Skip to main content

User Management

This document covers the complete process for managing users on the HPC cluster, including creation, group access, disk quotas, Docker access, account lifecycle management, and syncing accounts across cluster nodes.


1. User Creation

Create a New User

# Create user with home directory and bash shell
sudo useradd -m -s /bin/bash -g <primary_group> USERNAME

# Set password
sudo passwd USERNAME
note

This is run on node01, where -m creates the user's home directory on the NFS-shared /home. Since /home is shared, this directory becomes immediately visible on node02 as well — so on node02 the user should be created without -m/with -M (see Syncing User Accounts below).

note

After creating a user on node01, you must also replicate the account (UID/GID, groups, and password) on node02. See Syncing User Accounts Between node01 and node02 below.

Verify User Created

id USERNAME
getent passwd USERNAME

Useful Commands

# Change primary group
sudo usermod -g <group> USERNAME

# Delete the auto-created user private group if not needed
sudo groupdel USERNAME

# Verify
groups USERNAME
ls -la /home | grep USERNAME

2. Hide User from GDM Login Screen

For SSH-only users who should not appear on the graphical login screen:

Create AccountsService Override

sudo vim /var/lib/AccountsService/users/USERNAME

Add:

[User]
SystemAccount=true

Apply Changes

sudo systemctl restart gdm3
note

Hidden users can still use SSH with X11 forwarding (ssh -X) for GUI applications.


3. Set User Display Name

To show a full name on the login screen instead of the username:

sudo chfn -f "Full Name Here" USERNAME

Restart GDM to see changes:

sudo systemctl restart gdm3

4. Disk Quota Setup

info

This section applies to local disk quotas only (e.g. on a local /home partition). If /home is mounted from the NAS via NFS, quota management is handled on the NAS via ZFS userquota. See the Storage doc for details.

Prerequisites (One-time Setup)

Ensure /etc/fstab has the usrquota option on /home:

# Before
/dev/disk/by-uuid/YOUR-UUID /home ext4 defaults 0 2

# After
/dev/disk/by-uuid/YOUR-UUID /home ext4 defaults,usrquota 0 2

Enable quotas:

sudo mount -o remount /home
sudo quotacheck -cum /home
sudo quotaon /home

Set User Quota

# Format: soft limit, hard limit (in KB), soft inodes, hard inodes
sudo setquota -u USERNAME SOFT_KB HARD_KB 0 0 /home

Common Quota Sizes

SizeValue (KB)Command
50 GB52428800sudo setquota -u USERNAME 52428800 52428800 0 0 /home
100 GB104857600sudo setquota -u USERNAME 104857600 104857600 0 0 /home
200 GB209715200sudo setquota -u USERNAME 209715200 209715200 0 0 /home
500 GB524288000sudo setquota -u USERNAME 524288000 524288000 0 0 /home

Verify Quota

sudo quota -u USERNAME

View All Quotas

sudo repquota /home

5. Group Management

Create a New Group

sudo groupadd GROUPNAME

Add User to a Group

sudo usermod -aG GROUPNAME USERNAME

Add User to Multiple Groups

sudo usermod -aG group1,group2,group3 USERNAME

Remove User from a Group

sudo gpasswd -d USERNAME GROUPNAME

View User's Groups

groups USERNAME

View All Members of a Group

getent group GROUPNAME

6. Standard Group Access

Standard User (Non-Admin)

For regular HPC users with Docker access:

sudo usermod -aG docker USERNAME

Administrator

For users who need full system administration capabilities:

sudo usermod -aG adm,cdrom,sudo,dip,plugdev,lxd,docker USERNAME
GroupPurpose
sudoAdministrative (root) access
admRead system logs
cdromAccess CD-ROM devices
dipNetwork dial-up access
plugdevAccess removable devices
lxdLXD container management
dockerDocker container access

7. Shared Folder Access Between Users

Create a shared folder that multiple users can access:

# Create shared folder
sudo mkdir /home/SHARED_FOLDER

# Set group ownership
sudo chown root:GROUPNAME /home/SHARED_FOLDER

# Set permissions (group read/write, setgid for new files)
sudo chmod 2770 /home/SHARED_FOLDER
note

The 2 (setgid) ensures new files created inside the folder inherit the group.

