Slashdot Mirror


Administration on Systems w/ Lots of Users?

kidlinux asks: "Since I started using Linux I've relied mostly on documentation to learn how to use any given aspect of the system. Up until now, I've been used to setting up systems for myself and a few of my friends. I have recently been hired to set up a system which will have 100+ users. Some will have shell access, some email only, some web access, etc. When setting up a system for vast amounts of users, are things done differently? What kind of things do I need to consider when configuring the system? Is there any documentation available for setting up large scale systems?"

2 of 15 comments

  1. Clarifications... by ameoba · · Score: 4, Insightful

    A few questions need to be answered:

    Do you want to make email-only users (i.e. not allow shell access), or are you just expecting some users to limit their use to just that?

    What is the intended purpose of this? Is it a money-making venture, or more of a communal-access project?

    What do you plan on ppl using their shell accounts for? Interactive access involving compilers &C can create a whole world of headaches.

    A few ideas for you to consider...

    Disk quotas & process caps are useful in preventing users from using all available system resources (not to mention how a single fork-bomb can ruin an admin's day).

    If you plan on having different types of accounts, write scripts to automate the account creation process (knowing/learning a scripting language will pay off big).

    Resist the urge to run bleeding edge software on the machine. OTOH, you have to keep up w/ security patches.

    If you have any say in the hardware the machine is on, spring the extra cash for good hardware. SCSI drives (SCSI pays off bigtime when you have many different users trying to access the drive). ECC RAM is another good idea. "Server-Grade" hardware will usually last longer & be less prone to failures.

    Logs, Logs, Logs. Make sure to keep good logs & have a good log-rotation process in place. Not only will they help you identify security problems, but they can be useful for debugging the system (and if you feel like putting the work in, identifying the actual usage patterns of the system to streamline/optimize the system for what it's really being used for).

    --
    my sig's at the bottom of the page.
  2. Some tips ... by dustpuppy · · Score: 5, Interesting
    First off, 100 users really isn't what I would call 'vast'. Try 6000 users spread around the nation - that is vast (yes, I personally look after such a system).

    Anyway, some tips:
    • map out uid ranges for specific functions. eg for the users who only have email access, let them have a uid ranging from 1000-2000 etc. This isn't always possible, but if it can be done, it does help keep things neat and in order
    • have a variety of scripts (be it command line or gui driven) to help you automate and simplify user administration. eg you might have a script to bulk create users who only need web access
    • work out, document and follow standards - eg passwords must be changed every 90 days, 3 unsuccessful login attempts will disable your account, full name in the comment field. Make sure these rules are adhered to.
    • make sure you have monitoring scripts to make sure that your system isn't buckling under the load if all the users decide to log on at once
    • if you can, put CPU utilisation caps on each user - this will stop one user from having a runaway process that chews 100% of your CPU slowing the system down for the other 5999 users
    • set up your system so that you can control the number of sessions that each user can have. This will prevent someone sharing their account, or logging in multiple times consuming resources. Of course, if you've got ample resources, then this won't be a problem ... but it's something to check.
    • Periodically check for duplicate uids or null passwords etc - these can be big security holes and they are easy to miss when you have a lot of users.
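
Added example, not part of either comment above: a small shell audit for the periodic checks mentioned in the last tip (duplicate uids, null passwords), plus a check that accounts in a uid range reserved for email-only users have no login shell. The function names, the sample files and the assumption that email-only accounts use a `nologin` or `false` shell are illustrative choices made here; the 1000-2000 range is the one used as an example in the comment.

```shell
#!/bin/sh
# Added example: audit passwd/shadow-format files (not code from the thread).

# dup_uids FILE: print "uid:name1,name2" for each UID shared by several accounts.
dup_uids() {
    awk -F: '!/^#/ && NF >= 7 { names[$3] = (n[$3]++ ? names[$3] "," : "") $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }' "$1" | sort -n
}

# empty_passwords FILE: print accounts whose password field (field 2) is empty.
# "!" and "*" mean locked and "x" means "see shadow", so only "" is reported.
empty_passwords() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1" | sort
}

# login_shell_in_range FILE LO HI: print "name:shell" for accounts whose UID is
# in LO..HI but whose shell is not nologin/false (assumed email-only convention).
login_shell_in_range() {
    awk -F: -v lo="$2" -v hi="$3" '!/^#/ && NF >= 7 {
        if ($3+0 >= lo+0 && $3+0 <= hi+0 && $7 !~ /\/(nologin|false)$/)
            print $1 ":" $7
    }' "$1" | sort
}

# Constructed sample data (not from any real system).
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/usr/sbin/nologin
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
carol:x:1002:1003:Carol Example:/home/carol:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
dave:x:2001:2001:Dave Example:/home/dave:/bin/bash
EOF
cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
bob::19000:0:99999:7:::
carol:*:19000:0:99999:7:::
EOF

echo "Duplicate UIDs:";  dup_uids "$AUDIT_DIR/passwd"
echo "Empty passwords:"; empty_passwords "$AUDIT_DIR/shadow"
echo "Login shell inside email-only range 1000-2000:"
login_shell_in_range "$AUDIT_DIR/passwd" 1000 2000
```

On a live system the same functions can be pointed at `/etc/passwd` and `/etc/shadow` (the latter needs root) and run from cron, with any non-empty output mailed to the admin.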