Explicitly forward kerberos tokens in create-user
[clinton/scripts.git] / create-user
1 #!/bin/bash -ex
2
3 # MUST be executed:
4 # - on deleuze
5 # - as a user with an /etc/sudoers line
6 # - member of "wheel" unix group on deleuze
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - and is a member of "wheel" on mire
9 # - while holding tokens for a user who is:
10 # - a member of system:administrator
11 # - listed in 'bos listusers deleuze'
12 # - and who has been set up with Domtool admin privileges by:
13 # - running 'domtool-adduser $USER' while holding AFS admin tokens as
14 # someone who is already a Domtool admin
15 # - running 'domtool-admin grant $USER priv all' as someone who is already a
16 # Domtool admin
17 # (To bootstrap yourself into admindom:
18 # 1. Run '/etc/init.d/domtool-server stop' on deleuze.
19 # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
20 # (e.g., mire).
21 # 3. Edit ~domtool/acl, following the example of adamc_admin to grant
22 # yourself 'priv all'.
23 # 4. Run '/etc/init.d/domtool-server start' on deleuze.
24 # 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
25 # machines.
26 # 6. Run 'domtool-adduser' as above.)
27
28 USER=$1
29
30 export PATH=$PATH:/afs/hcoop.net/common/bin/
31
32 if test -z "$USER"; then
33 echo "Invoke as create-user <USERNAME>"
34 exit 1
35 fi
36
37 #
38 # Helper functions
39 #
40
41 # Run a command on both mire and deleuze; assumes that no escaping is
42 # needed.
43 function mire_and_deleuze() {
44 $*
45 ssh -K mire.hcoop.net $*
46 }
47
48 function execute_on_fritz () {
49 ssh -K fritz.hcoop.net $*
50 }
51
52 function execute_on_all_machines () {
53 $*
54 ssh -K mire.hcoop.net $*
55 ssh -K hopper.hcoop.net $*
56 ssh -K fritz.hcoop.net $*
57 }
58
59 #
60 # Kerberos principals
61 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
62 #
63
64 # We use -randkey for user's main principal as well, to make sure that
65 # the creation process does not continue without having a main
66 # principal. (But you who want to set password for a user, don't
67 # worry - we'll invoke cpw later, so that it has the same effect
68 # as setting password right now - while it is more error tolerant).
69
70 sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
71 sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
72 sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
73
74 #
75 # Create AFS users corresponding to krb5 principals.
76 # (fred/cgi principal == fred.cgi AFS user)
77 #
78
79 pts cu $USER || true
80 ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
81 pts cu $USER.daemon || true
82 ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
83
84
85 #
86 # Construct various paths for later perusal.
87 #
88
89 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
90 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
91 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
92 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
93
94 #
95 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
96 # lost the idea of what I want to do with LDAP, but we'll
97 # see with time how well it integrates...)
98 # The ID returned from AFS is important here, we want to make
99 # sure those IDs match.
100 #
101
102 # USER entry
103 echo "
104 dn: uid=$USER,ou=People,dc=hcoop,dc=net
105 objectClass: top
106 objectClass: person
107 objectClass: posixAccount
108 cn: $USER
109 uid: $USER
110 gidNumber: $ID
111 sn: $USER
112 host: abulafia
113 host: mire
114
115 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
116 objectClass: top
117 objectClass: posixGroup
118 cn: $USER
119 gidNumber: $ID
120 memberUid: $USER
121 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
122
123 # USER.daemon entry
124 echo "
125 dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
126 objectClass: top
127 objectClass: person
128 objectClass: posixAccount
129 cn: $USER.daemon
130 uid: $USER.daemon
131 gidNumber: $ID_DAEMON
132 sn: $USER.daemon
133
134 dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
135 objectClass: top
136 objectClass: posixGroup
137 cn: $USER.daemon
138 gidNumber: $ID_DAEMON
139 memberUid: $USER.daemon
140 " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
141
142
143 #
144 # Export .mailfilter and .cgi keys to a keytab file
145 #
146
147 # create a daemon keytab (used by /etc/exim4/get-token)
148 # *only* if it does not exist!