Option B: Access Each Other's Home Directories

Allow users in the same group to access each other's home folders:

# Create shared group
sudo groupadd GROUPNAME

# Add users to group
sudo usermod -aG GROUPNAME user1
sudo usermod -aG GROUPNAME user2

# Change group ownership of home directories
sudo chgrp GROUPNAME /home/user1
sudo chgrp GROUPNAME /home/user2

# Set permissions
sudo chmod 750 /home/user1 # group can read/list
sudo chmod 750 /home/user2

Permission Reference

PermissionOwnerGroupOthersUse Case
700rwx------Private, no sharing
750rwxr-x---Group can read/list
770rwxrwx---Group can read/write
755rwxr-xr-xPublic read access

8. Docker Access

Add User to Docker Group

sudo usermod -aG docker USERNAME

Verify

groups USERNAME

Test Docker Access

sudo -u USERNAME docker run hello-world
note

Docker images stored in /home/docker are not subject to user quotas. Monitor usage with docker system df.


9. Admin Privileges

Grant Sudo Access

sudo usermod -aG sudo USERNAME

Remove Sudo Access

sudo gpasswd -d USERNAME sudo

Check Sudoers Files

# Check for user-specific sudoers files
ls -la /etc/sudoers.d/

# Remove if exists
sudo rm /etc/sudoers.d/USERNAME

Verify Sudo Status

sudo -l -U USERNAME

10. Delete User Groups

When users share a common group, their individual private groups may no longer be needed.

warning

You cannot delete a group that is a user's primary group. Change it first.

# Step 1: Change primary group to shared group
sudo usermod -g NEWGROUP USERNAME

# Step 2: Verify primary group changed
id USERNAME

# Step 3: Delete old group
sudo groupdel USERNAME

# Step 4: Verify
groups USERNAME

11. Force Password Change on First Login

sudo chage -d 0 USERNAME

Verify

sudo chage -l USERNAME
# Output should show: Last password change : password must be changed

Set Password Expiry Policy

# Password expires after 90 days
sudo chage -M 90 USERNAME

# Warn user 7 days before expiry
sudo chage -W 7 USERNAME

# View all password policies
sudo chage -l USERNAME

Password Policy Options

OptionDescription
-d 0Force change on next login
-M DAYSMaximum days before password expires
-m DAYSMinimum days between password changes
-W DAYSWarning days before expiration
-E DATEAccount expiration date (YYYY-MM-DD)

12. User Modification Reference

# Change password
sudo passwd USERNAME

# Change shell
sudo usermod -s /bin/zsh USERNAME

# Change home directory
sudo usermod -d /home/newhome -m USERNAME

# Rename user
sudo usermod -l NEWNAME OLDNAME

# Lock account
sudo usermod -L USERNAME

# Unlock account
sudo usermod -U USERNAME

# Set account expiration
sudo usermod -e 2026-12-31 USERNAME

# Remove expiration
sudo usermod -e "" USERNAME

# Delete user and home directory
sudo userdel -r USERNAME

# Remove AccountsService file if exists
sudo rm /var/lib/AccountsService/users/USERNAME

View User Info

id USERNAME
groups USERNAME
getent passwd USERNAME
sudo chage -l USERNAME

13. Adding to or Removing from vglusers

For users who need VirtualGL access for GPU-accelerated remote rendering:

# Add user
sudo usermod -aG vglusers USERNAME

# Remove user
sudo deluser USERNAME vglusers
note

Users must log out and back in (or reboot) for group changes to take effect. See the VirtualGL guide for details.


14. Syncing User Accounts Between node01 and node02

This section covers how to replicate a user account (UID/GID, group memberships, and password) from the head node (node01) to the compute node (node02) for the two-node SLURM cluster.

warning

Since /home is shared via NFS, user accounts must exist locally with matching UID/GID on both nodes — this is required for SLURM to function correctly (see Adding a Node). However, home directories should not be created by useradd on node02 (they already exist on the NFS share).

tip

Creating a new group that isn't tied to a specific user — e.g. a shared project group — instead of syncing an existing user account? See Worked Example: Creating a New Project Group below.

