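#!/bin/bash
#
# create-user <USERNAME>: provision a new hcoop account end to end --
# Kerberos principals, AFS (pts) users, LDAP entries, keytabs, AFS volumes
# and mount points, database directories, and finally the user's password.
#
# MUST be executed:
# - on deleuze
# - as a user with an /etc/sudoers line
# - member of wheel unix group
# - while holding tickets for a user who can 'ssh -K' to mire
# - while holding tokens for a user who is:
#   - a member of system:administrator
#   - listed in 'bos listusers deleuze'
#
# Shell options are set here rather than on the shebang line so they also
# apply when the script is invoked as "bash create-user":
#   -e  abort at the first failing command (steps that may legitimately fail
#       on a re-run are guarded individually further down)
#   -x  trace every command to stderr; no secret should appear in the trace,
#       because the LDAP bind password is read from a file and kadmin prompts
#       for the member's password on the terminal rather than taking it as an
#       argument.
set -ex

# Note: this deliberately shadows the login-name environment variable USER
# for the rest of the script.
USER=$1

if [[ -z "$USER" ]]; then
  echo "Invoke as create-user <USERNAME>" >&2
  exit 1
fi

# The username is spliced, unquoted, into kadmin queries, LDIF, a CREATE
# TABLESPACE statement, pts/vos names, rsync/ssh arguments and file names
# under /etc/keytabs.  Refuse anything outside a conservative character set
# before the first principal is created.  Adjust the pattern if the site's
# naming policy allows more, but never admit '.', '/', '@', whitespace or a
# leading '-': '.' and '/' are the separators used for the derived
# <user>.cgi / <user>/cgi names and for the hashed directory layout.
if [[ ! "$USER" =~ ^[a-z][a-z0-9_]*$ ]]; then
  echo "create-user: refusing unsafe username '$USER'" >&2
  exit 1
fi

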
#
# Kerberos principals
# (create the principals fred, fred/mailfilter and fred/cgi, each under its
# own password policy: 'user', 'mailfilter' and 'cgi')
#

# -randkey is used for the member's main principal as well, so that the rest
# of the script never proceeds without a main principal existing.  The real
# password is set at the very end with cpw; that has the same effect as
# setting it here, but tolerates an aborted prompt.

# add_principal POLICY PRINCIPAL -- create PRINCIPAL@HCOOP.NET with a random
# key under password policy POLICY, with pre-authentication required.
add_principal() {
  sudo kadmin.local -p root/admin -q "ank -policy $1 -randkey +requires_preauth $2@HCOOP.NET"
}

add_principal user       "$USER"
add_principal mailfilter "$USER/mailfilter"
add_principal cgi        "$USER/cgi"

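#
# Create AFS users corresponding to the krb5 principals.
# (fred/cgi principal == fred.cgi AFS user)
#

# afs_id NAME -- print the numeric AFS id of pts user NAME: the number after
# "id:" on the first line of 'pts examine'.  Prints nothing if NAME is unknown
# (the pipeline's exit status is head/sed's, so -e does not catch that).
afs_id() {
  pts examine "$1" | head -n1 | sed -e 's_.*, id: *__' -e 's_,.*__'
}

# require_id ID NAME -- abort if ID (looked up for NAME) came back empty.
# An empty id would otherwise be written verbatim as the gidNumber of the
# LDAP entries created further down.
require_id() {
  if [[ -z "$1" ]]; then
    echo "create-user: could not determine the AFS id of $2" >&2
    exit 1
  fi
}

# '|| true': the pts entry may already exist on a re-run; the id is looked
# up afterwards either way.  pts chooses the id itself.
pts cu "$USER" || true
ID=$(afs_id "$USER")
require_id "$ID" "$USER"

pts cu "$USER.mailfilter" || true
ID_MF=$(afs_id "$USER.mailfilter")
require_id "$ID_MF" "$USER.mailfilter"

pts cu "$USER.cgi" || true
ID_CGI=$(afs_id "$USER.cgi")
require_id "$ID_CGI" "$USER.cgi"

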
#
# Construct the various paths used by the rest of the script.
#

# Hashed directory layout: user "fred" lives under f/fr/fred.
hash_1=$(echo $USER | head -c 1)
hash_2=$(echo $USER | head -c 2)
PATHBITS=$hash_1/$hash_2/$USER

HOMEPATH=/afs/hcoop.net/user/$PATHBITS              # home volume mount point
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS      # mail volume mount point
DBPATH=/afs/hcoop.net/common/databases/$PATHBITS    # database volume (read-only path)
PGDIR=$DBPATH/postgres                              # postgres tablespace directory
MYSQLDIR=$DBPATH/mysql                              # mysql data directory


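#
# Create LDAP entries.  (Author's note: with libnss-ptdb in place the role
# of LDAP is not settled; we will see over time how well it integrates.)
# The ids returned by pts above matter here: the gidNumber of each entry
# must match the account's AFS id.
#
# NOTE(review): the posixAccount entries below carry gidNumber but neither
# uidNumber nor homeDirectory, which RFC 2307 lists as required attributes
# of that object class.  If the directory enforces its schema, ldapadd
# rejects the entry and only the warning printed below records that --
# confirm against the server's schema before relying on these entries.
#

# ldap_add_entry LABEL -- feed the LDIF on stdin to ldapadd as the admin DN.
# The bind password comes from /etc/ldap.secret (never from the command line,
# so it does not show up in the -x trace or in ps).  Best effort: a failure,
# typically an entry that already exists on a re-run, is reported on stderr
# but does not abort the script.
ldap_add_entry() {
  if ! sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret; then
    echo "create-user: warning: ldapadd failed for $1 (entry may already exist)" >&2
  fi
}

# USER entry: account plus a private group with the same id
ldap_add_entry "$USER" <<EOF
dn: uid=$USER,ou=People,dc=hcoop,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: $USER
uid: $USER
gidNumber: $ID
sn: $USER
host: abulafia
host: mire

dn: cn=$USER,ou=Group,dc=hcoop,dc=net
objectClass: top
objectClass: posixGroup
cn: $USER
gidNumber: $ID
memberUid: $USER
EOF

# USER.mailfilter entry
ldap_add_entry "$USER.mailfilter" <<EOF
dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: $USER.mailfilter
uid: $USER.mailfilter
gidNumber: $ID_MF
sn: $USER.mailfilter

dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
objectClass: top
objectClass: posixGroup
cn: $USER.mailfilter
gidNumber: $ID_MF
memberUid: $USER.mailfilter
EOF

# USER.cgi entry
ldap_add_entry "$USER.cgi" <<EOF
dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: $USER.cgi
uid: $USER.cgi
gidNumber: $ID_CGI
sn: $USER.cgi

dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
objectClass: top
objectClass: posixGroup
cn: $USER.cgi
gidNumber: $ID_CGI
memberUid: $USER.cgi
EOF

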
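#
# Export the .mailfilter and .cgi keys to per-user keytab files
#

# NOTE(review): ktadd assigns the principal a fresh random key every time it
# runs, so re-running this script rotates both keys.  The copy on mire is
# refreshed by the rsync below; anything else still holding the old cgi key
# is not.

# kadmin creates a new keytab file under root's umask, so without care the
# key material is world-readable until the chmod further down.  The umask in
# the subshell closes that window: sudo (by default) applies the union of
# the caller's umask and its own, so the file is born mode 0600.  ktadd
# appends to an existing keytab, so this is safe on a re-run.

# mailfilter keytab (used by /etc/exim4/get-token)
(umask 077; sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET")

# cgi keytab
(umask 077; sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET")

# Ownership: www-data (the web server's identity) must own the cgi keytab,
# the member owns their mailfilter keytab.  Group wheel with mode 440 lets
# operators -- including the rsync below, which runs unprivileged -- read
# them; nobody else gets access.
sudo chown www-data:wheel "/etc/keytabs/cgi/$USER"
sudo chown "$USER:wheel" "/etc/keytabs/mailfilter/$USER"
sudo chmod 440 "/etc/keytabs/cgi/$USER" "/etc/keytabs/mailfilter/$USER"

# Copy the cgi keytab to mire over ssh, as the operator with their tickets.
# NOTE(review): -a preserves the owner only when the receiving side runs as
# root; otherwise the copy on mire belongs to the ssh user -- confirm that
# mire's web server can still read it.
rsync -e ssh -a "/etc/keytabs/cgi/$USER" "mire.hcoop.net:/etc/keytabs/cgi/$USER"
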
#
# Create/mount/set-perms on the member's volumes (home, mail, databases, logs)
#

# HOME VOLUME: create it unless it already exists, mount it at HOMEPATH
# (creating the hash directories first) and hand it to the member.
if ! vos examine "user.$USER" 2>/dev/null; then
  vos create deleuze.hcoop.net /vicepa "user.$USER" -maxquota 400000
fi
mkdir -p "$(dirname "$HOMEPATH")"
if ! fs ls "$HOMEPATH"; then
  fs mkm "$HOMEPATH" "user.$USER"
fi
chown "$USER" "$HOMEPATH"
fs sa "$HOMEPATH" "$USER" all
# NOTE(review): 'rl' for system:anyuser makes the top of the home directory
# listable and readable by anyone who can reach the cell, and AFS copies the
# parent's ACL into each directory created below it (logs/apache included)
# -- confirm that exposure is intended.
fs sa "$HOMEPATH" system:anyuser rl

# Apache logs: the member's cgi identity may write here.
mkdir -p "$HOMEPATH/logs/apache"
fs sa "$HOMEPATH/logs/apache" "$USER.cgi" rlwidk

# public_html and .procmail.d are explicitly readable by system:anyuser
# (presumably for the web server and the mail filter respectively).
mkdir -p "$HOMEPATH/public_html/"
fs sa "$HOMEPATH/public_html" system:anyuser rl
mkdir -p "$HOMEPATH/.procmail.d/"
fs sa "$HOMEPATH/.procmail.d/" system:anyuser rl

# MAIL VOLUME: create it if missing, mount it under the common email tree
# and again as ~/Maildir; writable by the member and by their mailfilter
# identity.
if ! vos examine "mail.$USER" 2>/dev/null; then
  vos create deleuze.hcoop.net /vicepa "mail.$USER" -maxquota 400000
fi
mkdir -p "$(dirname "$MAILPATH")"
if ! fs ls "$MAILPATH"; then
  fs mkm "$MAILPATH" "mail.$USER"
fi
if ! fs ls "$HOMEPATH/Maildir"; then
  fs mkm "$HOMEPATH/Maildir" "mail.$USER"
fi
fs sa "$MAILPATH" "$USER" all
fs sa "$MAILPATH" "$USER.mailfilter" all

# DATABASE VOLUME: created once.  It is mounted read-write inside the
# writable copy of common.databases, which is then released so the read-only
# path (DBPATH) sees the new mount point.  Only the database servers get to
# look up entries, and backup gets read access.
if ! vos examine "db.$USER" >/dev/null 2>&1; then
  rw_db_mount=/afs/.hcoop.net/common/.databases/$PATHBITS
  mkdir -p "$(dirname "$rw_db_mount")"
  vos create -server afs -partition a -name "db.$USER" -maxquota 400000
  fs mkmount -dir "$rw_db_mount" -vol "db.$USER" -rw
  vos release common.databases
  fs sa -dir "$DBPATH" -acl system:postgres l
  fs sa -dir "$DBPATH" -acl system:mysql l
  fs sa -dir "$DBPATH" -acl system:backup rl
fi

# Create the postgres tablespace directory inside the volume and register
# the tablespace.  First run only: the directory doubles as the "already
# done" marker, since CREATE TABLESPACE is not idempotent.
# NOTE(review): the tablespace name and LOCATION are spliced straight into
# the SQL text, so USER and PGDIR must already be known to be safe.
if [[ ! -d "$PGDIR" ]]; then
  mkdir -p "$PGDIR"
  chown postgres:postgres "$PGDIR"
  fs sa -dir "$PGDIR" -acl system:postgres write
  sudo -u postgres psql -c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
fi

# Create the mysql data directory inside the volume.  Every step here is
# idempotent, so unlike postgres there is no first-run guard.
mkdir -p "$MYSQLDIR"
chown mysql:mysql "$MYSQLDIR"
fs sa -dir "$MYSQLDIR" -acl system:mysql write


#
# Mount points for the backup volumes (user.<name>.backup, mail.<name>.backup)
# under /afs/hcoop.net/old.  The backup volumes themselves are not created
# here; the mount points are only added if they do not exist yet.
#

old_home=/afs/hcoop.net/old/user/$PATHBITS
old_mail=/afs/hcoop.net/old/mail/$PATHBITS
mkdir -p "$(dirname "$old_home")"
mkdir -p "$(dirname "$old_mail")"
if ! fs ls "$old_home"; then
  fs mkm "$old_home" "user.$USER.backup"
fi
if ! fs ls "$old_mail"; then
  fs mkm "$old_mail" "mail.$USER.backup"
fi

# Synchronise the VLDB and the file server's view of the volumes.  Possibly
# not strictly necessary after the operations above, but cheap insurance.
vos syncserv deleuze
vos syncvldb deleuze

# Flush the volume-location cache on both clients; left alone it would take
# roughly two hours to notice the new volumes.
fs checkvolumes
ssh mire.hcoop.net fs checkvolumes

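#
# Finally, set the password for the member's main principal.
# Aborting this step is harmless: just run "kadmin.local cpw" again by hand.
#
# kadmin.local does not report cpw failures through its exit status, so the
# output is captured and checked for the success message.  The capture goes
# to a private mktemp file rather than a fixed, predictable name in /tmp
# (which another local user could pre-create or symlink), and is removed on
# every exit path.  tee keeps kadmin's password prompt visible on the
# terminal; the file holds only kadmin's prompts and result text.
#
KADMIN_OUT=$(mktemp)
trap 'rm -f "$KADMIN_OUT"' EXIT
sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" 2>&1 | tee "$KADMIN_OUT"
if ! grep -q 'Password for .* changed' "$KADMIN_OUT"; then
  echo "create-user: cpw for $USER@HCOOP.NET did not succeed; re-run cpw by hand" >&2
  exit 1
fi
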