[OpenAFS] Home directory in AFS
Derek Atkins
derek@ihtfp.com
20 Apr 2002 10:58:17 -0400
Turbo Fredriksson <turbo@bayour.com> writes:
> >>>>> "Derek" == Derek Atkins <derek@ihtfp.com> writes:
>
> Derek> This doesn't help. What are your AFS permissions? What do
> Derek> you get from: fs la /afs/bayour.com/user/
>
> Sorry, I'm still learning AFS :)
Yea. I highly recommend you go read the AFS Intro Guide, or hire
someone to come teach you basic AFS stuff.
> ----- s n i p -----
> [papadoc.pts/8]$ fs la /afs/bayour.com/user/
> Access list for /afs/bayour.com/user/ is
> Normal rights:
> system:administrators rlidwka
> system:anyuser rl
> ----- s n i p -----
>
> Exactly (!) the same rights for '.../turbo' and '.../frans'. In my
> home-to-be, I can write, because I (turbo) am in the 'administrators'
> group.
When you run "mkdir" in AFS, the new directory takes the ACL of the
parent. You can change the ACL by using "fs setacl"; in order to do
this you need to:
a) have 'a'dmin permission on the directory, or
b) own the volume, or
c) be a member of system:administrators
When you create a new volume, you can set the user to own the volume,
so they have implicit 'a' access on all its contents. Then you can
specifically setacl the top-level to:
fs setacl /afs/bayour.com/user/<username> <username> all \
system:anyuser rl -clear
This will set the acl so that:
a) the user has full access
b) system:anyuser had 'r'ead and 'l'ist capabilities
> Home directories and User accounts are two separate issues... I can't
> think of ANY attack, except 'tempfile race conditions' (?)
Why do you think they are separate? A home directory is very much
tied to a user account. It's not like you're going to have a
_different_ home directory on _each_ machine, especially with AFS.
Don't you want to supply some default dotfiles, for instance?
> Derek> How do you provision LDAP with a user's account
> Derek> information? How do you provision Kerberos with their
> Derek> password? However you do it, at that time you should
> Derek> create their AFS home directory:
>
> LibNSS-LDAP/LibPAM-LDAP. Same way that I would have done it if I were
> running NIS/NIS+. I tell the NSS system that I should look in LDAP for
> hosts, users, groups etc...
You didn't answer my question. How do you get the user account
information _INTO_ LDAP?
> Same way I do it now, in non-AFS space. ALL users share an 8Gb disk (my
> old 36Gb crashed, this is the temporary disk). IF I run out, I add
> a new disk (either using LVM or do Linear RAID). Both can be done more
> or less on a runtime basis (as long as no users are logged in :).
There are sites out there that are running multiple Terabytes of data
in AFS. There is NO WAY that could be managed as a single volume on a
single partition on a single machine!
> Derek> Kerberos (for user Authentication)
> Derek> LDAP (for user LOGIN information)
> Derek> PTServer (for AFS User/Group entries)
>
> Derek> Yes, this is a duplication of data. No, there is no way to
> Derek> have PTServer look at LDAP. Yes, you can programmatically
> Derek> get LDAP to feed data to PTServer. No, I do not have the
> Derek> code to do this.
>
> If we talk theory here (I assume you know the inner workings of the
> AFS daemons), would it be possible to 'remove' the PTServer, and have
> whatever software that talks to it, talk to a SLAPD/KDC instead to get
> the information needed?
No.
As I said, the KDC replaces the KAServer. So, since you're running
MIT Kerberos you can replace (not run) the AFS KAServer. However, the
PTServer is a different animal, and you cannot use LDAP in lieu.
> I know this is a FAQ/HOWTO, but the AFS documentation is _HUGE_ (!!!),
> and I just don't have the mental strength (I'm also lazy :) to read it
> from top to bottom. How is a user added to the PTServer?
pts createuser
(run 'pts help' for complete list of commands)
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
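The provisioning sequence Derek sketches (pts entry, volume, mount point, volume owner, then a top-level ACL of user=all, system:anyuser=rl with -clear), together with a small check that parses "fs la" output in the format shown above and flags home directories where system:anyuser has been left with more than read and list. This is an added example, not code from the thread or from OpenAFS itself; it assumes the OpenAFS command-line tools pts, vos and fs, and the cell name bayour.com, the user.<name> volume naming scheme and the file server and partition names are placeholders chosen for illustration. It prints the commands instead of running them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the OpenAFS client/admin tools
# fs, pts and vos. Cell, volume naming, server and partition are assumptions.
CELL=${CELL:-bayour.com}
HOME_ROOT=${HOME_ROOT:-/afs/$CELL/user}
FILESERVER=${FILESERVER:-afs-fileserver.placeholder}  # placeholder host
PARTITION=${PARTITION:-a}                              # /vicepa
DRY_RUN=${DRY_RUN:-1}                                  # 1 = only print

# run CMD...: echo the command, and execute it only when DRY_RUN=0.
run() {
  echo "+ $*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# provision_home USER: the steps from the thread, in order. The chown makes
# USER the owner of the volume's root directory, which in AFS gives them
# implicit 'a' (administer) rights throughout the volume; the final setacl
# then leaves exactly "USER all" and "system:anyuser rl" at the top level.
provision_home() {
  user=$1
  run pts createuser "$user"
  run vos create "$FILESERVER" "$PARTITION" "user.$user"
  run fs mkmount "$HOME_ROOT/$user" "user.$user"
  run chown "$user" "$HOME_ROOT/$user"
  run fs setacl "$HOME_ROOT/$user" "$user" all system:anyuser rl -clear
}

# anyuser_rights: read "fs la" output on stdin and print the rights string
# granted to system:anyuser in the "Normal rights:" section (empty if none).
# Stops at "Negative rights:" so a negative entry is not mistaken for a grant.
anyuser_rights() {
  awk '/^Negative rights:/ { exit }
       $1 == "system:anyuser" { print $2; exit }'
}

# anyuser_rights_ok RIGHTS: succeed if RIGHTS contains nothing beyond r and l.
anyuser_rights_ok() {
  extra=$(printf '%s' "$1" | tr -d 'rl')
  [ -z "$extra" ]
}

# audit_home DIR: run "fs la" on a real directory and report over-grants.
audit_home() {
  rights=$(fs la "$1" | anyuser_rights)
  if anyuser_rights_ok "$rights"; then
    echo "ok   $1 (system:anyuser: ${rights:-none})"
  else
    echo "WARN $1 grants system:anyuser '$rights' (expected at most rl)"
    return 1
  fi
}

# Usage: NEW_USER=frans ./provision.sh   (prints the commands; DRY_RUN=0 runs them)
if [ -n "${NEW_USER:-}" ]; then provision_home "$NEW_USER"; fi
```

The parent /afs/bayour.com/user/ keeps the ACL shown in the thread (administrators rlidwka, anyuser rl); the -clear on the new home directory is what stops the inherited parent ACL from persisting there. Feed the output of "fs la" for each home directory into anyuser_rights to spot the ones where that step was skipped.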