| 1 | #!/bin/bash -ex |
| 2 | |
| 3 | # MUST be executed: |
| 4 | # - on deleuze |
| 5 | # - as a user with an /etc/sudoers line |
| 6 | # - member of wheel unix group |
| 7 | # - while holding tickets for a user who can 'ssh -K' to mire |
| 8 | # - while holding tokens for a user who is: |
| 9 | # - a member of system:administrator |
| 10 | # - listed in 'bos listusers deleuze' |
| 11 | |
| 12 | USER=$1 |
| 13 | |
| 14 | if test -z "$USER"; then |
| 15 | echo "Invoke as create-user <USERNAME>" |
| 16 | exit 1 |
| 17 | fi |
| 18 | |
| 19 | |
| 20 | # |
| 21 | # Kerberos principals |
| 22 | # (creat kerberos principals: fred, fred/cgi, fred/mailfilter) |
| 23 | # |
| 24 | |
| 25 | # We use -randkey for user's main principal as well, to make sure that |
| 26 | # the creation process does not continue without having a main |
| 27 | # principal. (But you who want to set password for a user, don't |
| 28 | # worry - we'll invoke cpw later, so that it has the same effect |
| 29 | # as setting password right now - while it is more error tolerant). |
| 30 | |
| 31 | sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET" |
| 32 | sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET" |
| 33 | sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET" |
| 34 | |
| 35 | # |
| 36 | # Create AFS users corresponding to krb5 principals. |
| 37 | # (fred/cgi principal == fred.cgi AFS user) |
| 38 | # |
| 39 | |
| 40 | pts cu $USER || true |
| 41 | ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` |
| 42 | pts cu $USER.mailfilter $ID_MF || true |
| 43 | ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` |
| 44 | pts cu $USER.cgi || true |
| 45 | ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` |
| 46 | |
| 47 | |
| 48 | # |
| 49 | # Construct various paths for later perusal. |
| 50 | # |
| 51 | |
| 52 | # (If it's not clear, for user fred, PATHBITS = f/fr/fred) |
| 53 | PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER |
| 54 | HOMEPATH=/afs/hcoop.net/user/$PATHBITS |
| 55 | MAILPATH=/afs/hcoop.net/common/email/$PATHBITS |
| 56 | DBPATH=/afs/hcoop.net/common/databases/$PATHBITS |
| 57 | PGDIR=$DBPATH/postgres |
| 58 | MYSQLDIR=$DBPATH/mysql |
| 59 | |
| 60 | |
| 61 | # |
| 62 | # Create LDAP entries. (With the whole libnss-ptdb, I kind of |
| 63 | # lost the idea of what I want to do with LDAP, but we'll |
| 64 | # see with time how well it integrates...) |
| 65 | # The ID returned from AFS is important here, we want to make |
| 66 | # sure those IDs match. |
| 67 | # |
| 68 | |
| 69 | # USER entry |
| 70 | echo " |
| 71 | dn: uid=$USER,ou=People,dc=hcoop,dc=net |
| 72 | objectClass: top |
| 73 | objectClass: person |
| 74 | objectClass: posixAccount |
| 75 | cn: $USER |
| 76 | uid: $USER |
| 77 | gidNumber: $ID |
| 78 | sn: $USER |
| 79 | host: abulafia |
| 80 | host: mire |
| 81 | |
| 82 | dn: cn=$USER,ou=Group,dc=hcoop,dc=net |
| 83 | objectClass: top |
| 84 | objectClass: posixGroup |
| 85 | cn: $USER |
| 86 | gidNumber: $ID |
| 87 | memberUid: $USER |
| 88 | " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true |
| 89 | |
| 90 | # USER.mailfilter entry |
| 91 | echo " |
| 92 | dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net |
| 93 | objectClass: top |
| 94 | objectClass: person |
| 95 | objectClass: posixAccount |
| 96 | cn: $USER.mailfilter |
| 97 | uid: $USER.mailfilter |
| 98 | gidNumber: $ID_MF |
| 99 | sn: $USER.mailfilter |
| 100 | |
| 101 | dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net |
| 102 | objectClass: top |
| 103 | objectClass: posixGroup |
| 104 | cn: $USER.mailfilter |
| 105 | gidNumber: $ID_MF |
| 106 | memberUid: $USER.mailfilter |
| 107 | " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true |
| 108 | |
| 109 | # USER.cgi entry |
| 110 | echo " |
| 111 | dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net |
| 112 | objectClass: top |
| 113 | objectClass: person |
| 114 | objectClass: posixAccount |
| 115 | cn: $USER.cgi |
| 116 | uid: $USER.cgi |
| 117 | gidNumber: $ID_CGI |
| 118 | sn: $USER.cgi |
| 119 | |
| 120 | dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net |
| 121 | objectClass: top |
| 122 | objectClass: posixGroup |
| 123 | cn: $USER.cgi |
| 124 | gidNumber: $ID_CGI |
| 125 | memberUid: $USER.cgi |
| 126 | " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true |
| 127 | |
| 128 | |
| 129 | # |
