
Air Services / Airsoa

Client name: AIROSA

Client ID: AISP – requests come through DW (Service Center)

Important contacts:
GADSS team: DW queue: Z_GIS_GADSS - DL: Gadss.Emea@hp.com

Requests are created by the following team. You can contact them about any problem, or tell a user to
contact them in order to open a ticket. A ticket that comes from this team can be considered
pre-approved:

ATC - Advanced Transportation Coverage <at-coverage@hp.com>

Bushyhead, Scott - scott.d.bushyhead@hpe.com -> the ATC manager.

Porrata, Adam - adam.porrata@hpe.com -> not sure of the role (a PM or ADM). He can approve or send you
any request, or request a task.

Scope of work:
Create users: domain users; domain users with UNIX active (NIS); local users for Solaris systems (and
for Linux, only for the SA team).

Delete users (or disable them, according to the request).

Password reset

User modification.

Supported Platforms:
Every user always uses a UID that you must reserve in the UID_AIRSOA.xls file.

UNIX servers:

The Linux servers use the domain credentials to log in (they use NIS).

On Linux servers, only the SA team also uses a local account.

The Solaris servers are stand-alone: you have to use your personal credentials on each one.

Windows servers:

There are 3 supported domains:

AIRSOATEST -> Uses a reserved UID and NIS. You can use server usclssoat398 to manage the domain. To
connect to this server, open a Remote Desktop tool directly from your session and use the FQDN:
usclssoat398.airservices.eds.com

AIRSOAPROD -> Uses a reserved UID and NIS. You can use server USCLDSOAP950 to manage the domain.
To connect to this server, open a Remote Desktop tool directly from your session and use the FQDN:
USCLDSOAP950.airservices.eds.com

TRANSPCIPROD -> Uses neither a reserved UID nor NIS. It uses a regular account, just like any other
client. You can use server USCLSPCIP009 (IP: 204.26.130.26) or
usclspcip010.transpciprod.airservices.eds.com to manage the domain.

Important information:

-NIS system: when you activate the UNIX attribute, the home directory must always be /export/home/user_ID

-For UNIX servers:

Solaris servers are stand-alone UNIX.

Linux servers are under NIS.

-Naming convention: how to know whether a server is under the AIRSOAPROD or AIRSOATEST domain, with
examples. This is very important when you have to log in to a Linux server, because you have to know
whether to use your AIRSOATEST or AIRSOAPROD domain credentials.

USCLSSOAT398 -> OAT – it means TEST domain: AIRSOATEST.

USCLSSOAM902 -> OAM – it means MODEL; it uses AIRSOATEST credentials.

USCLDSOAP950 -> OAP – it means PROD domain: AIRSOAPROD.

-The AIRSOATEST domain has the RBAC OU. If you don’t have permission to complete a task and the user
belongs to this OU, the task must be completed by the GADSS team.

How to create domain users:
Ticket example for AIRSOAPROD on DW # 100-05-16652572-001

-Type of request: Create user (new access).
-Requestor information: name and email.
-Requested User name, ID and Email.
-Model ID
-Domain name (where the user must be created)
-Activate the UNIX access? Yes.

1) Open remote desktop to reach the server:


2) Use your personal credentials:

3) Open Active Directory Users and Computers:

4) Search for the model ID within the different OUs until you find it:
5) The user has been found in the “Users” OU:
6) Right-click to copy:
7) Finish the copy, creating the new user with the personal information, and click “Next”.
8) Set a new random password and activate “User must change password at next logon”. Click
“Next” to finish.
9) To activate the UNIX attributes, go to that tab on the model ID and complete all fields mirroring
the model, but changing them to the personal user information.

10) To reserve the UID, open the “Available_AirSOA_UIDs xls” file to use the correct user UID. Use
the “Find” tool to check if the user exists and, if so, use the number in the second column (B),
“User IDs Available - Active Directory and SUNS local.”, for the Windows UID. This is the same
number you will have to use when you create the access for Solaris stand-alone UNIX servers. The
first column (A), “Local UID - Linux Local accounts (usually SA)”, is only to be used by the
Sysadmin team when they need local access to Linux servers (in addition to their NIS access).

IMPORTANT: REMEMBER TO ALWAYS USE “/export/home/ID” instead of “/home/ID” IN THE Home directory FIELD.
11) All new user parameters completed, click “OK” to save and finish.
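
A check you can run after step 11, as an added example that is not part of the original procedure: it audits passwd-format entries (the layout `getent passwd` prints on a NIS client) against the reserved UID and the /export/home/ID rule. The `login:uid` list format, the UID numbers and the sample entries are constructed assumptions.

```shell
#!/bin/sh
# Constructed reserved-UID list: hypothetical "login:uid" export of column B.
RESERVED='czhpyr:20451
jdoe01:20452
asmith:20453'

# Constructed passwd-format entries, in the layout `getent passwd` prints.
ENTRIES='czhpyr:x:20451:100:Sample User:/export/home/czhpyr:/bin/bash
jdoe01:x:20452:100:John Doe:/home/jdoe01:/bin/bash
asmith:x:30999:100:Ann Smith:/export/home/asmith:/bin/bash
tmpusr:x:20460:100:No Reservation:/export/home/tmpusr:/bin/bash'

# audit_entries RESERVED ENTRIES
# Prints one finding per line; prints nothing when every entry passes.
audit_entries() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "--"   { in_entries = 1; next }    # separator between the lists
        !in_entries  { reserved[$1] = $2; next } # first list: login to UID
        {
            login = $1; uid = $3; home = $6
            if (!(login in reserved))
                print login ": no reserved UID on file"
            else if (reserved[login] != uid)
                print login ": UID " uid " differs from reserved " reserved[login]
            if (home != "/export/home/" login)
                print login ": home " home " should be /export/home/" login
        }'
}

audit_entries "$RESERVED" "$ENTRIES"
```
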

Creation on AIRSOATEST domain:

To create users in the AIRSOATEST domain you will follow exactly the same procedure as for AIRSOAPROD
(but you will connect to usclssoat398.airservices.eds.com for TEST), just taking care that there is an OU
called “RBAC” where you shouldn’t have permission to perform any task. So if the model ID is placed in
this OU, you shouldn’t be able to create the user ID. What you have to do in this case is create the user in
any other “regular” OU and contact the GADSS team to move the user to the correct place:

-Expand the OUs: AIRSOATEST/Accounts/Users, and then create a new user using the option “New User”
instead of “Copy” when you right-click in this location.

-Open the model ID, go to the “Member Of” tab, and save the group names. Find each group in AD
and add the newly created user as a member.

-If there is any group to which you don’t have permission to add the user either, save the group name.

-If the request includes activating the UNIX attribute, go ahead and activate it using the same UID reserved
in the second column (Active Directory) of the xls file, use “/export/home/ID” as the home directory, and
the specific group.

-Send the credentials to the user using two emails. In the first one, inform the user that the account has
been created and include his personal information: user name, user ID, and the domain name. Copy the
requestor’s email address on this first email as well.

Also copy the GADSS DL, asking them to please move the user “xxxx” to the correct OU according to the
model “xxxx”, which you didn’t have permission to do. Also inform them if there was a specific group
that you didn’t have permission to add the user to.

In a second email, send only the password, and only to the user.

-Close the ticket by copying and pasting the first email you sent with the information (not, and NEVER,
the email with the password).

Creation on TRANSPCIPROD domain:

To create users in the TRANSPCIPROD domain you will follow exactly the same procedure as for
AIRSOAPROD (but you will connect to USCLSPCIP009 – IP: 204.26.130.26 or
usclspcip010.transpciprod.airservices.eds.com) until step 8. You will not work with NIS, there is no
UNIX attribute to activate, you don’t have to reserve a UID, and there is no RBAC OU either; so this is
a simple, regular procedure just like for any other client.

Working with UNIX systems:

Linux servers:

Access to Linux servers is granted just by activating the “UNIX attribute” option in the user’s properties
in AD. So you don’t have to create the user on the Linux servers, as you would on any other regular
client, for the user to gain access.

For example, if you log in to a Windows AIRSOAPROD server, USCLDSOAP950, using the following
credentials:

ID: czhpyr

Password: Pa$w0rd

You will use the same to log in to the Linux server:

ID: czhpyr

Password: Pa$w0rd

Remember, you know this is from the PROD domain because of the naming convention: OAP.

You can reach the UNIX AISP servers through the ssh protocol, using Putty to the IP that you will find in
ESL. So to reach USCLDSOAP950 you will have to do the following:

Open Putty:
Use your AIRSOAPROD domain credentials:

You will be logged in the server:


Special creations on Linux servers:

There is just one specific case in which you will have to create users locally on Linux servers (in addition
to the NIS access): for the sysadmin team (System Administrators) and the ATC team. In both of these
cases, and only if a specific request to do so is created, you will create that specific access, following the
regular creation procedures for a UNIX user.

An important point is that this kind of user will use a specific UID that you have to reserve from
the “Available_AirSOA_UIDs xls” file, in order to use the correct user UID. Use the “Find” tool to check if
the user exists and, if so, use the number in the first column (A), “Local UID - Linux Local accounts
(SA team)”, for the Linux local user’s UID.

Solaris servers:

The Solaris servers are stand-alone; they don’t work with NIS, so in these cases you have to create a
regular user just like on any other UNIX system. Please find the standard UNIX creation procedure and
follow those instructions in order to create a UNIX user.

An important point is that this kind of user will use a specific UID that you have to reserve from
the “Available_AirSOA_UIDs xls” file, in order to use the correct user UID. Use the “Find” tool to check if
the user exists and, if so, use the number in the second column (B), “User IDs Available - Active
Directory and SUNS local.”

To log in to Solaris servers, use Putty with the ssh protocol to the correct IP that you will find in ESL.

Password reset:

SOLARIS:

To reset a password on a Solaris server, you just have to follow the regular procedure to reset a local
UNIX account: log in to the server using Putty with ssh to the correct IP that you will find in
ESL. You will have to use your personal credentials to log in.

Once you’re in, you will have to unlock the user and then perform a password reset. For example, to
reset the password for user czhpyr:

sudo passwd -u czhpyr -> to unlock the user

sudo passwd czhpyr -> to set a new password

Pa$w0rd -> enter the new password twice

sudo passwd -f czhpyr -> to force the password to be changed at first logon

sudo passwd -s czhpyr -> to check how the password is set

LINUX:

If the user needs a password reset on a Linux system, you will just have to reset his domain password
(AIRSOAPROD or AIRSOATEST, depending on the system the user is asking about) because they are under
NIS. This is a standard Windows password reset procedure, but it’s very important that you ALWAYS force
the password to be changed at the first logon. So, before logging in to the Linux server, the user ALWAYS
has to log in to a WINDOWS system first and change the initial password that you’re sending. After that,
possibly after waiting a couple of hours while the password is replicated, the user will be able to log in
to the Linux system using his own password.

Note: Remember that the user must have the UNIX attribute property activated in the Windows
account properties to be able to log in to a Linux system under NIS.

WINDOWS:

If the user needs a password reset on a Windows system, you will just have to reset his domain password
(AIRSOAPROD or AIRSOATEST, depending on the system the user is asking about). This is a standard Windows
password reset procedure, but it’s very important that you ALWAYS force the password to be changed at
the first logon. Remember that the user may have to wait a couple of hours while the password is
replicated before being able to log in.

DELETE ACCOUNT:

UNIX:

This is just a standard procedure in each case. The request must contain the following mandatory
information:

Action to take.

User ID to be removed.

Server or Domain name.

For UNIX servers, find and use the regular procedure to remove a user. For example, to remove the user czhpyr:

Use Putty with ssh to the correct IP that you can find in ESL:

Log in to the server.

id czhpyr -> to check if the ID exists

sudo userdel -r czhpyr -> to remove the ID and the user’s home directory.

id czhpyr -> to ensure the ID was deleted

Note: you can also search for a user account using grep with the name or the ID:

grep -i czhpyr /etc/passwd -> this will find all the users with ID czhpyr (there can be just one)

grep -i diego /etc/passwd -> this will find all the users called diego (there can be more than one)
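
An added example (not part of the original procedure) of an exact-match lookup to run before `userdel -r`: `grep -i` matches the text anywhere in the line, so it can also return similar IDs or comment fields. The passwd-format sample and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed passwd-format sample (not taken from a real server).
PASSWD_SAMPLE='czhpyr:x:20451:100:Diego Example:/export/home/czhpyr:/bin/bash
czhpyr2:x:20470:100:Test Account:/export/home/czhpyr2:/bin/bash
dgarcia:x:20471:100:Diego Garcia:/export/home/dgarcia:/bin/bash
backup:x:20472:100:owner czhpyr:/export/home/backup:/bin/sh'

# login_exact ID: print only the entry whose login field equals ID exactly.
# Appending "" forces a string comparison even for numeric-looking IDs.
login_exact() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v id="$1" '($1 "") == (id "")'
}

# login_substring ID: what `grep -i ID /etc/passwd` returns (any matching line).
login_substring() {
    printf '%s\n' "$PASSWD_SAMPLE" | grep -i -- "$1"
}

# name_search NAME: logins whose comment field contains NAME, ignoring case.
name_search() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: -v n="$1" 'index(tolower($5), tolower(n)) { print $1 }'
}

# safe_to_delete ID: succeeds only when exactly one entry has that login.
safe_to_delete() {
    [ "$(login_exact "$1" | grep -c .)" -eq 1 ]
}

# Demo: the substring search returns three lines, the exact lookup one.
login_substring czhpyr
login_exact czhpyr
```
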

WINDOWS:

For a Windows domain account, you will have to find the specific ID in AD, right-click and hit “Delete”.
------------------------------------------------------------------------------------------------------------------------------------------

Documentation version 1

Created by Diego Benedetto diego.benedetto@hpe.com

Date: October 22 2015
