[OpenAFS] Home directory in AFS

Turbo Fredriksson turbo@bayour.com
19 Apr 2002 19:42:02 +0200


>>>>> "Charles" == Charles Clancy <security@xauth.net> writes:

    >> > The directory '/afs/bayour.com/user/turbo' is my
    >> > home-to-be.

    Charles> What are the permissions on /afs/bayour.com/user?

[papadoc.pts/8]$ ls -ld /afs/bayour.com/user
drwxrwxrwx    4 root     root         2048 Apr 19 14:23 /afs/bayour.com/user/

    Charles> You're letting someone with no AFS token create
    Charles> directories in AFS space?

Yes (?). How else would homedirs be automatically created (a necessity
in my opinion).

    Charles> In general, each user normally has their own
    Charles> volume for their home directory.  Your model does not
    Charles> seem scalable.

How would separate volumes / user be more scalable? If I say '50Mb/user',
then _I'M_ screwed, my homedir is roughly 2Gb...

    >> > Now, if I'm remembering correctly from the list, I probably
    >> > have to add 'frans' to the OpenAFS user database as well. But
    >> > is there ANY way that I can get away NOT doing this?!? I
    >> > already have TWO databases for the users, and one more
    >> > irritates me :)

    Charles> You definitely need to add users to OpenAFS's protection
    Charles> server.  Otherwise they will never be able to access AFS
    Charles> space as an authenticated user.  Aklog can do this
    Charles> automatically.

Que? I get a token, yes? That's what's happening now (in /etc/profile).

Is there no way that the "OpenAFS protection server" can be the "MIT
Kerberos V KDC" (or at least be told to look there)?

    Charles> Why are you using LDAP?!

Because I think NIS sucks (BIG TIME)...

    Charles> It seems like you're just
    Charles> adding an extra step to make things more complicated.

    Charles> You obviously need some sort of name service for a
    Charles> network of this nature, which LDAP can certainly do for
    Charles> you, but why kerberize it?

Because LDAP wasn't designed to be 'secure'. It's a directory database;
it has no provisions for secure authentication, connections and communications.

It's just a database. Kerberos on the other hand was DESIGNED (from the
ground up) to be used in (on?) insecure networks...

And OpenAFS themselves recommend using (MIT) Kerberos V instead of the built-in
auth system...
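Added example, not part of the thread: Charles's question is whether a client with no AFS token can create directories under /afs/bayour.com/user, and the `ls -ld` mode bits do not answer it, because AFS ignores Unix mode bits on directories and enforces the ACL that `fs listacl` prints. This POSIX shell check parses constructed `fs listacl` output (not real output from bayour.com) and flags system:anyuser entries carrying insert, delete, write or administer rights, with a tightened ACL shown beside the open one.

```shell
#!/bin/sh
# Checks the AFS ACL of a directory for rights that let an unauthenticated
# client (system:anyuser) modify it. Input is the text of `fs listacl DIR`.
# AFS rights letters are r l i d w k a; any of i d w a on system:anyuser
# means a client with no token can create, delete or rename entries.

# afs_acl_anon_modify ACL_TEXT
# Prints each offending entry and returns 1 if system:anyuser has modify
# rights, 0 if anonymous clients can at most read and list.
afs_acl_anon_modify() {
    printf '%s\n' "$1" | awk '
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == "system:anyuser" && $2 ~ /[idwa]/ {
            print "anonymous modify rights: " $1 " " $2
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: an ACL matching the wide-open parent directory in the
# thread (hypothetical, not captured from bayour.com). system:anyuser holds
# i and d, so a client with no token may create home directories here.
OPEN_ACL='Access list for /afs/bayour.com/user is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk'

# Constructed sample of a tightened ACL: anonymous and authenticated users
# may only look up entries; only system:administrators, who must hold a
# token, may create home directories, e.g. from an account-creation script.
TIGHT_ACL='Access list for /afs/bayour.com/user is
Normal rights:
  system:administrators rlidwka
  system:authuser l
  system:anyuser l'

for acl in "$OPEN_ACL" "$TIGHT_ACL"; do
    if afs_acl_anon_modify "$acl"; then
        echo "ok: anonymous clients cannot modify this directory"
    fi
done
```

To check a live cell, feed the function the output of `fs listacl /afs/bayour.com/user` instead of the constructed samples.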