| 130 | # Export .mailfilter and .cgi keys to a keytab file |
| 131 | # |
| 132 | |
| 133 | # create a mailfilter keytab (used by /etc/exim4/get-token) |
| 134 | sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET" |
| 135 | |
| 136 | # create a cgi keytab |
| 137 | sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET" |
| 138 | |
| 139 | # Properly chown/mod keytab files (www-data must own the cgi keytab) |
| 140 | sudo chown www-data:wheel /etc/keytabs/cgi/$USER |
| 141 | sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER |
| 142 | sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER |
| 143 | |
| 144 | # rsync keytabs to mire |
| 145 | rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER |
| 146 | |
| 147 | # |
| 148 | # Create/mount/set-perms on user's volumes (home, mail, databases, logs) |
| 149 | # |
| 150 | |
| 151 | # HOME VOLUME |
| 152 | vos examine user.$USER 2>/dev/null || \ |
| 153 | vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000 |
| 154 | mkdir -p `dirname $HOMEPATH` |
| 155 | fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER |
| 156 | chown $USER $HOMEPATH |
| 157 | fs sa $HOMEPATH $USER all |
| 158 | fs sa $HOMEPATH system:anyuser rl |
| 159 | |
| 160 | # Apache logs |
| 161 | mkdir -p $HOMEPATH/logs/apache |
| 162 | fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk |
| 163 | |
| 164 | # public_html |
| 165 | mkdir -p $HOMEPATH/public_html/ |
| 166 | fs sa $HOMEPATH/public_html system:anyuser rl |
| 167 | mkdir -p $HOMEPATH/.procmail.d/ |
| 168 | fs sa $HOMEPATH/.procmail.d/ system:anyuser rl |
| 169 | |
| 170 | # MAIL VOLUME |
| 171 | vos examine mail.$USER 2>/dev/null || \ |
| 172 | vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000 |
| 173 | mkdir -p `dirname $MAILPATH` |
| 174 | fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER |
| 175 | fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER |
| 176 | fs sa $MAILPATH $USER all |
| 177 | fs sa $MAILPATH $USER.mailfilter all |
| 178 | |
| 179 | # DATABASE VOLUME |
| 180 | if ! vos examine db.$USER >/dev/null 2>/dev/null; then |
| 181 | mkdir -p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS` |
| 182 | vos create -server afs -partition a -name db.$USER -maxquota 400000 |
| 183 | fs mkmount -dir /afs/.hcoop.net/common/.databases/$PATHBITS -vol db.$USER -rw |
| 184 | vos release common.databases |
| 185 | fs sa -dir $DBPATH -acl system:postgres l |
| 186 | fs sa -dir $DBPATH -acl system:mysql l |
| 187 | fs sa -dir $DBPATH -acl system:backup rl |
| 188 | fi |
| 189 | |
| 190 | # Create postgres user and tablespace placeholder within volume |
| 191 | if ! [ -d $PGDIR ]; then |
| 192 | mkdir -p $PGDIR |
| 193 | chown postgres:postgres $PGDIR |
| 194 | fs sa -dir $PGDIR -acl system:postgres write |
| 195 | |
| 196 | sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1 |
| 197 | fi |
| 198 | |
| 199 | # Create mysql user and databases placeholder within volume |
| 200 | mkdir -p $MYSQLDIR |
| 201 | chown mysql:mysql $MYSQLDIR |
| 202 | fs sa -dir $MYSQLDIR -acl system:mysql write |
| 203 | |
| 204 | |
| 205 | # |
| 206 | # Mount points for backup volumes |
| 207 | # |
| 208 | |
| 209 | mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS` |
| 210 | mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS` |
| 211 | fs ls /afs/hcoop.net/old/user/$PATHBITS || \ |
| 212 | fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup |
| 213 | fs ls /afs/hcoop.net/old/mail/$PATHBITS || \ |
| 214 | fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup |
| 215 | |
| 216 | # technically this might not be necessary, but for good measure... |
| 217 | vos syncserv deleuze |
| 218 | vos syncvldb deleuze |
| 219 | |
| 220 | # refresh volume location cache (takes ~2hrs otherwise) |
| 221 | fs checkvolumes |
| 222 | ssh mire.hcoop.net fs checkvolumes |
| 223 | |
| 224 | # |
| 225 | # Finally, set password for main user's principal |
| 226 | # Aborting this operation is harmless. Just re-invoke cpw. |
| 227 | # |
| 228 | # kadmin.local doesn't report errors properly, so we have to |
| 229 | # check manually |
| 230 | # |
| 231 | sudo rm -f /tmp/kadmin.out |
| 232 | sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \ |
| 233 | 2>&1 | tee /tmp/kadmin.out |
| 234 | cat /tmp/kadmin.out | grep 'Password for .* changed' |
| 235 | sudo rm -f /tmp/kadmin.out |
| 236 | |