[OpenAFS] Home directory in AFS
Turbo Fredriksson
turbo@bayour.com
19 Apr 2002 14:30:54 +0200
I have added a test user to my system, so as not to disturb
anything until I get it working. The plan is to move
ALL users to AFS space...
I'm using LDAPv3 (OpenLDAP 2.0.23, CyrusSASL 1.5.27, MIT Kerberos V 1.2.4)
under my Debian GNU/Linux semi-potato system.
This has worked flawlessly for over a year. QmailLDAP is using
it as mail base, Kerberos V has all the passwords, etc.
As myself (turbo) I have my home directory in non-AFS space, and
I can get a ticket and a token:
----- s n i p -----
[papadoc.pts/9]$ klist ; tokens
Ticket cache: FILE:/home/fredriksson/turbo/.krb5_cache
Default principal: turbo@BAYOUR.COM
Valid starting Expires Service principal
04/19/02 13:51:08 04/19/02 17:51:08 host/papadoc.bayour.com@BAYOUR.COM
04/19/02 13:51:08 04/19/02 17:51:08 krbtgt/BAYOUR.COM@BAYOUR.COM
04/19/02 13:51:17 04/19/02 17:51:08 afs@BAYOUR.COM
04/19/02 14:00:49 04/19/02 17:51:08 ldap/papadoc.bayour.com@BAYOUR.COM
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@bayour.com [Expires Apr 19 17:51]
--End of list--
[papadoc.pts/9]$
----- s n i p -----
I can view files in '/afs/bayour.com/*' with the token, as shown:
----- s n i p -----
[papadoc.pts/9]$ ls /afs/bayour.com/
public/ user/
[papadoc.pts/9]$ ls /afs/bayour.com/user/
turbo/
[papadoc.pts/9]$
----- s n i p -----
The directory '/afs/bayour.com/user/turbo' is my
home-to-be... I have the PAM module 'pam_mkhomedir' enabled,
so that if the directory doesn't exist, it will be created on
first login (verified!)...
Now, my test user 'frans' has his home directory set as
----- s n i p -----
dn: uid=frans,ou=People,dc=papadoc,dc=bayour,dc=com
homeDirectory: /afs/bayour.com/user/frans
----- s n i p -----
First thing is, the home directory IS created in AFS
space, but 'frans' doesn't have access to it:
----- s n i p -----
[logging in from remote host with ssh]
Could not chdir to home directory /afs/bayour.com/user/frans: Permission denied
bash: /afs/bayour.com/user/frans/.bash_profile: Permission denied
frans@papadoc:/$ cd
bash: cd: /afs/bayour.com/user/frans: Permission denied
frans@papadoc:/$ ls -l /afs/bayour.com/user
ls: /afs/bayour.com/user: Permission denied
frans@papadoc:/$ id
uid=1058(frans) gid=1058(frans) groups=1058(frans)
----- s n i p -----
And as myself:
----- s n i p -----
[papadoc.pts/8]$ ls -l /afs/bayour.com/user
total 4
drwxr-xr-x 3 frans frans 2048 Apr 19 14:23 frans/
drwxrwxr-x 3 turbo turbo 2048 Apr 8 14:59 turbo/
----- s n i p -----
Now, if I'm remembering correctly from the list, I probably have to add
'frans' to the OpenAFS user database as well. But is there ANY way
that I can get away with NOT doing this?!? I already have TWO databases
for the users, and one more irritates me :)
Secondly, and I've discussed this on the MIT Kerberos V mailing list,
what about using RSA keys? I liked that feature of SSH very much when
I started using it around '95 (or whatever it was :)... Especially
when starting my X window manager under ssh-agent :)
When using RSA keys, I don't get the initial ticket, and therefore can't
get the AFS token either... :(
--
ammunition Waco, Texas toluene bomb $400 million in gold bullion jihad
Legion of Doom Ft. Bragg [Hello to all my fans in domestic
surveillance] Ft. Meade NSA BATF FBI nitrate nuclear
[See http://www.aclu.org/echelonwatch/index.html for more about this]
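The "Permission denied" in the post is decided by the AFS directory ACL, not by the Unix mode bits that `ls -l` prints: entering or listing a directory needs the `l` (lookup) right from an ACL entry that names the pts user or a pts group the user belongs to, and a token for a principal that has no entry in the protection database is treated as anonymous, so it can only match `system:anyuser`. A new directory created by pam_mkhomedir copies the ACL of its parent. The following is an added example, not code from the post or from OpenAFS: it parses `fs listacl` output and evaluates the effective rights the fileserver would grant. The sample ACL (assumed to be the one `/afs/bayour.com/user/frans` inherited from its parent) and the pts group memberships are constructed so that it runs offline without a cell.

```python
"""Evaluate an OpenAFS directory ACL the way the fileserver does.

Added example, not code from the original mailing-list post.  The
`fs listacl` output and the pts memberships below are constructed for
illustration so that this runs offline without an AFS cell.
"""
from __future__ import annotations

# AFS rights letters: r read, l lookup, i insert, d delete, w write,
# k lock, a administer.  Unix mode bits on a directory are not consulted.
AFS_RIGHTS = "rlidwka"

# Shorthands accepted by `fs setacl`.
SETACL_ALIASES = {"read": "rl", "write": "rlidwk", "all": "rlidwka", "none": ""}

# Constructed sample: what `fs listacl /afs/bayour.com/user/frans` would show
# if the new directory simply inherited its parent's ACL (assumption).
SAMPLE_LISTACL = """\
Access list for /afs/bayour.com/user/frans is
Normal rights:
  system:administrators rlidwka
  turbo rlidwka
"""


def parse_listacl(text: str) -> dict[str, dict[str, set[str]]]:
    """Parse `fs listacl` output into {'normal': {name: rights}, 'negative': {...}}."""
    acl: dict[str, dict[str, set[str]]] = {"normal": {}, "negative": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            section = "normal"
            continue
        if line == "Negative rights:":
            section = "negative"
            continue
        if section is None:
            raise ValueError(f"ACL entry before any section header: {line!r}")
        name, rights = line.split()
        if set(rights) - set(AFS_RIGHTS):
            raise ValueError(f"unknown rights letters in {line!r}")
        acl[section][name] = set(rights)
    return acl


def setacl(acl, name: str, rights: str, negative: bool = False) -> None:
    """Model `fs setacl <dir> <name> <rights>`; 'none' removes the entry."""
    rights = SETACL_ALIASES.get(rights, rights)
    section = acl["negative" if negative else "normal"]
    if rights:
        section[name] = set(rights)
    else:
        section.pop(name, None)


def effective_rights(acl, principal: str | None, groups: set[str]) -> set[str]:
    """Rights granted: union of matching normal entries minus matching negative ones.

    `principal` is the pts user the token maps to, or None when the token
    maps to nobody (no pts entry, or no token at all).  system:anyuser
    matches everyone; system:authuser matches only a registered pts user.
    """
    def matches(name: str) -> bool:
        if name == "system:anyuser":
            return True
        if name == "system:authuser":
            return principal is not None
        return name == principal or name in groups

    def collect(entries: dict[str, set[str]]) -> set[str]:
        out: set[str] = set()
        for name, rights in entries.items():
            if matches(name):
                out |= rights
        return out

    return collect(acl["normal"]) - collect(acl["negative"])


def explain_chdir(acl, principal: str | None, groups: set[str]) -> str:
    """Why a chdir/ls into the directory succeeds or fails; 'l' (lookup) is required."""
    rights = effective_rights(acl, principal, groups)
    who = principal or "anonymous (no pts entry for this token)"
    if "l" in rights:
        return f"{who}: lookup granted, rights {''.join(r for r in AFS_RIGHTS if r in rights)}"
    return f"{who}: Permission denied, no 'l' right from any matching ACL entry"


if __name__ == "__main__":
    acl = parse_listacl(SAMPLE_LISTACL)
    # frans without a pts entry: the token maps to nobody, only system:anyuser matches.
    print(explain_chdir(acl, None, set()))
    # frans after `pts createuser frans`: registered, but still not on the ACL.
    print(explain_chdir(acl, "frans", set()))
    # after `fs setacl /afs/bayour.com/user/frans frans all`:
    setacl(acl, "frans", "all")
    print(explain_chdir(acl, "frans", set()))
    print(explain_chdir(acl, "turbo", {"system:administrators"}))
```

The first two calls reproduce the failure in the post from both sides: with no pts entry the token buys nothing, and with a pts entry but an inherited ACL that names only `turbo` and `system:administrators` the lookup is still refused. Only the `fs setacl` step changes the answer, which is why the `drwxr-xr-x frans frans` shown by `ls -l` is irrelevant here.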