[OpenAFS] Home directory in AFS

Turbo Fredriksson turbo@bayour.com
23 Apr 2002 08:09:05 +0200


>>>>> "Jason" == Jason Garman <jgarman@wedgie.org> writes:

    Jason> On Mon, Apr 22, 2002 at 10:16:08AM +0200, Turbo Fredriksson
    Jason> wrote:

    Charles> But by using a keytab, you're putting cleartext passwords
    Charles> on ALL your workstations!!
    Turbo>  NOW you're talking! Luckily theory and practice differ a
    Turbo> little, and it's not EXACTLY as bad as entering the cleartext
    Turbo> password in a world-readable file on disk. Close, but not
    Turbo> quite...
    Jason> Actually, it's worse.  You're putting the keys for your
    Jason> entire AFS cell in a file on disk.

It doesn't HAVE to have admin rights. Just enough rights to create a
directory on the 'user' partition. But that issue is moot, because
I now believe in the 'one volume for one user' issue.

IF it was possible to create volumes etc. WITHOUT having admin rights,
then that would be another issue. I'll have to dig through the manual
anyway, it seems, so...

    Jason>    Now -- you mentioned that you already have LVM and raid
    Jason> doing that work for you.  Well... if you have for example a
    Jason> concatenated disk set up, and you lose one disk in your
    Jason> disk set, guess what?  You lose everything.  When they're
    Jason> separate you just lose one disk.

Yes. With the setup I've been 'forced' to use, this was "acceptable risk".

    Turbo>  It seems like I have to. I had just gotten used to the
    Turbo> functionality that pam_mkhomedir gave me, so I didn't have to
    Turbo> bother with the homedir until the user actually logged in, not
    Turbo> wasting any space if it wasn't used.
    Jason> Okay now this is just ridiculous.  If you don't want to
    Jason> waste any space, why not pick the easier route and create
    Jason> the directory when the user is created (a few inodes
    Jason> "wasted" and a few more lines in your useradd script),

The thing is/was: I didn't HAVE a user add script! I didn't NEED one.

The user was created by cloning a LDAP object from a generalised LDAP
tool (LDAPExplorer).

    Jason> copy in any startup files (eg from /etc/skel or
    Jason> /afs/yourcell/common/etc/skel) into their home directory
    Jason> upon first login.

This is/was done by the pam_mkhomedir module...

    Jason> If you had 50,000 users (which for example some AFS cells
    Jason> have) then the space used by these directory entries would
    Jason> be a significant issue.  But I'm assuming you're talking
    Jason> several orders of magnitude smaller here.

OOH, YES! I only have around 60 so far :)

But this system is my private one. I have over the last year been
implementing the same system (LDAP+KerberosV, without AFS) on at least
two (ISP) sites.

So my private one is kind of a live test environment, where I try 'new'
technologies...
-- 
Ft. Meade CIA domestic disruption iodine Qaddafi Legion of Doom
congress South Africa Honduras SEAL Team 6 nuclear munitions security
assassination plutonium
[See http://www.aclu.org/echelonwatch/index.html for more about this]
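The thread's security point is that a keytab copied onto every workstation carries real keys, and that the damage depends on which principals are in it and who can read the file. The following is an added audit script, not code from the original post or from OpenAFS: it parses the MIT keytab v2 on-disk format (big-endian; int32 entry size, realm and name components as length-prefixed strings, name type, timestamp, 8-bit kvno, enctype and key, optional 32-bit kvno) and reports keys that a workstation should not be holding. The sample keytab, its principal names (host/ws01.example.com, afs) and realm EXAMPLE.COM are constructed for the example, as is the all-zero key material; the enctype numbers are the standard Kerberos assignments.

```python
import os
import stat
import struct
from dataclasses import dataclass

# Standard Kerberos enctype numbers; single-DES and RC4 are treated as weak.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}


@dataclass
class KeytabEntry:
    principal: str
    enctype: int
    kvno: int
    timestamp: int
    key_len: int


def _octet_string(buf: bytes, off: int):
    """Read a uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes):
    """Parse an MIT keytab v2 file image into a list of KeytabEntry."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        p = off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _octet_string(data, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _octet_string(data, p)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _octet_string(data, p)
        kvno = vno8
        if end - p >= 4:                 # 32-bit kvno present; non-zero wins
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, enctype, kvno, ts, len(key)))
        off = end
    return entries


def build_keytab(specs):
    """Serialise (principal, enctype, kvno, timestamp, key) tuples; used only
    to construct the sample keytab for this example."""
    out = b"\x05\x02"
    for principal, enctype, kvno, ts, key in specs:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def audit_keytab(data: bytes, mode: int):
    """Return findings for a keytab image given the file's st_mode bits."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("keytab is readable by group/other")
    for e in parse_keytab(data):
        first = e.principal.split("@")[0].split("/")[0]
        if first == "afs":               # the cell-wide AFS service key
            findings.append(f"cell key present on this host: {e.principal}")
        if "/admin@" in e.principal:
            findings.append(f"admin key present on this host: {e.principal}")
        if e.enctype in WEAK_ENCTYPES:
            name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
            findings.append(f"weak enctype {name} for {e.principal}")
    return findings


def audit_keytab_file(path: str):
    with open(path, "rb") as f:
        return audit_keytab(f.read(), os.stat(path).st_mode)


# Constructed sample: a workstation host key (fine) plus the cell key (not fine).
SAMPLE_KEYTAB = build_keytab([
    ("host/ws01.example.com@EXAMPLE.COM", 18, 3, 1019500000, bytes(32)),
    ("afs@EXAMPLE.COM", 1, 7, 1019500000, bytes(8)),
])

if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE_KEYTAB, 0o644):
        print(finding)
```

Run against a real file with `audit_keytab_file("/etc/krb5.keytab")`; an empty result means the file is mode 0600 and holds only per-host keys with modern enctypes, which is the most a keytab on a shared workstation should contain.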