149 test -e /etc/keytabs/user.daemon/$USER || \
150 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
151
152 # Properly chown/mod keytab files (must be $USER:www-data)
153 sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
154 sudo chmod 440 /etc/keytabs/user.daemon/$USER
155
156 # rsync keytabs
157 (cd /etc/keytabs
158 sudo tar clpf - user.daemon/$USER | \
159 ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
160 (cd /etc/keytabs
161 sudo tar clpf - user.daemon/$USER | \
162 ssh hopper.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
163
164 #
165 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
166 #
167
168 # HOME VOLUME
169 if vos examine user.$USER.d 2>/dev/null; then
170 echo "Reactivating old volume (user.$USER.d)"
171 vos rename user.$USER.d user.$USER
172 fi
173 vos examine user.$USER 2>/dev/null || \
174 vos create fritz.hcoop.net /vicepa user.$USER -maxquota 400000
175
176 mkdir -p `dirname $HOMEPATH`
177 fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
178 chown $USER:nogroup $HOMEPATH
179 fs sa $HOMEPATH $USER all
180 fs sa $HOMEPATH system:anyuser l
181
182 # Apache logs
183 mkdir -p $HOMEPATH/.logs
184 chown $USER:nogroup $HOMEPATH/.logs
185 mkdir -p $HOMEPATH/.logs/apache
186 chown $USER:nogroup $HOMEPATH/.logs/apache
187 fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk
188 mkdir -p $HOMEPATH/.logs/mail
189 fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk
190 chown $USER:nogroup $HOMEPATH/.logs/mail
191
192 # public_html
193 test -e $HOMEPATH/public_html || \
194 (mkdir -p $HOMEPATH/public_html; \
195 chown $USER:nogroup $HOMEPATH/public_html; \
196 fs sa $HOMEPATH/public_html system:anyuser none; \
197 fs sa $HOMEPATH/public_html $USER.daemon rl)
198
199 # .procmail.d
200 mkdir -p $HOMEPATH/.procmail.d
201 chown $USER:nogroup $HOMEPATH/.procmail.d
202 fs sa $HOMEPATH/.procmail.d system:anyuser rl
203
204 # .public
205 mkdir -p $HOMEPATH/.public/
206 chown $USER:nogroup $HOMEPATH/.public
207 fs sa $HOMEPATH/.public system:anyuser rl
208
209 # .domtool
210 mkdir -p $HOMEPATH/.public/.domtool
211 chown $USER:nogroup $HOMEPATH/.public/.domtool
212 test -e $HOMEPATH/.domtool || \
213 test -L $HOMEPATH/.domtool || \
214 sudo -u $USER ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
215
216 # Gitweb hosting
217 test -L /var/cache/git/$USER || \
218 sudo ln -s $HOMEPATH/.hcoop-git /var/cache/git/$USER
219
220 # MAIL VOLUME
221 if vos examine mail.$USER.d 2>/dev/null; then
222 echo "Reactivating old volume (mail.$USER.d)"
223 vos rename mail.$USER.d mail.$USER
224 fi
225 vos examine mail.$USER 2>/dev/null || \
226 vos create fritz.hcoop.net /vicepa mail.$USER -maxquota 400000
227
228 mkdir -p `dirname $MAILPATH`
229 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
230 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
231 chown $USER:nogroup $MAILPATH
232 chown $USER:nogroup $HOMEPATH/Maildir
233 fs sa $MAILPATH $USER all
234 fs sa $MAILPATH $USER.daemon all
235 if test ! -e $MAILPATH/new; then
236 mkdir -p $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
237 echo -e "This email account is provided as a service for HCoop members." \
238 "\n\nTo learn how to use it, please visit the page" \
239 "\n<http://wiki.hcoop.net/MemberManual/Email> on our website."| \
240 mail -s "Welcome to your HCoop email store" \
241 -e -a "From: postmaster@hcoop.net" \
242 real-$USER
243 fi
244 chown $USER:nogroup $MAILPATH/cur $MAILPATH/new $MAILPATH/tmp
245
246 # Set up shared SpamAssassin folder
247 if test -f $HOMEPATH/Maildir/shared-maildirs; then
248 # Deal with case where user rsync'd their Maildir from fyodor
249 pattern='^SpamAssassin /home/spamd'
250 file=$HOMEPATH/Maildir/shared-maildirs
251 if grep $pattern $file; then
252 sed -i -r -e \
253 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
254 $file
255 fi
256 else
257 maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \
258 $HOMEPATH/Maildir
259 fi
260
261 # Create database tablespaces
262 execute_on_fritz /afs/hcoop.net/common/etc/scripts/create-user-database $USER
263
264 #
265 # Mount points for backup volumes
266 #
267
268 mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
269 mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
270 fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
271 fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
272 fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
273 fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
274 vos release old
275
276 # technically this might not be necessary, but for good measure...
277 vos syncserv fritz
278 vos syncvldb fritz
279
280 # refresh volume location cache (takes ~2hrs otherwise)
281 execute_on_all fs checkvolumes
282
283 #
284 # Non-AFS files and directories
285 #
286
287 # Make per-user apache DAV lock directory -- the directory must be
288 # both user and group-writable, which is silly.
289 mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER
290 mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER
291 mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER
292
293 #
294 # Domtool integration
295 #
296
297 domtool-adduser $USER
298
299 #
300 # Subscribe user to our mailing lists.
301 #
302 echo $USER@hcoop.net | sudo -u list \
303 /var/lib/mailman/bin/add_members -r - hcoop-announce