[OpenAFS] Home directory in AFS
Turbo Fredriksson
turbo@bayour.com
23 Apr 2002 07:59:34 +0200
>>>>> "Charles" == Charles Clancy <security@xauth.net> writes:
Turbo> So just configure pam_mkhomedir to recognize a KerberosV
Turbo> keytab, do the 'kinit', then the 'aklog' (both with proper
Turbo> options) equivalences in C.
>>
Charles> For the 3rd or 4th time, this is a BAD IDEA.
>> That's YOUR opinion. You have yet to PROVE and/or give a GOOD
>> example/reason for why this is a bad idea.
Charles> I apologize for the tone of my last response. I'm just
Charles> frustrated.
LOL. You have no reason to apologise. You are (quite) obviously more
knowledgeable than me here (question is, am I more knowledgeable than
ANYONE in this regard!? :).
It's just my refusal to 'trust' anyone that says "don't do that, it's bad".
The officers had the same problem with me, when I did my (mandatory)
military service :)
This is something I know I have to work with, and luckily I'm starting
to forget how I was when I was a teen :)
Charles> In my experience, one of the main benefits of AFS is its
Charles> security, the other being performance.
It's because of the (claimed) security I started to investigate it in
the first place. It was the 'key tabs on each server is bad' that made
me comply to the AFS ways. THAT problem is something I can understand
and accept.
Charles> If you feel you can adequately protect that keytab file,
Charles> then your method would certainly work. I just want to
Charles> make sure you realize the implications of that keytab
Charles> being compromised.
I was about to give some other example that might work, but I decided
not to. I will follow the advice I got previously, trying to do it the
AFS way, and if/when I understand it more, I'll get back on the
subject.
Turbo> This is a bummer. Is it possible to only backup the ACL
Turbo> information, without taking the data?
Charles> Nope.
Turbo> I'm not convinced. Care to elaborate?
Charles> Your method for obtaining the ACL information would work,
Charles> but seems overly complicated. Depending on your backup
Charles> setup, you could "vos dump" your volumes into files (did
Charles> we convince you 1 volume per user was a good idea?)
That you did. I also discovered that I can specify WHERE (on which
/vicepX partition) to create the volume, so I get 'my' way anyway.
I misunderstood some parts of the volume issue 'a little' :)
Charles> and then backup those files using your normal backup
Charles> system. In that case, you'd save your ACL information.
Now, THAT is a good idea. Do the dump to a file, and then back that
up with AFBackup... At least if I can't get my regular backup system
and the AFS backup system to work together (on the same physical tape).
Charles> I'll try to refrain from calling you names. :)
No, please don't. If I'm OVERLY stupid, then I deserve it :) But
be so kind as to explain your reasons. I don't know this subject
at all (or at least very little), and what's obvious to you, isn't
to me...
--
president subway Clinton AK-47 explosion domestic disruption smuggle
Panama spy PLO Ortega Legion of Doom cracking Saddam Hussein Nazi
[See http://www.aclu.org/echelonwatch/index.html for more about this]