[OpenAFS] Home directory in AFS

Turbo Fredriksson turbo@bayour.com
22 Apr 2002 10:16:08 +0200 

>>>>> "Charles" == Charles Clancy <security@xauth.net> writes:

    Turbo> So just configure pam_mkhomedir to recognize a KerberosV
    Turbo> keytab, do the 'kinit', then the 'aklog' (both with propper
    Turbo> options) equivalences in C.

    Charles> For the 3rd or 4th time, this is a BAD IDEA.

That's YOUR opinion. You have yet to PROVE and/or give a GOOD example/reason
for why this is a bad idea. All you manage to do is call me names.

    Charles> If you're
    Charles> going to put admin keytabs on all your workstations, just
    Charles> USE NFS.  It would be MUCH more secure.  Your trying to
    Charles> turn AFS into something it's not.

Perhaps. I've always succeeded making software designed to do one thing,
do the things _I_ want it to do. Usually by 'adding some random bits of
code' :)

    Turbo> The thing is, CURRENTLY OpenLDAP (v2.0) can't store the
    Turbo> Kerberos/GSSAPI credentials in database, but the next version
    Turbo> is rumored to have that possibility.  ...  That is _ONE_ place
    Turbo> to do modifications/additions/deletions of users!! This was
    Turbo> originaly the _ONLY_ (and later PRIMARILY) reason to have LDAP.

    Charles> Maybe you could keep all your files in LDAP too.

Try refraining from looking stupid next time please.

    Turbo> When I added kerberos functionality (the reason for THAT was so
    Turbo> that I didn't have to put the password for LDAP replication in
    Turbo> cleartext, later crypted, in the config file).

    Charles> But by using a keytab, you're putting cleartext passwords
    Charles> on ALL your workstations!!

NOW you're talking! Luckily theory and practise differs a little, and it's
not EXACTLY as bad as enter the clear text password in a world readable
file on disk. Close, but not quite...

Unfortunately I don't know any other way to get around this.

    Turbo> So having the pam_mkhomedir is ESSENTIAL for this to work
    Turbo> properly. Fine, hard work. I don't mind :) In theory it's not
    Turbo> THAT hard, but we all know that theory and practise differs :)

    Charles> Umm... why can't you create a home directory from this
    Charles> web interface?  At least you'd only have to put a keytab
    Charles> on one machine.

It seems like I have to. I had just gotten used to the functionality
that pam_mkhomedir gave me, so i didn't have to bother with the homedir
until the user actually logged in, not wasting any space if it wasn't
used.

    Turbo> This is a bummer. Is it possible to only backup the ACL
    Turbo> information, without taking the data?

    Charles> Nope.

I'm not convinced. Care to elaborate (WITHOUT calling me names this
time)?

    Turbo> Not knowing quite what I'm talking about, this should be
    Turbo> possible by using 'fs la' in a recursive loop under each
    Turbo> volume, parse the info, and create a restore script that
    Turbo> restores the ACL info... This script is created BEFORE the
    Turbo> backup of the AFS volume takes place, and is backed up WITH the
    Turbo> volume data.

    Charles> Wow.  Use NFS.

NFS sucks.

    Charles> I apologize if my comments are a bit sardonic.  If you're
    Charles> going to ignore our advise, don't ask for it.

I have no big problem with this. As long as I get INTELLIGENT and real
reasons why something is bad, fine.  Just calling me names isn't going
to help.

Yes, I'm much like you, but those times I've been 'sardonic' (I've
actually been worse) is when it clearly is in the FAQ/HOWTO. In this
case (OpenAFS/AFS in general) the manual is 6-700 pages long! I just
can't read that much without straining a vessel :)

    Charles> In my opinion, you are completely missing the point of AFS.

Very possible. Maybe I want something more, maybe something less. If it
"won't do my bidding"  then I'll try to MAKE it so that it does.

I still think that the 'pam_mkhomedir' module would be nice to have, added
the needed functionality.

    Charles> From everything you've said, I strongly suggest you stick
    Charles> with NFS.  It would be more appropriate for your
    Charles> environment.

I have. NFS gave me more problem than it was worth, I need something
completely different. And I might even USE NFS in some areas, but 
I first going to explore the 'whole' (at least as much as I have
to to understand it enough) AFS business.
-- 
cryptographic security killed toluene Kennedy Semtex World Trade
Center jihad counter-intelligence Honduras assassination subway $400
million in gold bullion Ft. Meade [Hello to all my fans in domestic
surveillance]
[See http://www.aclu.org/echelonwatch/index.html for more about this]