# MUST be executed:
# - on deleuze
# - as a user with an /etc/sudoers line
-# - member of wheel unix group
+# - member of "wheel" unix group on deleuze
+# - while holding tickets for a user who can 'ssh -K' to mire
+# - and is a member of "wheel" on mire
# - while holding tokens for a user who is:
# - a member of system:administrator
# - listed in 'bos listusers deleuze'
# worry - we'll invoke cpw later, so that it has the same effect
# as setting password right now - while it is more error tolerant).
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET"
#
# Create AFS users corresponding to krb5 principals.
PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
+DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
PGDIR=$DBPATH/postgres
MYSQLDIR=$DBPATH/mysql
cn: $USER
uid: $USER
gidNumber: $ID
-homeDirectory: $HOMEPATH
sn: $USER
host: abulafia
host: mire
cn: $USER.mailfilter
uid: $USER.mailfilter
gidNumber: $ID_MF
-homeDirectory: $HOMEPATH
sn: $USER.mailfilter
dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
cn: $USER.cgi
uid: $USER.cgi
gidNumber: $ID_CGI
-homeDirectory: $HOMEPATH
sn: $USER.cgi
dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+# technically this might not be necessary, but for good measure...
vos syncserv deleuze
vos syncvldb deleuze
-fs checkvolumes
-
-#
-# Finally, set password for main user's principal
-# Aborting this operation is harmless. Just re-invoke cpw.
-#
-# kadmin.local doesn't report errors properly, so we have to
-# check manually
-#
-sudo rm -f /tmp/kadmin.out
-sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \
- 2>&1 | tee /tmp/kadmin.out
-cat /tmp/kadmin.out | grep 'Password for .* changed'
-sudo rm -f /tmp/kadmin.out
+# refresh volume location cache (takes ~2hrs otherwise)
+fs checkvolumes
+ssh mire.hcoop.net fs checkvolumes
+
+# Technically this is not idempotent. This is not *too* bad because
+# of the fact that in AFS non-system:administrators users can't change
+# the group/owner of a file anyways. However, users still might want
+# to know which other users created certain files (in, say, a dropbox
+# or something like that). FIMXE.
+chown -R $USER:nogroup $HOMEPATH
+chown -R $USER:nogroup $MAILPATH
HCoop / clinton / scripts.git / blobdiff