[OpenAFS] Home directory in AFS

Derek Atkins warlord@MIT.EDU
19 Apr 2002 14:29:38 -0400


Turbo Fredriksson <turbo@bayour.com> writes:

>     Charles> What are the permissions on /afs/bayour.com/user?
> 
> [papadoc.pts/8]$ ls -ld /afs/bayour.com/user
> drwxrwxrwx    4 root     root         2048 Apr 19 14:23 /afs/bayour.com/user/

This doesn't help.  What are your AFS permissions?  What do you get
from:
        fs la /afs/bayour.com/user/

>     Charles> You're letting someone with no AFS token create
>     Charles> directories in AFS space?
> 
> Yes (?). How else would homedirs be automatically created (a necessity
> in my opinion).

Are you crazy, or just unaware of the security implications?  Since
AFS is a global file system, you are leaving yourself open to a wide
range of attacks.  Do you allow users to create their own accounts?
How do you provision LDAP with a user's account information?  How do
you provision Kerberos with their password?  However you do it, at
that time you should create their AFS home directory:

        vos create <server> <partition> user.<username>
        fs mkm /afs/.bayour.com/user/<username> user.<username>
        vos release user

> How would separate volumes / user be more scalable? If I say '50Mb/user',
> then _I'M_ screwed, my homedir is roughly 2Gb...

It's more scalable because you can only move volumes to different
servers.  You can set volume quotas to infinite, but a volume MUST be
stored on a single partition.  If you have all your users under
/afs/bayour.com/user, in the "user" volume, then that volume must be
on a single partition!  On the other hand, if each user has their own
volume, you can move them individually to balance your disk usage.

To repeat: you CAN set quotas to be infinite.

> Que? I get a token, yes? That's what's happening now (in /etc/profile).
> 
> Is there no way that the "OpenAFS protection server" can be the "MIT
> Kerberos V KDC" (or at least be told to look there)?

The protection server != the authentication server.  Yes, you get a
token -- that's the AUTHENTICATION, which is Kerberos.  The PROTECTION
(PT) server is where all your user and group identification exists.
This is how you map from Kerberos Principal (e.g. "turbo@bayour.com")
to AFS User ID and GroupList.

> It's just a database. Kerberos on the other hand was DESIGNED (from the
> ground up) to be used in (on?) insecure networks...
> 
> And OpenAFS themselves recommend to use (MIT) Kerberos V instead of the builtin
> auth system...

Right.  But that is not sufficient for what you want to do.

What you need is:

        Kerberos (for user Authentication)
        LDAP (for user LOGIN information)
        PTServer (for AFS User/Group entries)

Yes, this is a duplication of data.  No, there is no way to have
PTServer look at LDAP.  Yes, you can programmatically get LDAP to feed
data to PTServer.  No, I do not have the code to do this.

There is no other way.  AFS depends on PTServer, and _will NOT work_
without it.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
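The provisioning procedure Derek gives above, written out as a small script. This is an added example, not code from the thread or from OpenAFS itself. It assumes the cell is bayour.com with the read/write path at /afs/.bayour.com, a hypothetical file server afs1.bayour.com with partition a, and that the administrator runs it with an admin token at account-creation time, right after the Kerberos principal and LDAP entry are made. Two things go beyond the three commands in the message: a `pts createuser` step, because Derek says the PTServer entry must exist for AFS to work at all, and an `fs setacl` step that gives the user full rights to the new home while leaving system:anyuser with lookup only, so that directories can no longer be created by anyone without a token. The second function is the check Derek asks for: it reads `fs listacl` (`fs la`) output and reports whether system:anyuser holds the insert right. The listings it is run on are constructed, and the script runs in dry-run mode by default so it can be read without an AFS cell.

```shell
#!/bin/sh
# Added example: per-user AFS home volume provisioning plus an ACL audit.
# Assumptions (not from the original post): cell bayour.com, RW path
# /afs/.bayour.com, server/partition passed by the caller.  AFS_DRY_RUN=1
# (the default here) prints the vos/fs/pts commands instead of running them;
# set AFS_DRY_RUN=0 to actually execute them with an admin token.

CELL_RW=/afs/.bayour.com
USER_VOL=user                  # parent volume mounted at /afs/bayour.com/user
AFS_DRY_RUN=${AFS_DRY_RUN:-1}

run() {
    if [ "$AFS_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_home <username> <server> <partition> [quota_kb]
# quota_kb defaults to 0, which AFS treats as an unlimited quota.
provision_home() {
    name=$1 server=$2 partition=$3 quota_kb=${4:-0}
    # PTS entry: maps the Kerberos principal to an AFS user ID.
    run pts createuser "$name"
    # One volume per user so it can be moved between servers independently.
    run vos create "$server" "$partition" "user.$name" -maxquota "$quota_kb"
    # Mount it in the read/write path of the parent "user" volume.
    run fs mkmount "$CELL_RW/user/$name" "user.$name"
    # Owner gets everything; anonymous users may only look up names
    # (lookup only, no insert).  Assumed policy, adjust to taste.
    run fs setacl "$CELL_RW/user/$name" "$name" all system:anyuser l
    # Release the parent volume so the RO replicas see the new mount point.
    run vos release "$USER_VOL"
}

# anyuser_can_insert <fs-listacl-output>
# Returns 0 when the Normal rights section grants 'i' to system:anyuser,
# i.e. anyone without a token can create entries.  Negative rights are
# not evaluated.
anyuser_can_insert() {
    printf '%s\n' "$1" | awk '
        /^Negative rights:/ { exit }
        $1 == "system:anyuser" && $2 ~ /i/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_dir <path>: run the check against a live directory (needs AFS).
audit_dir() {
    anyuser_can_insert "$(fs listacl "$1")"
}

# Constructed 'fs listacl' output for a parent directory that lets anyone,
# token or not, create entries (the situation described in the thread).
OPEN_ACL='Access list for /afs/bayour.com/user is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk'

# Constructed output after tightening: anonymous users can list and read only.
SAFE_ACL='Access list for /afs/bayour.com/user is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl'

# Demonstration (dry run): print the steps for one hypothetical user and
# audit the two constructed listings.
provision_home turbo afs1.bayour.com a
anyuser_can_insert "$OPEN_ACL" && echo "OPEN_ACL: system:anyuser may insert"
anyuser_can_insert "$SAFE_ACL" || echo "SAFE_ACL: insert needs a token"
```

In a real deployment the call to `provision_home` belongs in whatever tool already creates the Kerberos principal and LDAP entry, as Derek suggests, and `audit_dir /afs/bayour.com/user` is a quick way to confirm afterwards that the parent directory no longer grants insert to system:anyuser.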