
Chapter - 5 User Management

Uploaded by

tadesse

Chapter 5

User Administration Concepts & Mechanisms

Outline
• Issues
• User registration
• Local and network accounts
• Account policy
• User support services
• Controlling user resources
Introduction

• Without users, there would be few challenges in system administration.
• Users are both the reason that computers exist and their greatest threat.
• As a device for predicting the weather, as a calculator for atomic weapons, as a desktop typewriter, as a means of global communication, computers have changed the world and have reinvented themselves in the process.
• System administrators must cater to all needs, and ensure the stability and security of the system.
User Management Issues
• User management is about interfacing humans to computers. This brings to light a number of issues:
o Accounting - registering new users and deleting old ones
o Comfort and convenience
o Support services
o Ethical issues
o Trust management and security
• Some of these (account registration) are technological, while others (support services) are human issues.
• Comfort and convenience lie somewhere in between.
• User management is important because the system exists to be used by human beings, and they are both friend and enemy.
User Registration
• One of the first issues on a new host is to issue accounts for users.
• Surprisingly, this is an area where operating system designers provide virtually no help.
• For small organizations, user registration is a relatively simple matter.
• Users can be registered at a centralized location by the system manager, and made available to all of the hosts in the network by some sharing mechanism, such as:
o a login server
o a distributed authentication service, or
o direct copying of the data.
User Registration (continued)

• For larger organizations, with many departments, user registration is much more complicated.
o The need for centralization is often in conflict with the need for delegation of responsibility.
o It is convenient for autonomous departments to be able to register their own users, but it is also important for all users to be registered under the umbrella of the organization, to ensure unique identities for the users and flexibility of access to different parts of the organization.
User Registration (continued)

• What is needed is a solution which allows local system managers to be able to register new users in a global user database.
• PC server systems like NT and Netware have an apparent advantage in this respect.
o By forcing a particular administration model onto the hosts in a network, they can provide straightforward delegation of user registration to anyone with domain credentials.
o Registration of single users under NT can be performed remotely from a workstation, using the following command:

    net user username password /ADD /domain

User Registration (continued)

• While most Unix-like systems do not provide such a ready-made tool, many solutions have been created by third parties.
• It is rather sad that no acceptable, standardized user registration methods have been widely adopted. This must be regarded as one of the unsolved problems of system administration.
• Many Unix-like systems provide shell scripts or user interfaces for installing new users, but most of these scripts are useless, because they follow a model of system layout which is inadequate for a network environment, or for an organization's special needs.
Local and Network Accounts
• Both Unix and NT support the creation of accounts locally on a single host, or 'globally' within a network domain.
• With a local account, a user has permission to use only the local host.
• With a network account, the user can use any host which belongs to a network domain.
• Local accounts are configured on the local host itself.
o Unix registers local users by adding them to the files /etc/passwd and /etc/shadow.
o In NT the Security Accounts Manager (SAM) is used to add local accounts to a given workstation.
Network Accounts (Unix-like systems)
• Unix-like systems have widely adopted Sun Microsystems' Network Information Service (NIS), formerly called Yellow Pages or simply YP, though this is likely to be superseded and replaced by the more widely accepted standard LDAP.
• The NIS-plus service was later introduced to address a number of weaknesses in NIS, but this has not been widely adopted.
Reasons
• NIS is reasonably effective at sharing passwords, but it has security implications (i.e. encrypted passwords are distributed in the old password format, clearly visible).
• There is no provision for remote registration, or for delegation of responsibility.
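
An added example (not part of the original slides): a small Python audit of a passwd-format map, such as the one NIS shares or a local /etc/passwd, that flags password hashes left visible in the second field, empty passwords, and UIDs shared by more than one account. The sample map, account names and hash strings are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed passwd(5)-format sample; names and hash strings are made up.
SAMPLE_MAP = """\
root:x:0:0:root:/root:/bin/sh
alice:ab01FAX.bQRSU:1001:100:Alice:/home/alice:/bin/sh
bob:$6$c0nstructed$NotARealHashValue:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:x:1001:100:Dave:/home/dave:/bin/sh
guest:*:1004:100:Guest:/nonexistent:/bin/false
"""

LEGACY_DES = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional 13-char crypt(3)
MODULAR = re.compile(r"^\$[0-9a-z]+\$")          # $id$salt$hash style


def classify(field):
    """Return a finding for the password field, or None if nothing is exposed."""
    if field == "":
        return "empty-password"
    body = field.lstrip("!")  # a leading '!' only marks the hash as locked
    if LEGACY_DES.match(body):
        return "visible-legacy-des-hash"
    if MODULAR.match(body):
        return "visible-modular-hash"
    return None  # 'x', '*', '!': hash kept elsewhere or login disabled


def audit(map_text):
    """Return (account, finding) pairs for a passwd-format map."""
    findings, by_uid = [], defaultdict(list)
    for line in map_text.splitlines():
        if not line or line[0] in "#+-":
            continue  # blank lines, comments, NIS compat (+/-) entries
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((line, "malformed-entry"))
            continue
        name, pw, uid = parts[:3]
        kind = classify(pw)
        if kind:
            findings.append((name, kind))
        by_uid[uid].append(name)
    for uid, names in by_uid.items():
        if len(names) > 1:  # identities are meant to be unique
            findings.append((",".join(names), "duplicate-uid-" + uid))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_MAP):
        print(f"{account}: {finding}")
```
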
Network Accounts (NT)
• NT uses its model of domain servers, rather like NIS, but including a registration mechanism.
• A user in the SAM of a primary domain controller is registered within that domain and has an account on any host which subscribes to that domain.
• An NT domain server involves not only shared databases but also shared administrative policies and shared security models.
• A host can subscribe to one or more domains, and domains can be associated with one another by a trust relationship. When one NT domain 'trusts' another, then accounts and groups defined in the trusted domain can be used in the trusting domain.
User Support Services
• All users require help at some time or another.
• The fact that normal users are not privileged users means that they must occasionally rely on a superuser to clean up a mess, or fix a problem which is beyond their control.
• If we are to distinguish between privileged and non-privileged users, we cannot deny users this service.
Types of user
• Every system has a mixture of passive and active users.
• Passive users
o They can be a security risk, because they are not aware of their actions.
• Active users
o Active users follow every detail of system development.
o They can be of great help to a system administrator, because they test out problems and report them actively.
o They are an important part of the system administration team, or community, and can also go a long way to helping the passive users.
Controlling user resources

• Resource consumption
o Disk usage
• Quotas and limits in general
o One way of protecting operating systems from users and from faulty software is to place quotas on the amount of system resources which they are allowed.
- Disk quotas
- CPU time limit
- Policy decisions
• Killing old processes
• Moving users
• Deleting old users

End of Chapter 5
