The LRZ changed its identity management: the project kn2a still exists, but new accounts no longer have the form kn2a1xy but ab12cde. These accounts are not the same as the LRZ-hosted mytum accounts! They are now also used for telephone (VoIP) access and high-performance computing.
Our project name at the LRZ is kn2a1, from which all account names are derived by appending two characters. Currently we have 50 accounts, "aa" to "bx", plus master user accounts with a numeric extension (only 01 for Andi Weiss). These accounts carry different privileges, the most common of which are:
- PC-Kennung: the standard Windows login at LRZ computers, which is also used to authenticate users of the telephone system
- AFS-Kennung: the classical Unix file system account, which is also used in a number of other services
In case more accounts are needed, talk to Weidner.
Account Privileges
All accounts have the same basic rights, namely "Wählzugang" (for VPN connection), "PC-Kennung" (for e.g. telephone system) and "AFS-Kennung" (for UNIX services, but also some web authentication). As the file server also discriminates based on these accounts, each account gets different privileges. There are three basic groups:
- kn2a1mu: the master users have full access everywhere in the file system tree
- kn2a1adm: the administrative staff has write access on the shared network volume, which up to now hosts only administrative files
- kn2a1: the base group, allowing read access to the shared network volume, e.g. to access the printer drivers or forms stored there
To make life a bit easier and lessen our dependence on the computing center staff, I have preloaded the accounts as follows:
Accounts | kn2a1 | kn2a1adm | kn2a1mu
---|---|---|---
aa | X | X | X
ab–aq | X | X | -
ar–bk | X | - | -
In case you need to change rights, ask Cramer.
Account Passwords
The passwords for the different basic roles (AFS and PC) are not automatically synchronized. When (re-)setting a password (see Account Management), it is best to set it for all platforms together to a randomized password. For existing accounts, the individual platforms can be modified separately, also by the user when changing the password on the LRZ password page.
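As an added illustration (not part of this page or of the LRZ tools) of the naming scheme, the privilege table above and the "randomized initial password" practice, the following Python script enumerates the account names kn2a1aa to kn2a1bx, looks up each account's groups from the table, and generates fresh random passwords for accounts that have not yet been handed out. The suffix ranges and group names are taken from the table; accounts bl–bx, which the table does not cover, are assumed to have no group entry, and the password length of 16 characters is an assumption.

```python
import secrets
import string

PROJECT = "kn2a1"
FIRST_SUFFIX, LAST_SUFFIX = "aa", "bx"

# Privilege table from the page: inclusive suffix range -> groups.
GROUP_RANGES = [
    (("aa", "aa"), {"kn2a1", "kn2a1adm", "kn2a1mu"}),
    (("ab", "aq"), {"kn2a1", "kn2a1adm"}),
    (("ar", "bk"), {"kn2a1"}),
]

LETTERS = string.ascii_lowercase


def _index(suffix):
    """Position of a two-letter suffix in the sequence aa, ab, ..., zz."""
    return LETTERS.index(suffix[0]) * 26 + LETTERS.index(suffix[1])


def suffixes(first=FIRST_SUFFIX, last=LAST_SUFFIX):
    """All two-letter suffixes from first to last, inclusive."""
    return [LETTERS[i // 26] + LETTERS[i % 26]
            for i in range(_index(first), _index(last) + 1)]


def account_names(project=PROJECT):
    """Project name plus two-character suffix, e.g. kn2a1aa ... kn2a1bx."""
    return [project + s for s in suffixes()]


def groups_for(suffix):
    """Groups of an account according to the privilege table.

    Two-letter lowercase strings of equal length compare lexicographically,
    so a plain range check on the suffix is enough.
    """
    for (lo, hi), groups in GROUP_RANGES:
        if lo <= suffix <= hi:
            return set(groups)
    return set()  # assumption: suffixes not in the table (bl..bx) get no entry


def random_password(length=16):
    """Randomized password from the CSPRNG (secrets), letters and digits only."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def initial_passwords(handed_out):
    """Fresh initial password for every account not yet handed out.

    handed_out: set of full account names already given to a user; those
    are skipped so the list only contains accounts still in reserve.
    """
    return {name: random_password()
            for name in account_names() if name not in handed_out}


if __name__ == "__main__":
    # Constructed example: aa and ab are already in use.
    reserve = initial_passwords({"kn2a1aa", "kn2a1ab"})
    print(len(account_names()), "accounts,", len(reserve), "still in reserve")
    for name in account_names()[:3]:
        print(name, sorted(groups_for(name[len(PROJECT):])))
```

The group lookup is the part worth keeping in sync with the table: when rights are changed (ask Cramer), update GROUP_RANGES rather than hand-editing the list of accounts.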
Account Names
The LRZ does not manage the association between accounts and persons. This means that a corresponding list must be kept at the cluster. It also means that the cluster can deal out or revoke access to accounts without LRZ intervention.
I have started a list of accounts, including initial passwords for not-yet-used ones, as an Excel sheet. The preloaded initial passwords should be deleted from the list once they have been handed out to the user, so that accounts in use are easily identifiable. The column AFSpw is only for initially created accounts, which did not have AFS rights from the start and therefore I had to generate new initial AFS passwords. Most of them have not yet been handed out to the users, thus are still in the list.
Account Management
Master users can use the ID Portal LRZ to
- reset accounts, clearing all previous settings and garbling the password
- set passwords, conveniently offering the option to set randomized passwords to a set of accounts
- check access rights and so on
Beware that changes to accounts sometimes need some time (e.g. over night) to become effective.
Automatic Blocking of Accounts
Upon three wrong authentication attempts, the account is automatically blocked for about half an hour. In case the block persists, talk to Weidner.