Managing AUTH Groups

On managed TAMU Linux systems, login access, admin (sudo) access, and filesystem permissions are all controlled by membership in AUTH Active Directory (AD) groups.

When a managed Linux system is provisioned, the following two groups are created for that system:

DEPT_dept-whatever.subdomain.tamu.edu_logins
DEPT_dept-whatever.subdomain.tamu.edu_admins

If an owner NetID is provided, the following groups are also created:

DEPT_netid_logins
DEPT_netid_admins

By default, if an owner NetID is provided, DEPT_netid_logins is nested in the DEPT_dept-whatever.subdomain.tamu.edu_logins group of the system being provisioned. The idea is that when one person owns several systems, login access can be managed in a single group rather than in one group per system.

By default, DEPT_netid_admins is NOT nested in DEPT_dept-whatever.subdomain.tamu.edu_admins. It is created for convenience and can be added manually to that group where appropriate. Be aware that DEPT_netid_admins is shared across all of that owner's systems: nesting it grants its members admin (sudo) access on every system whose _admins group nests it, and any later change to its membership takes effect on all of those systems at once.

Managing the Logins and Admins groups

All Linux logins and admins groups are located at AUTH.TAMU.EDU > Services > Specialized Services > Linux Services. Because ADUC only displays a limited number of objects per container by default (2,000), you may have better luck searching for the group you need to edit than browsing the OU.

The following groups are created for each unit that has managed Linux systems, where DEPT is the 4-letter code for the College (or TAMH):

DEPT-Linux-Desktop-Admins
DEPT-Linux-Server-Admins

Permissions for managing AUTH groups

Members of the DEPT-Linux-Desktop-Admins group can modify the following groups for all endpoints (desktops) in the unit:

DEPT_dept-endpointx.subdomain.tamu.edu_logins
DEPT_dept-endpointx.subdomain.tamu.edu_admins
DEPT_netid_logins
DEPT_netid_admins

Members of the DEPT-Linux-Server-Admins group can modify the following groups for all servers in the unit:

DEPT_dept-serverx.subdomain.tamu.edu_logins
DEPT_dept-serverx.subdomain.tamu.edu_admins
DEPT_netid_logins
DEPT_netid_admins

Note that DEPT_netid_logins and DEPT_netid_admins are shared between endpoints and servers, and both admin groups can modify them. A change made by a desktop admin to a netid group therefore takes effect on any server where that group is nested, and vice versa. Exercise caution and be sure you know everywhere a netid group is nested before using it for RBAC. Until a single NetID owner has enough systems to make per-system group management a burden, manage RBAC in the FQDN groups rather than the netid groups.

Managing filesystem access groups

Groups can be created and applied to filesystems and directories on a managed Linux system. Create these groups in your unit's OU within the AUTH.TAMU.EDU domain. The location of a group within AUTH does not matter when applying it to directories and filesystems in Linux; only the group name is used on the host.

Suggested naming format:

DEPT_dept-whatever.subdomain.tamu.edu_descriptive_name_for_group

Once the group has been created and resolves on the host (check with getent group followed by the group name; a newly created group is not usable until AD replication and the host's identity cache have caught up), you can use it in Linux with the normal tools, for example:

chown -R :DEPT_dept-whatever.subdomain.tamu.edu_descriptive_name_for_group /path/to/some/directory
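The command above sets group ownership but nothing else. In practice you also want the directories to carry the setgid bit, so that files created later inherit the AUTH group instead of the creator's primary group, and you want to confirm the group actually resolves before a recursive change starts. The following shell functions are an added example for this page, not part of the original document or of any TAMU tooling; they assume only that the group name resolves through the host's NSS (getent), as the page says it should on a managed system, and the usage lines use the page's placeholder group name.

```shell
#!/bin/sh
# Added example (not from the original page): grant an AUTH group access to a
# directory tree and verify the result. Assumes the group name resolves through
# the host's NSS (getent), which is how AUTH groups appear on a managed system.

# Succeeds only if the group can be resolved on this host. Checking first gives
# a clear error instead of a chgrp -R failing partway through on a mistyped,
# very long AUTH group name.
require_group() {
    getent group "$1" >/dev/null 2>&1
}

# grant_group_dir GROUP DIR
#   - sets group ownership on everything under DIR
#   - directories: mode 2770 (setgid so new files inherit GROUP; no access
#     for others)
#   - files: group read/write and nothing for others; owner bits are left alone
grant_group_dir() {
    group="$1"
    dir="$2"
    if ! require_group "$group"; then
        echo "grant_group_dir: group '$group' does not resolve via NSS" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "grant_group_dir: not a directory: $dir" >&2
        return 1
    fi
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod g+rw,o-rwx {} +
}

# audit_group_dir GROUP DIR
#   prints every path under DIR that is not owned by GROUP, and every directory
#   that is missing the setgid bit; prints nothing when the tree is consistent.
audit_group_dir() {
    group="$1"
    dir="$2"
    find "$dir" ! -group "$group" -print
    find "$dir" -type d ! -perm -2000 -print
}

# Usage on a managed system (placeholder group name from the page; /srv/project
# is an assumed path):
#   grant_group_dir DEPT_dept-whatever.subdomain.tamu.edu_descriptive_name_for_group /srv/project
#   audit_group_dir DEPT_dept-whatever.subdomain.tamu.edu_descriptive_name_for_group /srv/project
```

chgrp -R GROUP DIR is equivalent to the page's chown -R :GROUP DIR; the additions here are the resolve check, the setgid bit on directories, and an audit function you can re-run later to catch files that were copied in with the wrong group.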