[OpenAFS] Home directory in AFS

Turbo Fredriksson turbo@bayour.com
20 Apr 2002 11:48:46 +0200


>>>>> "Derek" == Derek Atkins <warlord@MIT.EDU> writes:

    Derek> This doesn't help.  What are your AFS permissions?  What do
    Derek> you get from: fs la /afs/bayour.com/user/

Sorry, I'm still learning AFS :)

----- s n i p -----
[papadoc.pts/8]$ fs la /afs/bayour.com/user/
Access list for /afs/bayour.com/user/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
----- s n i p -----

Exactly (!) the same rights for '.../turbo' and '.../frans'. In my
home-to-be, I can write, because I (turbo) am in the 'administrators'
group.

    Charles> You're letting someone with no AFS token create
    Charles> directories in AFS space?
    Turbo>  Yes (?). How else would homedirs be automatically created (a
    Turbo> necessity in my opinion).

    Derek> Are you crazy, or just unaware of the security
    Derek> implications?  Since AFS is a global file system, you are
    Derek> leaving yourself open to a wide range of attacks.  Do you
    Derek> allow users to create their own accounts?

Home directories and User accounts are two separate issues... I can't
think of ANY attack, except 'tempfile race conditions' (?)

    Derek> How   do  you   provision  LDAP   with  a   user's  account
    Derek> information?   How  do you  provision  Kerberos with  their
    Derek> password?   However you  do  it, at  that  time you  should
    Derek> create their AFS homedirectory:

LibNSS-LDAP/LibPAM-LDAP. Same way that I would have done it if I were
running NIS/NIS+. I tell the NSS system that it should look in LDAP for
hosts, users, groups etc...

    Derek> but a volume MUST be stored on a single partition.  If you
    Derek> have all your users under /afs/bayour.com/user, in the
    Derek> "user" volume, then that volume must be on a single
    Derek> partition!  On the other hand, if each user has their own
    Derek> volume, you can move them individually to balance your disk
    Derek> usage.

Same way I do it now, in non-AFS space. ALL users share an 8Gb disk (my
old 36Gb crashed, this is the temporary disk). IF I run out, I add
a new disk (either using LVM or doing Linear RAID). Both can be done more
or less on a runtime basis (as long as no users are logged in :).

    Derek> Kerberos     (for user Authentication)
    Derek> LDAP         (for user LOGIN information)
    Derek> PTServer     (for AFS User/Group entries)

    Derek> Yes, this is a duplication of data.  No, there is no way to
    Derek> have PTServer look at LDAP.  Yes, you can programmatically
    Derek> get LDAP to feed data to PTServer.  No, I do not have the
    Derek> code to do this.

If we talk theory here (I assume you know the inner workings of the
AFS daemons), would it be possible to 'remove' the PTServer, and have
whatever software that talks to it, talk to a SLAPD/KDC instead to get
the information needed?

I know this is a FAQ/HOWTO, but the AFS documentation is _HUGE_ (!!!),
and I just don't have the mental strength (I'm also lazy :) to read it
from top to bottom. How is a user added to the PTServer?
-- 
NSA Cuba critical KGB Waco, Texas 747 counter-intelligence security
Treasury congress ammunition terrorist SDI Panama tritium
[See http://www.aclu.org/echelonwatch/index.html for more about this]
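The thread turns on what `fs la` reports for `system:anyuser`: with only `rl`, an unauthenticated client can list but not create directories, while any of `i`, `d`, `w`, `k` or `a` on that entry is what would let a tokenless user write into the user area. The script below is an added example, not code from the thread or from OpenAFS; it parses the `fs la` listing format shown in the mail (the two sample listings are constructed, the second one deliberately open) and reports any write-class rights granted to `system:anyuser` in the "Normal rights" section.

```sh
#!/bin/sh
# Added audit helper for "fs la" output (not part of the original post).
# It assumes the listing format quoted in the mail: a header line, a
# "Normal rights:" section, optionally a "Negative rights:" section, and
# one "  principal rights" entry per line.

# Constructed sample, modelled on the listing in the post (anyuser has rl).
SAMPLE_ACL='Access list for /afs/bayour.com/user/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl'

# Constructed sample of an open directory (anyuser can insert/delete/write).
SAMPLE_ACL_OPEN='Access list for /afs/example.org/user/ is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidw'

# anyuser_write_rights ACL_TEXT
# Prints the write-class right letters (i d w k a) that system:anyuser
# holds in the Normal rights section, in the order they appear; prints an
# empty string when it holds only r and/or l. Negative rights are skipped.
anyuser_write_rights() {
    printf '%s\n' "$1" | awk '
        /^Negative rights:/ { section = "neg"; next }
        /^Normal rights:/   { section = "norm"; next }
        section == "norm" && $1 == "system:anyuser" {
            out = ""
            for (i = 1; i <= length($2); i++) {
                c = substr($2, i, 1)
                if (index("idwka", c)) out = out c
            }
            print out
        }'
}

# acl_is_safe ACL_TEXT -> exit status 0 if system:anyuser cannot create,
# delete, write, lock or administer entries; 1 otherwise.
acl_is_safe() {
    [ -z "$(anyuser_write_rights "$1")" ]
}
```

On a live cell, pass the real listing in: `acl_is_safe "$(fs la /afs/bayour.com/user/)" || echo "anyuser has write-class rights"`.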