on the partition.
Useful commands (to be run as 'asu' only on machines with tools installed) are:
The old Account Management Documentation is still available here, which contains info about policy and high level procedures.
October 2010
Account creation is now an automatic process. As it is driven from the School Database, it is even more important that the db entry is correct.
Email is sent out twice a day to the support team with the list of accounts that have been created but which have not yet had their initial password printed out. Accounts will not appear on this list until the start date in the database.
When we receive a request for an account, the following needs to be done:
Mail accounts will be of the form:-
uun@staffmail.ed.ac.uk
Users can still advertise their email address as uun@inf.ed.ac.uk but it will be automatically forwarded to their staffmail account. Until there is a script or some automatic method of creating the forwarding it should be done in the following way:-
On nutty as root:-
cd /opt/sendmail
co -l aliases-staffmail
edit aliases-staffmail
ci -u aliases-staffmail
make
The user should be subscribed to sys-announce and seminars. On
mail.inf.ed.ac.uk as mailman do:
/var/mailman/bin/add_members -r - sys-announce
enter the email address(es) and Ctrl-D to finish. Repeat for
seminars.
More info on using staffmail is available here.
AFS Username change but keeping the same UID
Most of the steps are the same as Changing a Username, except that the user volume name and PTS database entry need to be updated with the new uun. The example below is for changing a username from kr to kreid5.
Briefly:-
vos exam user.lmb
vos remove -verbose sphinx /vicepx user.lmb.readonly
vos remove -verbose phoenix /vicepx user.lmb.readonly
vos move -verbose user.lmb sphinx /vicepx sphinx /vicepxx
vos backup -verbose user.lmb
vos addsite -verbose sphinx /vicepxx user.lmb
vos addsite -verbose phoenix /vicepxx user.lmb
vos release -verbose user.lmb
This can be done without the need for the user to log out.
/usr/sbin/vos listvldb -server phoenix -part viceph | grep user
Partitions are 50GB so there should be a maximum of 10 users per partition. (On some there will be fewer since some users have a quota of more than 5GB - check the progress table on the Services wiki.)
1. Run the create_afsuser command (as if for a new user, as per Roger's notes.)
2. rsync the files. First of all find the machine that the nfs directory is on. Then, on that machine:
qxprof rsync.gentry_allow
This gives a list of machines that you'll be able to rsync from.
On one of those machines, as yourself, do the 'asu' bit and then
'nsu' (if you don't 'nsu', then files will be owned by your admin
principal!). After that, do:
rsync -avz <nfs-server-name>::<home_partition>/<username>/ <afs-path-name>
e.g.
rsync -avz phoenix::ptn006/mmarina/ /afs/inf.ed.ac.uk/user/m/mmarina
Note: remember the trailing '/' at the end of the nfs argument.
Missing this out would create an extra mmarina directory!
3. Update ldap
/usr/sbin/update_user -afsdir /afs/inf.ed.ac.uk/user/m/mmarina mmarina
When you disable an account by renaming the home directory eg lmb to
lmb-mv.to.afs this triggers a complete backup.
This causes the backups to be bigger than they need be.
The solution is to create a .nsr file in the top level of the home
directory.
Please remember to remove it if you enable the account again.
The .nsr file needs to contain
+skip: *
4. Check the afs home directory for links created during the move which point to platspec/DotFiles. Delete these links (especially the ones relating to gnome config as they will be broken and produce a grey screen when user logs on).
It's also recommended to compare quota usage before and after the move as some types of compressed directories can unpack during rsync.
To change an existing user's password:-
kadmin: cpw lmb
Enter password for principal "lmb":
Re-enter password for principal "lmb":
Password for "lmb@INF.ED.AC.UK" changed.
kadmin: cpw lmb/admin
Enter password for principal "lmb/admin":
Re-enter password for principal "lmb/admin":
Password for "lmb/admin@INF.ED.AC.UK" changed.
To add a new user password:-
/usr/kerberos/sbin/kadmin
Authenticating as principal rwb/admin@INF.ED.AC.UK with password.
Password for rwb/admin@INF.ED.AC.UK:
kadmin: add_principal newuser
Enter password for principal newuser:
Re-enter password for principal newuser:
kadmin: add_principal newuser/admin
Enter password for principal newuser/admin:
Re-enter password for principal newuser/admin:
When new taught courses are created, students who enrol on those courses will get a primary role in LDAP of the form module-<new-course-code>. However it is usually the case that the role record has not yet been created and this is reported as an error by the buildcaps script and sent by cron to root on the master ldap server. A similar thing happens (although it is far rarer) if new degrees or classes are created; the missing degree-<new-degree-code> or class-<new-class-code> role needs to be created.
The root mail for the ldap master server (in the shared IMAP folder sysman/rootmail) should be checked every few days for mail from cron with output from the command
/usr/bin/k5start -f /etc/krb5.keytab ldaptrigger/franklin.inf.ed.ac.uk /usr/bin/buildcaps
Error messages will detail any missing (i.e. undefined) roles. Any missing primary roles should be created so that they are similar to existing roles of the same type.
If the missing role is one of a type that you don't recognise then check to see whether it is a secondary role and if it is then don't create the missing role since it might be an erroneously added secondary role.
You can check which roles exist of type foo by running the command:
ldapsearch -b "ou=Roles,dc=inf,dc=ed,dc=ac,dc=uk" 'cn=foo*' cn
To create a missing role, for example the course role module-caa, use rfe with a template taken from an existing course role such as module-ad. Execute the command:
rfe -n -t roles/module-ad roles/module-caa
and edit the new roles file to change the course name of the template, ad in this example, to the name of the new course, caa in this example. References to any other roles within the template need to be edited accordingly.
Non-staff who require access (Teaching Assistants) should be given the secondary role submit. Documentation on using the practical submission system is here: Practical Submission Guide
Non-staff who require access (Teaching Assistants) should be given the secondary role examprep. This gives them the crucial capability "login/staff/examprep"
Give the user the secondary role beowulfuser. Make a directory for the user on illustrious:/gpfs/home
Once the role has propagated, check they appear in ValidUsers on illustrious using qmon tool. Usually you will have to push this, as root with this command:
qconf -au <username> validusers
First log onto illustrious, run qmon and kill the jobs (you may have to force them).
In the services unit's (former mail team) documentation page: available here.
Official documentation available here.
Informatics Mail has the facility to let a group of users read the mail in a shared mail account. The instructions for setting these up are available on the services-unit's documentation at: https://wiki.inf.ed.ac.uk/DICE/SharedMailbox. However, the services unit would prefer to continue to set these up themselves. Once this is set up it appears under "#shared".
The request should come from the School and go to postmaster@ed.ac.uk
Please note the following taken from the IS policy page:
User Documentation is available here.
A publishing account is required. The application form is available here.
This form creates an RT ticket in the support queue. Check that the request is from a staff member or Teaching Assistant.
Add the user to $CVSROOT/conf/access/passwd.staff (via CVS) after checking that they are indeed staff and that they have provided their dice UUN.
They should be directed to: IS wiki service.
If they have to have an Informatics wiki then they should be directed to: https://wiki.inf.ed.ac.uk/TWiki/TWikiAccessControl
especially the notes at: https://wiki.inf.ed.ac.uk/TWiki/TWikiAccessControl#Informatics_Notes
Adding a new wiki is a web based operation at Managing Webs.
Under Adding a New Wiki Web, fill in the name, description and Use to fields. Click Create New Web. The new web will be available at: https://wiki.inf.ed.ac.uk/[MyNewWeb]/WebHome.
To create a new group (optional) for access control go to TWikiGroups.
Enter the new Group name and click add. You will automatically be the
only member of that group, so you will need to set it to the
requestor's wiki name instead.
To change the name, go to the new group page at
https://wiki.inf.ed.ac.uk/Main/[MyNewGroup]. Click Edit at the top left
of the page. Set GROUP = Main.[RequestorsName].
You can still do this even if they have not registered yet at:
TWikiRegistration
All users will need to register, and the requestor will be able to
add people to the group. If the requestor wants to restrict access to
the wiki web, then edit the webpreferences accordingly. An example of a
very restricted web, so that non-members of the group cannot even view
the pages (except we can as administrators) is
PASTA.
To create a URL such as http://groups.inf.ed.ac.uk/euphoria/
[gecko]joxley/admin: chown root:root /afs/inf.ed.ac.uk/group/project/euphoria/html
Set the ACLs so that the web server has list access to the top level, then read and list for the html subdir
[gecko]joxley/admin: fs setacl /afs/inf.ed.ac.uk/group/project/euphoria system:groupwebserver l
[gecko]joxley/admin: fs setacl /afs/inf.ed.ac.uk/group/project/euphoria/html system:groupwebserver rl
[toaster]root: cd /disk/data/httpd/groups
[toaster]root: ln -s /afs/inf.ed.ac.uk/group/project/euphoria/html euphoria
AFS users have a directory in their homedirectory called Yesterday.
!network.ipaddr_eth0 mSET(DHCP)
at the same time change the live wire header to the new wire.
qxprof network.ipaddr_eth0
nslookup machine name
Shared areas are for groups of people to have access to the same files. This can be for
teaching purposes, collaborative working or arranging a conference. It depends on the
nature of usage as to how restrictive access needs to be. You can set up a shared area
without setting up a new group. eg /group/support/support-team is a shared area for
support for which the group is sysmans.
1. Choose the Group Name.
The name is usually the name of the project or conference or teaching module or
similar. Have a look in the groups file for inspiration. Throughout this example
the group is called cs3 and the GID is 10101.
2. Create the group name to GID mapping: rfe groups and add a line, eg. "cs3 10101".
This associates the name of the group with its group identity number
You should all now be able to "rfe amdmap/group" to add things to the /group hierarchy.
The format of the file is explained in the comment at the top. Please
be careful! Ask for help if you're unsure...
3. On a fileserver create the group directory on some partition somewhere, it will then
be visible from a DICE machine as, eg: /amd/partition/ptnxxx/cs3
There is a file in the support area called "partitions" which lists (not definitively)
what each partition is used for. On the fileserver you would also need
to "chown root:10101 cs3" and set the directory so that it is group writeable:
chmod g=rwxs cs3
"g=rwxs" means that any new files created in that directory inherit
the same group, and are group readable and writeable. You have to use the numeric GID
here unless the group already exists.
4. Next you need to either add the group membership as a capability of an existing
role or create a new role. Which you do rather depends on the nature of the group
(and keeping in mind the 7 groups per user maximum). Example of using an existing role:
rfe roles/staff and add a line "group/cs3" to add that group to all staff. Example of
creating a new role: rfe -n roles/cs3 and add a line "group/cs3" (and that's all you need
in it). You then need to add this new cs3 role to each person that you want to be a member
of the group. You do this using the AMT stuff, something like:
update_user lmb -second +cs3 to give Lindsey that role (consequently making her a member
of the group). The '+' means add the role, note you can also use an abbreviated version
of the option to save some typing. Test by giving yourself the role and running
'om ldap kick' on your machine. Then run 'sterm machine_name' and then 'id' to check
you have the new group. If it hasn't appeared yet, run 'newgrp group_name' to force it
through. If 'id' now shows the new group, you should be able to write a file into the new
group area without the 'permission denied' error. Then run "om ldap kick" on a client
machine you want to try it all out on.
You should then be able to list the cs3 group
defiant[timc] groups
timc : people staff cs3
then try, eg.
defiant[timc] cd /group/whatever/cs3
defiant[timc] touch wibble
defiant[timc] ls
wibble
defiant[timc] rm wibble
Note that shared filespace for "all-staff" is already setup in the sense that the group
exists and staff are already a member of that group. All you would need to do would be to
create a directory on a fileserver group writeable by the DICE staff GID (10010).
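A way to verify the result of step 3 before handing the area over, as an added example that is not part of the original notes. The helper name check_shared_dir is hypothetical; it takes the directory and the numeric GID (10101 for cs3 in the example above) and also probes whether a new file picks up the group.

```shell
#!/bin/sh
# Added example: verify a shared area after step 3.
# check_shared_dir DIR GID  (hypothetical helper; GID is numeric, e.g. 10101)
# Returns 0 when DIR is owned by group GID, has group bits rws (g=rwxs),
# and a newly created file inherits the group. Problems are printed.
check_shared_dir() {
    dir=$1; want_gid=$2; rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }

    # ls -ldn gives the mode string and the numeric owner and group IDs.
    mode=$(ls -ldn "$dir" | awk '{print $1}')
    gid=$(ls -ldn "$dir" | awk '{print $4}')
    group_bits=$(printf '%s' "$mode" | cut -c5-7)

    [ "$gid" = "$want_gid" ] || { echo "group is $gid, expected $want_gid"; rc=1; }
    # "rws" is read, write and execute with setgid; "rwS" would be setgid
    # without execute, and "rwx" would mean the setgid bit is missing.
    [ "$group_bits" = "rws" ] || { echo "group bits are $group_bits, expected rws"; rc=1; }

    # Probe: a file created here should carry the directory's group.
    # Its permission bits come from the creator's umask, so they are not checked.
    probe="$dir/.probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        pgid=$(ls -ln "$probe" | awk '{print $4}')
        rm -f "$probe"
        [ "$pgid" = "$want_gid" ] || { echo "new file got group $pgid, expected $want_gid"; rc=1; }
    else
        echo "cannot create a file in $dir"; rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh check_shared_dir.sh /amd/partition/ptnxxx/cs3 10101
if [ "$#" -eq 2 ]; then
    check_shared_dir "$1" "$2"
fi
```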
See Automatic and Forced LDAP Replication.
Notes are on rat-unit page: Informatics Condor Pools
The backout via RCS needs to be done on the rfe server (note that all actions are as root):
tobermory# cd /var/rfedata/lcfg/profiles
tobermory# co -l lessard
RCS/lessard,v --> lessard
revision 1.69 (locked)
done
tobermory#
tobermory# co -p -r1.66 lessard
RCS/lessard,v --> standard output
revision 1.66
/* lessard */
#define FIRST_INSTALL
...
/* End of file */
tobermory#
- and when you know which one you want, overwrite the existing
version:
tobermory# co -p -r1.66 lessard > lessard
RCS/lessard,v --> standard output
revision 1.66
tobermory#
- and check it back in:
tobermory# ci -u lessard
RCS/lessard,v <-- lessard
new revision: 1.70; previous revision: 1.69
enter log message, terminated with single '.' or end of file:
>> reverted to 1.66 (recovered fstab info)
>> .
done
tobermory#
Instructions for maintaining the cluster.
Remember: The cluster machines are SL5 and must be reinstalled with F13 before reuse and the comment "Server Room Cluster" removed from the inventory
After May 2005
Instructions for installing MDP machines are available here.
These instructions are a work in progress.
Instructions for printing under Windows XP
Personal Folders should be configured to be located in the user's
home directory. By default they are in:
C:\Documents and Settings\uun\Local Settings\Application Data\Microsoft\Outlook. This is not
backed up as Local Settings are not copied back to the IS profile server.
Group InfCom have now moved to central samba from afs and it seems to have gone well. A request was made via IS.Helpline@ed.ac.uk for 20GB and list of users provided to them. Below is their reply:
As requested have created a shared folder "\\scieng0.scieng.ed.ac.uk\INF\GROUPS\InfCom" Security is controlled by AD group "Scieng1 InfCom Users" Below links show how to map network drives in Windows and Macs for non-managed machines: http://www.ed.ac.uk/schools-departments/information-services/services/computing/desktop-personal/network-shares/accessing-net-shares-win http://www.ed.ac.uk/schools-departments/information-services/services/computing/desktop-personal/network-shares/access-net-shares-mac Data is backed up in this area to Volume Shadow copy twice a day (05:00 and 12:00) and can be restored back from up to a week.
The MDP users were able to successfully map the drive, and copied and pasted their existing data over themselves.
However, from a laptop on an AT dhcp wire, the drive could not be mapped until a firewall hole was opened. The laptop needed a static IP registered, profile created to include the ipfilter.h header, and the hostname added to ipfilter.h in the same place as the AT MDP machines. Users would need to use Uni VPN to access the drive from home.
The job of the Duty CSOs is to make sure that all tickets get attention. The goal is to respond in some way to every ticket within a day. Tickets marked URGENT need to be assessed quickly according to the guidelines detailed in the RT Best Practice document available here.
So, when a ticket mentions "cvs":
On this web page you can check the CUPS queue for stuck jobs if you click on the printername. You can't cancel a job from this interface, so if the printer is not running (e.g. showing red):
On infcups.inf.ed.ac.uk as root run /usr/sbin/cupsdisable <printername>
Cancel the offending job(s)
lprm <jobNo>
/usr/sbin/cupsenable <printername>
Further CUPS documentation can be found here: CUPS Wiki page
To find jobs in the print queue: login to the print server, become root and look for the df* files in /var/spool/lpd/queuename.
On infcups as root, grep for the file 'Name', 'User' or job ID in the following file:
/var/log/cups/page_log
which shows the following info, one line per page printed:
if213m0 joxley 374683 [22/Nov/2011:14:32:11 +0000] 1 1 - 129.215.24.26
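Since page_log has one line per page, a grep for a user returns a long list; the following added example (not part of the original notes) collapses it to one line per job with a page total. The function name print_history is hypothetical, the field layout is assumed from the sample line above, and all sample lines except the first are constructed.

```shell
#!/bin/sh
# Added example: per-job print history for one user from a CUPS page_log.
# Field layout assumed from the sample line above:
#   printer user job-id [date zone] page-number copies billing host

# Constructed sample data; only the first line is taken from the page.
sample_page_log() {
    cat <<'EOF'
if213m0 joxley 374683 [22/Nov/2011:14:32:11 +0000] 1 1 - 129.215.24.26
if213m0 joxley 374683 [22/Nov/2011:14:32:12 +0000] 2 1 - 129.215.24.26
if213m0 exampleuser 374684 [22/Nov/2011:14:40:00 +0000] 1 2 - 192.0.2.10
truncated line without enough fields
if213m0 joxley 374690 [22/Nov/2011:15:01:30 +0000] 1 3 - 129.215.24.26
EOF
}

# print_history USER LOGFILE
# Output, one line per job in log order: job-id printer first-seen pages host
print_history() {
    awk -v u="$1" '
        # Skip short or malformed lines instead of miscounting them.
        NF < 9 || $7 !~ /^[0-9]+$/ { next }
        $2 == u {
            job = $3
            if (!(job in pages)) {
                order[++n] = job
                printer[job] = $1
                first[job] = substr($4, 2)   # drop the leading "["
                host[job] = $NF
            }
            pages[job] += $7                 # one line per page, times copies
        }
        END {
            for (i = 1; i <= n; i++) {
                j = order[i]
                printf "%s %s %s %d %s\n", j, printer[j], first[j], pages[j], host[j]
            }
        }' "$2"
}

# Stand-alone use: sh print_history.sh USER /var/log/cups/page_log
if [ "$#" -eq 2 ]; then
    print_history "$1" "$2"
fi
```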
\\ed\dst\UnManaged\PCounter\v2.52\PCounter_Admin.hta
To check a user's print job history the PADMIN.EXE tool can be used for generating reports, run:
\\ed\dst\UnManaged\PCounter\v2.60\NT\PADMIN.EXE and follow these instructions. In brief - 'Summary Reports' show print job history. You need to select a date range and for the Report type highlight 'User Printer' and click the Detailed radio button to get more useful data.
There is also a full pcounter manual available.
Staff by default have permissions to create new coltex repositories. To grant a PhD student permission just give them the 'coltex' secondary role. Other students should require approval by their supervisor.
However, direct access to the inventory through the School Database is needed to enter details of some machines. The Database is available at https://ui.theon.inf.ed.ac.uk/ui.html
Choose the Legacy Computing tab and the necessary tables will appear. The appearance is similar to the old database interface, in that all the same fields appear and it works in a similar way. All DICE machines have their inventory entry made automatically. Unfortunately, laptops and self-managed machines have to have their entries in the database created by hand unless they have a dns entry. Even then there can be problems.
Here is the procedure for entering such data. It should be done in this order otherwise strange things happen. Even if you follow the procedure carefully, it can still go horribly wrong. Contact Lindsey with any questions.
Support can enable this by adding the following to the machine lcfg profile: !auth.grpent_vboxusers mCONCAT(:<%sysinfo.allocated%>)
Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Tel: +44 131 651 5661, Fax: +44 131 651 1426, E-mail: school-office@inf.ed.ac.uk
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh