[OpenAFS] Home directory in AFS

Charles Clancy security@xauth.net
Fri, 19 Apr 2002 14:38:45 -0500 (CDT)


>     Derek> To answer your other question: yes, AFS users _MUST_ exist
>     Derek> in the PTServer database in order to obtain AFS tokens.
>
> Dang! One more place to add users to... :(

Well, you should just need to add them once.  There are no further
synchronization problems.

>     Derek> One thing I am confused about is: how does the PAM module
>     Derek> have the ability to create a new volume in AFS?  Similarly,
>     Derek> if it can, why not just set the AFS acl?
>
> From what I know, it can't/doesn't. The 'pam_mkhomedir' module creates
> DIRECTORIES, not VOLUMES...

Right -- which is why it's even MORE unsuited for the task than you could
possibly imagine.

> I have all my users on ONE volume 'user'. I got a reply earlier (see
> earlier mails on the thread) that it should be more scalable if every
> user had their own volume, but "I'm a sceptic" :)

pam_mkhomedir works in a non-AFS environment because it runs as root,
before the user actually logs in.  It therefore has access to create
directories in "/home".  However, running as root, this module wouldn't
have admin access to AFS such that it could create directories (or
volumes!).  Any such arrangement where it did have access to create
directories and volumes would have grave security implications.

As far as "one-volume-per-home-directory":
1. You can specify different quotas for different users
2. Each user's backup volume is independent -- so when doing a restore
from tape, you don't have to restore all X GB of data, when the user's
homedir is only 10 MB.
3. If you want to move a user's volume to a different server (perhaps one
on their network, so it's faster), you can do that.
4. If something happens to the volume, "all your eggs aren't in 1 basket."
and many more...

The only conceivable reason for keeping them all on one volume would be
for your PAM module to work -- but it won't work anyway, so there are no
conceivable reasons.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
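The provisioning step the message says pam_mkhomedir cannot do, as an added example that is not part of the original thread and is not OpenAFS's own tooling: a small sh script an AFS administrator runs from a workstation where an admin token (a member of system:administrators, obtained with kinit and aklog or similar) is already held, rather than anything run as root out of PAM. It creates the PTS entry, one volume per user with its own quota, the mount point, the owner ACL and the backup clone, and goes one step past the message by including the "move the volume to a different server" case from point 3. The cell name example.com, the mount path /afs/example.com/user, the user.USER volume naming and the server and partition names are assumptions; setting AFS_DRY_RUN=1 prints the commands instead of running them, which is also how the block can be exercised without an AFS cell.

```shell
#!/bin/sh
# Added example (not from the original thread): provision one AFS home volume
# per user from an admin session, the job pam_mkhomedir cannot do.
#
# Assumptions (hypothetical, not stated on the page):
#   - the cell is example.com and homes are mounted under /afs/example.com/user
#   - the caller already holds an AFS token for a member of
#     system:administrators (kinit + aklog); being root is not enough
#   - per-user volumes are named user.USER; server/partition are passed in
#
# Set AFS_DRY_RUN=1 to print the commands instead of running them.

CELL_ROOT="${CELL_ROOT:-/afs/example.com/user}"

# run: execute a command, or print it on one line when AFS_DRY_RUN is set.
run() {
    if [ -n "${AFS_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mkafshome USER SERVER PARTITION QUOTA_KB
# Creates the PTS entry, the volume user.USER, mounts it under CELL_ROOT,
# gives the owner full rights and takes an initial backup clone.
mkafshome() {
    user="$1"; server="$2"; part="$3"; quota="$4"
    [ -n "$user" ] && [ -n "$server" ] && [ -n "$part" ] && [ -n "$quota" ] || {
        echo "usage: mkafshome USER SERVER PARTITION QUOTA_KB" >&2
        return 2
    }
    vol="user.$user"
    home="$CELL_ROOT/$user"

    # 1. The user must exist in the PTServer database before any ACL can
    #    name them or any token can be issued (the point made in the thread).
    run pts createuser -name "$user" || return 1

    # 2. One volume per user, with its own quota (in KB). Change it later
    #    with: fs setquota -path "$home" -max KB
    run vos create -server "$server" -partition "$part" \
        -name "$vol" -maxquota "$quota" || return 1

    # 3. Mount it in the cell namespace: a mount point, not a copied directory.
    run fs mkmount -dir "$home" -vol "$vol" || return 1

    # 4. Owner gets all rights; system:administrators keep their implicit
    #    rights. Deliberately no system:anyuser entry: a world-readable home
    #    directory is the usual mistake here.
    run fs setacl -dir "$home" -acl "$user" all || return 1

    # 5. Independent backup clone, so a restore touches only this user's data.
    run vos backup -id "$vol" || return 1
}

# mvafshome USER FROMSERVER FROMPART TOSERVER TOPART
# Moves one user's volume to another server/partition; the mount point stays
# valid because it names the volume, not the server it lives on.
mvafshome() {
    vol="user.$1"
    run vos move -id "$vol" -fromserver "$2" -frompartition "$3" \
        -toserver "$4" -topartition "$5"
}
```

Typical use is `mkafshome alice fs1.example.com vicepa 102400` from a session that already shows an admin token in `tokens`; the reason this lives in an admin script and not in a PAM module is exactly the one given above: the right to create volumes and set ACLs comes from the AFS token, not from being root on the login host.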