[OpenAFS] Home directory in AFS

Turbo Fredriksson turbo@bayour.com
19 Apr 2002 14:30:54 +0200


I have added a test user to my system, so as not to disturb
anything until I get it working. The plan is to move
ALL users to AFS space...

I'm using LDAPv3 (OpenLDAP 2.0.23, CyrusSASL 1.5.27, MIT Kerberos V 1.2.4)
under my Debian GNU/Linux semi-potato system.

This has worked for over a year flawlessly. QmailLDAP is using
it as mail base, Kerberos V has all the passwords etc.

As myself (turbo), I have my home directory in non-AFS space, and
I can get a ticket and a token:
----- s n i p -----
[papadoc.pts/9]$ klist ; tokens
Ticket cache: FILE:/home/fredriksson/turbo/.krb5_cache
Default principal: turbo@BAYOUR.COM

Valid starting     Expires            Service principal
04/19/02 13:51:08  04/19/02 17:51:08  host/papadoc.bayour.com@BAYOUR.COM
04/19/02 13:51:08  04/19/02 17:51:08  krbtgt/BAYOUR.COM@BAYOUR.COM
04/19/02 13:51:17  04/19/02 17:51:08  afs@BAYOUR.COM
04/19/02 14:00:49  04/19/02 17:51:08  ldap/papadoc.bayour.com@BAYOUR.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@bayour.com [Expires Apr 19 17:51]
   --End of list--
[papadoc.pts/9]$ 
----- s n i p -----

I can view files in '/afs/bayour.com/*' with the token, as shown:
----- s n i p -----
[papadoc.pts/9]$ ls /afs/bayour.com/
public/  user/
[papadoc.pts/9]$ ls /afs/bayour.com/user/
turbo/
[papadoc.pts/9]$ 
----- s n i p -----

The directory '/afs/bayour.com/user/turbo' is my
home-to-be... I have the PAM module 'pam_mkhomedir' enabled,
so that if the directory doesn't exist, it will be created on
first login (verified!)...

Now, my test user 'frans' has his home directory set as
----- s n i p -----
dn: uid=frans,ou=People,dc=papadoc,dc=bayour,dc=com
homeDirectory: /afs/bayour.com/user/frans
----- s n i p -----


First thing is, the home directory IS created in AFS
space, but 'frans' doesn't have access to it:
----- s n i p -----
[logging in from remote host with ssh]
Could not chdir to home directory /afs/bayour.com/user/frans: Permission denied
bash: /afs/bayour.com/user/frans/.bash_profile: Permission denied
frans@papadoc:/$ cd
bash: cd: /afs/bayour.com/user/frans: Permission denied
frans@papadoc:/$ ls -l /afs/bayour.com/user
ls: /afs/bayour.com/user: Permission denied
frans@papadoc:/$ id
uid=1058(frans) gid=1058(frans) groups=1058(frans)
----- s n i p -----

And as myself:
----- s n i p -----
[papadoc.pts/8]$ ls -l /afs/bayour.com/user
total 4
drwxr-xr-x    3 frans    frans        2048 Apr 19 14:23 frans/
drwxrwxr-x    3 turbo    turbo        2048 Apr  8 14:59 turbo/
----- s n i p -----

Now, if I'm remembering correctly from the list, I probably have to add
'frans' to the OpenAFS user database as well. But is there ANY way
that I can get away with NOT doing this?!? I already have TWO databases
for the users, and one more irritates me :)


Secondly, and I've discussed this on the MIT Kerberos V mailing list,
what about using RSA keys? I liked that feature of SSH very much when
I started using it around '95 (or whatever it was :)... Especially
when starting my X window manager as an ssh-agent :)

When using RSA keys, I don't get the initial ticket, and therefore can't
get the AFS token either... :(
-- 
ammunition Waco, Texas toluene bomb $400 million in gold bullion jihad
Legion of Doom Ft. Bragg [Hello to all my fans in domestic
surveillance] Ft. Meade NSA BATF FBI nitrate nuclear
[See http://www.aclu.org/echelonwatch/index.html for more about this]
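Editor's added example (not part of the post above, and not OpenAFS project code): the two things the "Permission denied" output shows are missing for 'frans', a protection-database (pts) entry and an AFS ACL on the new home directory, scripted as one procedure. It assumes things the post does not state: that pts and fs are on PATH, that the script is run with an administrator token (a member of system:administrators), that home directories live under /afs/<cell>/user/<login>, and that the LDAP uidNumber should double as the AFS ID. By default it only prints the commands (RUN=echo), so it can be reviewed before it touches the cell.

```shell
#!/bin/sh
# Added example, not from the original post: give an LDAP/Kerberos user an
# AFS identity and an AFS home directory they can actually enter.
#
# Assumptions (not stated in the post): pts and fs are on PATH, the caller
# holds an admin token, and homes live under /afs/<cell>/user/<login>.
# RUN=echo (the default) prints the commands instead of executing them;
# set RUN= (empty) to run them for real.

RUN="${RUN-echo}"

# afs_home_path <login> <cell>  -> the home directory path for that login
afs_home_path() {
    printf '/afs/%s/user/%s\n' "$2" "$1"
}

# afs_home_setup <login> <unix-uid> <cell>
# Emits (or runs) the steps in the order they have to happen.
afs_home_setup() {
    login=$1
    uid=$2
    cell=$3
    parent="/afs/${cell}/user"
    home=$(afs_home_path "$login" "$cell")

    # 1. Protection database entry.  The fileserver only recognises users
    #    that exist in pts; a Kerberos principal with no pts entry is
    #    treated as anonymous and gets only what system:anyuser gets.
    #    -id ties the AFS ID to the Unix uid so that 'ls -l', 'id' and
    #    'tokens' all name the same identity.
    $RUN pts createuser -name "$login" -id "$uid"

    # 2. Every path component needs lookup ('l') for the caller, or 'cd'
    #    and 'ls' on the parent fail with "Permission denied".
    #    system:authuser limits this to holders of a token for the cell;
    #    system:anyuser is the looser, more common choice and also covers
    #    tokenless root processes (a PAM module running before the token
    #    exists, for instance).
    $RUN fs setacl -dir "$parent" -acl system:authuser l

    # 3. AFS ignores the Unix mode bits pam_mkhomedir set on the
    #    directory; only the ACL grants rights.  'all' expands to rlidwka,
    #    including 'a' (administer), so the user can manage it afterwards.
    $RUN fs setacl -dir "$home" -acl "$login" all

    # 4. Show the resulting ACL so the change can be verified.
    $RUN fs listacl -path "$home"
}

if [ $# -ge 3 ]; then
    afs_home_setup "$@"
fi
```

Run it as `sh afs-home.sh frans 1058 bayour.com` to review the commands, then with `RUN=` to apply them. The ACL on the parent is set unconditionally here; in a real cell it belongs in the one-time cell setup rather than in every per-user run, and 'pts createuser' will fail (harmlessly) if the entry already exists.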