Step 1: List Users

To list all regular (non-system) usernames on a node:

awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd

Step 2: Check User/Group Info

On node01, check the UID, primary GID, and supplementary groups for the new user:

id username
groups username

Step 3: Create the User on node02

Ensure any required groups exist on node02 with matching GIDs first:

sudo groupadd -g <gid> <groupname>

Then create the user without creating a home directory (NFS-shared /home):

sudo useradd -u <uid> -g <primary_gid> -s /bin/bash -c "Full Name" -d /home/username -M username
sudo usermod -aG docker,tools,... username
FlagMeaning
-MDo not create home directory
-GSupplementary groups (replaces all existing supplementary groups)

Step 4: Sync Group Membership

Compare and align supplementary groups so they match between nodes:

for u in user1 user2 user3; do
echo "== $u =="
echo -n "groups: "; groups $u
echo -n "id: "; id $u
done

Run this on both node01 and node02 and compare output side by side. Fix mismatches with:

sudo usermod -G group1,group2,... username
warning

usermod -G replaces all supplementary groups for that user, so list all groups the user should belong to.

Step 5: Sync Passwords

Passwords are stored as hashes in /etc/shadow. Never edit /etc/shadow directly with echo >> — use chpasswd -e or usermod -p, which write safely with proper locking.

Get the Hash from node01

sudo grep ^username: /etc/shadow

This returns:

username:$y$j9T$.../...:lastchange:0:99999:7:::

Copy the username:hash portion (first two fields, separated by :).

Apply the Hash on node02

Option A — usermod -p (single user, recommended for one-off changes):

sudo usermod -p '$y$j9T$...' username

Option B — chpasswd (heredoc, useful for syncing multiple users at once):

sudo chpasswd -e <<'EOF'
username1:$y$j9T$...
username2:$y$j9T$...
EOF

Verify

Run on both nodes and compare:

for u in user1 user2 user3; do
sudo grep ^$u: /etc/shadow | cut -d: -f1,2
done

/etc/shadow Field Reference

The shadow file format is:

username:hash:lastchange:min:max:warn:inactive:expire:reserved
FieldMeaning
hashEncrypted password hash
lastchangeDays since Unix epoch (1970-01-01) when password was last changed
minMinimum days before password can be changed again
maxMaximum days password is valid (99999 ≈ never expires)
warnDays before expiration to warn the user
inactiveDays after expiration before account is disabled
expireAccount expiration date (days since epoch)
note

When using chpasswd -e, verify that lastchange updates correctly and isn't left blank or reset to 0.

Long-Term Recommendation

For more than a handful of users, consider centralizing authentication with LDAP/SSSD so accounts only need to be created once and are automatically consistent across all nodes.


15. Worked Example: Creating a New Project Group

This walks through creating a brand-new shared group (not tied to a single user) and a shared project folder, on the two-node cluster.

Step 1: Find a Free GID on Both Nodes

getent group | sort -t: -k3 -n

Run on both node01 and node02, and pick a GID that's unused on both.

Step 2: Create the Group with the Same GID on Both Nodes

# On node01
sudo groupadd -g <GID> <groupname>

# On node02
sudo groupadd -g <GID> <groupname>
warning

Both nodes must use the identical GID, the same way SLURM requires matching UID/GID for users. If you run groupadd <groupname> without -g on each node separately, they can end up with different GIDs and silently break permissions on the NFS-shared /home.

Verify:

getent group <groupname>

Should print the same groupname:x:<GID>: on both nodes.

Step 3: Add Existing Users to the Group (Both Nodes)

sudo usermod -aG <groupname> USERNAME
warning

Use -aG (append), not -G (replace). -G wipes out the user's other supplementary groups (e.g. docker, tools).

Run on both nodes, then verify with groups USERNAME on each — output should match.

Step 4: Create a Shared Project Folder

Run once on either node (/home is NFS-shared, so this is visible on both immediately):

sudo mkdir /home/<folder_name>
sudo chown <owner_user>:<groupname> /home/<folder_name>
sudo chmod 2770 /home/<folder_name>

The setgid bit (2) makes new files/folders created inside inherit the group, so it stays usable as a shared workspace.

Verify:

ls -ld /home/<folder_name>