[OpenAFS] Home directory in AFS

Charles Clancy security@xauth.net
Sun, 21 Apr 2002 04:10:19 -0500 (CDT)


> This should be quite easy to do, even in a secure manner.
>
> I use the way described in 'http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbcron'
> to have my master LDAP server replicate to its slave.
>
> So just configure pam_mkhomedir to recognize a KerberosV keytab, do the
> 'kinit', then the 'aklog' (both with proper options) equivalences in C.

For the 3rd or 4th time, this is a BAD IDEA.  If you're going to put admin
keytabs on all your workstations, just USE NFS.  It would be MUCH more
secure.  You're trying to turn AFS into something it's not.

> Yes, this is easier for ME, but _IF_ I modify the pam_mkhomedir, others
> will be able to benefit, and have an easier

No sane person would ever want to do this; therefore no one else would
ever benefit.

> The thing is, CURRENTLY OpenLDAP (v2.0) can't store the Kerberos/GSSAPI
> credentials in database, but the next version is rumored to have that
> possibility.
> ...
> That is _ONE_ place to do modifications/additions/deletions of users!! This
> was originally the _ONLY_ (and later PRIMARILY) reason to have LDAP.

Maybe you could keep all your files in LDAP too.

> When I added kerberos functionality (the reason for THAT was so that I didn't
> have to put the password for LDAP replication in cleartext, later crypted,
> in the config file).

But by using a keytab, you're putting cleartext passwords on ALL your
workstations!!

> With this I want to say that having _ONE_ place for user modifications
> is the _PRIMARY_ goal for me. And this HAS to be possible through a web
> page. I'm implementing this kind of system on quite a number of systems,
> out of my control, and where the USER wants to have the control, but doesn't
> have the knowledge...
>
> So having the pam_mkhomedir is ESSENTIAL for this to work properly. Fine,
> hard work. I don't mind :) In theory it's not THAT hard, but we all know
> that theory and practice differ :)

Umm... why can't you create a home directory from this web interface?  At
least you'd only have to put a keytab on one machine.

> This is a bummer. Is it possible to only backup the ACL information, without
> taking the data?

Nope.

> Not knowing quite what I'm talking about, this should be possible by
> using 'fs la' in a recursive loop under each volume, parse the info,
> and create a restore script  that restores the ACL info... This script
> is created BEFORE the backup of the AFS volume takes place, and is backed
> up WITH the volume data.

Wow.  Use NFS.

I apologize if my comments are a bit sardonic.  If you're going to ignore
our advice, don't ask for it.  In my opinion, you are completely missing
the point of AFS.  From everything you've said, I strongly suggest you
stick with NFS.  It would be more appropriate for your environment.

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
[  crypto  ][  coordinated science lab  ][  university of illinois  ]
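The 'fs la' dump-and-restore idea quoted in the thread, as an added example that is not part of the original messages or of OpenAFS: it captures the listing for every directory under a volume mount point and turns those listings into 'fs sa' commands. The paths and ACL entries in the sample are constructed, and the script assumes directory names contain no single quotes.

```shell
# Step 1 (needs a real cell, not run here): capture "fs la" for every
# directory below a volume's mount point; AFS ACLs exist only on directories.
dump_acls() {
    find "$1" -type d -exec fs la {} \;
}

# Step 2: turn captured "fs la" output (stdin) into "fs sa" commands (stdout).
# Normal rights are restored with -clear so the result REPLACES whatever ACL
# the directory has after a restore rather than merging with it; negative
# rights get a separate "-negative" call issued afterwards so -clear does not
# wipe them. Assumes directory names contain no single quotes (constructed).
gen_restore() {
    awk '
        function flush() {
            if (dir == "") return
            if (normal != "")   print "fs sa -dir \047" dir "\047 -acl" normal " -clear"
            if (negative != "") print "fs sa -dir \047" dir "\047 -acl" negative " -negative"
            dir = ""; normal = ""; negative = ""
        }
        /^Access list for .* is$/ {      # header line printed by "fs la"
            flush()
            dir = $0
            sub(/^Access list for /, "", dir)
            sub(/ is$/, "", dir)
            mode = ""
            next
        }
        /^Normal rights:$/   { mode = "normal";   next }
        /^Negative rights:$/ { mode = "negative"; next }
        NF == 2 && mode == "normal"   { normal   = normal   " " $1 " " $2; next }
        NF == 2 && mode == "negative" { negative = negative " " $1 " " $2; next }
        END { flush() }
    '
}

# Constructed sample of what dump_acls would capture for two directories.
SAMPLE_FS_LA='Access list for /afs/example.org/user/alice is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  system:anyuser l
Negative rights:
  guest rl
Access list for /afs/example.org/user/alice/private is
Normal rights:
  alice rlidwka'

# Returns the restore script generated from the constructed sample.
demo() { printf '%s\n' "$SAMPLE_FS_LA" | gen_restore; }
demo
```

Running the generated script requires tokens holding the 'a' (administer) right on each directory, which is exactly the privilege the thread warns against spreading across workstations in keytabs.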