[OpenAFS] Home directory in AFS

Turbo Fredriksson turbo@bayour.com
23 Apr 2002 07:59:34 +0200


>>>>> "Charles" == Charles Clancy <security@xauth.net> writes:

    Turbo> So just configure pam_mkhomedir to recognize a KerberosV
    Turbo> keytab, do the 'kinit', then the 'aklog' (both with proper
    Turbo> options) equivalences in C.
    >>
    Charles> For the 3rd or 4th time, this is a BAD IDEA.
    >>  That's YOUR opinion. You have yet to PROVE and/or give a GOOD
    >> example/reason for why this is a bad idea.

    Charles> I apologize for the tone of my last response.  I'm just
    Charles> frustrated.

LOL. You have no reason to apologise. You are (quite) obviously more
knowledgeable than me here (question is, am I more knowledgeable than
ANYONE in this regard!? :).

It's just my refusal to 'trust' anyone that says "don't do that, it's bad".
The officers had the same problem with me, when I did my (mandatory)
military service :)

This is something I know I have to work with, and luckily I'm starting
to forget how I was when I was a teen :)

    Charles> In my experience, one of the main benefits of AFS is its
    Charles> security, the other being performance.

It's because of the (claimed) security I started to investigate it in
the first place. It was the 'key tabs on each server is bad' that made
me comply to the AFS ways. THAT problem is something I can understand
and accept.

    Charles> If you feel you can adequately protect that keytab file,
    Charles> then your method would certainly work.  I just want to
    Charles> make sure you realize the implications of that keytab
    Charles> being compromised.

I was about to give some other example that might work, but I decided
not to. I will follow the advice I got previously, trying to do it the
AFS way, and if/when I understand it more, I'll get back on the
subject.

    Turbo> This is a bummer. Is it possible to only backup the ACL
    Turbo> information, without taking the data?
    Charles> Nope.
    Turbo> I'm not convinced. Care to elaborate?

    Charles> Your method for obtaining the ACL information would work,
    Charles> but seems overly complicated.  Depending on your backup
    Charles> setup, you could "vos dump" your volumes into files (did
    Charles> we convince you 1 volume per user was a good idea?)

That you did. I also discovered that I can specify WHERE (on which
/vicepX partition) to create the volume, so I get 'my' way anyway.
I misunderstood some parts of the volume issue 'a little' :)

    Charles> and then backup those files using your normal backup
    Charles> system.  In that case, you'd save your ACL information.

Now, THAT is a good idea. Do the dump to a file, and then back that
up with AFBackup... At least if I can't get my regular backup system
and the AFS backup system to work together (on the same physical tape).

    Charles> I'll try to refrain from calling you names. :)

No, please don't. If I'm OVERLY stupid, then I deserve it :) But
be so kind as to explain your reasons. I don't know this subject
at all (or at least very little), and what's obvious to you, isn't
to me...

-- 
president subway Clinton AK-47 explosion domestic disruption smuggle
Panama spy PLO Ortega Legion of Doom cracking Saddam Hussein Nazi
[See http://www.aclu.org/echelonwatch/index.html for more about this]