# MUST be executed:
# - on deleuze
# - as a user with an /etc/sudoers line
-# - member of wheel unix group
+# - member of "wheel" unix group on deleuze
+# - while holding tickets for a user who can 'ssh -K' to mire
+# - and is a member of "wheel" on mire
# - while holding tokens for a user who is:
# - a member of system:administrator
# - listed in 'bos listusers deleuze'
USER=$1
+export PATH=$PATH:/afs/hcoop.net/common/bin/
+
if test -z "$USER"; then
echo "Invoke as create-user <USERNAME>"
exit 1
# worry - we'll invoke cpw later, so that it has the same effect
# as setting password right now - while it is more error tolerant).
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
#
# Create AFS users corresponding to krb5 principals.
pts cu $USER || true
ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.mailfilter $ID_MF || true
-ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
-pts cu $USER.cgi || true
-ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
+pts cu $USER.daemon || true
+ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
#
PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
HOMEPATH=/afs/hcoop.net/user/$PATHBITS
MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
+DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
PGDIR=$DBPATH/postgres
MYSQLDIR=$DBPATH/mysql
cn: $USER
uid: $USER
gidNumber: $ID
-homeDirectory: $HOMEPATH
sn: $USER
host: abulafia
host: mire
memberUid: $USER
" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-# USER.mailfilter entry
-echo "
-dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
-objectClass: top
-objectClass: person
-objectClass: posixAccount
-cn: $USER.mailfilter
-uid: $USER.mailfilter
-gidNumber: $ID_MF
-homeDirectory: $HOMEPATH
-sn: $USER.mailfilter
-
-dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
-objectClass: top
-objectClass: posixGroup
-cn: $USER.mailfilter
-gidNumber: $ID_MF
-memberUid: $USER.mailfilter
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
-
-# USER.cgi entry
+# USER.daemon entry
echo "
-dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
+dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
-cn: $USER.cgi
-uid: $USER.cgi
-gidNumber: $ID_CGI
-homeDirectory: $HOMEPATH
-sn: $USER.cgi
+cn: $USER.daemon
+uid: $USER.daemon
+gidNumber: $ID_DAEMON
+sn: $USER.daemon
-dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
+dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
objectClass: top
objectClass: posixGroup
-cn: $USER.cgi
-gidNumber: $ID_CGI
-memberUid: $USER.cgi
+cn: $USER.daemon
+gidNumber: $ID_DAEMON
+memberUid: $USER.daemon
" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
# Export .mailfilter and .cgi keys to a keytab file
#
-# create a mailfilter keytab (used by /etc/exim4/get-token)
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
-# create a cgi keytab
-sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
+# create a daemon keytab (used by /etc/exim4/get-token)
+# *only* if it does not exist!
+test -e /etc/keytabs/user.daemon/$USER || \
+ sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
-# Properly chown/mod keytab files (www-data must own the cgi keytab)
-sudo chown www-data:wheel /etc/keytabs/cgi/$USER
-sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
-sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
+# Properly chown/mod keytab files (must be $USER:www-data)
+sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER
+sudo chmod 440 /etc/keytabs/user.daemon/$USER
-# FIXME: rsync keytabs to mire?
+# rsync keytabs to mire
+(cd /etc/keytabs
+ sudo tar clpf - user.daemon/$USER | \
+ ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -)
#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
vos examine user.$USER 2>/dev/null || \
vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
mkdir -p `dirname $HOMEPATH`
-test -e $HOMEPATH || fs mkm $HOMEPATH user.$USER
-chown $USER $HOMEPATH
+fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER
+chown $USER:nogroup $HOMEPATH
fs sa $HOMEPATH $USER all
-fs sa $HOMEPATH system:anyuser rl
+fs sa $HOMEPATH system:anyuser l
# Apache logs
mkdir -p $HOMEPATH/logs/apache
-fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
+chown $USER:nogroup $HOMEPATH/logs/apache
+fs sa $HOMEPATH/logs/apache $USER.daemon rlwidk
+
+# public_html
+mkdir -p $HOMEPATH/public_html
+chown $USER:nogroup $HOMEPATH/public_html
+fs sa $HOMEPATH/public_html system:anyuser rl
+
+# .procmail.d
+mkdir -p $HOMEPATH/.procmail.d
+chown $USER:nogroup $HOMEPATH/.procmail.d
+fs sa $HOMEPATH/.procmail.d system:anyuser rl
+
+# .public
+mkdir -p $HOMEPATH/.public/
+chown $USER:nogroup $HOMEPATH/.public
+fs sa $HOMEPATH/.public system:anyuser rl
+
+# .domtool
+mkdir -p $HOMEPATH/.public/.domtool
+chown $USER:nogroup $HOMEPATH/.public/.domtool
+test -e $HOMEPATH/.domtool || \
+ test -L $HOMEPATH/.domtool || \
+ ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool
# MAIL VOLUME
vos examine mail.$USER 2>/dev/null || \
vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
mkdir -p `dirname $MAILPATH`
-test -e $MAILPATH || fs mkm $MAILPATH mail.$USER
-test -e $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
-fs sa $MAILPATH $USER all
-fs sa $MAILPATH $USER.mailfilter all
+fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
+fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
+chown $USER:nogroup $MAILPATH
+chown $USER:nogroup $HOMEPATH/Maildir
+fs sa $MAILPATH $USER all
+fs sa $MAILPATH $USER.daemon all
# DATABASE VOLUME
if ! vos examine db.$USER >/dev/null 2>/dev/null; then
# Mount points for backup volumes
#
-mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
-mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
-test -e /afs/hcoop.net/old/user/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
-test -e /afs/hcoop.net/old/mail/$PATHBITS || \
- fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
+mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
+fs ls /afs/hcoop.net/.old/user/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup
+fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \
+ fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup
+vos release old
+# technically this might not be necessary, but for good measure...
vos syncserv deleuze
vos syncvldb deleuze
+
+# refresh volume location cache (takes ~2hrs otherwise)
fs checkvolumes
+ssh mire.hcoop.net fs checkvolumes
#
-# Finally, set password for main user's principal
-# Aborting this operation is harmless. Just re-invoke cpw.
+# Files and directories on deleuze
#
-# kadmin.local doesn't report errors properly, so we have to
-# check manually
-#
-sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \
- 2>&1 | grep 'Password for .* changed' || \
- (echo "*** kadmin.local -q cpw failed!"; exit -1)
+# Make per-user apache DAV lock directory -- the directory must be
+# both user and group-writable, which is silly.
+sudo mkdir -p /var/lock/apache2/dav/$USER
+sudo chown $USER:www-data /var/lock/apache2/dav/$USER
+sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER