add +requires_preauth to "kadmin -q ank"
diff --git
a/create-user
b/create-user
index
97acdde
..
377448c
100755
(executable)
--- a/
create-user
+++ b/
create-user
@@
-4,6
+4,7
@@
# - on deleuze
# - as a user with an /etc/sudoers line
# - member of wheel unix group
# - on deleuze
# - as a user with an /etc/sudoers line
# - member of wheel unix group
+# - while holding tickets for a user who can 'ssh -K' to mire
# - while holding tokens for a user who is:
# - a member of system:administrator
# - listed in 'bos listusers deleuze'
# - while holding tokens for a user who is:
# - a member of system:administrator
# - listed in 'bos listusers deleuze'
@@
-27,10
+28,9
@@
fi
# worry - we'll invoke cpw later, so that it has the same effect
# as setting password right now - while it is more error tolerant).
# worry - we'll invoke cpw later, so that it has the same effect
# as setting password right now - while it is more error tolerant).
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET"
#
# Create AFS users corresponding to krb5 principals.
#
# Create AFS users corresponding to krb5 principals.
@@
-75,7
+75,6
@@
objectClass: posixAccount
cn: $USER
uid: $USER
gidNumber: $ID
cn: $USER
uid: $USER
gidNumber: $ID
-homeDirectory: $HOMEPATH
sn: $USER
host: abulafia
host: mire
sn: $USER
host: abulafia
host: mire
@@
-97,7
+96,6
@@
objectClass: posixAccount
cn: $USER.mailfilter
uid: $USER.mailfilter
gidNumber: $ID_MF
cn: $USER.mailfilter
uid: $USER.mailfilter
gidNumber: $ID_MF
-homeDirectory: $HOMEPATH
sn: $USER.mailfilter
dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
sn: $USER.mailfilter
dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
@@
-117,7
+115,6
@@
objectClass: posixAccount
cn: $USER.cgi
uid: $USER.cgi
gidNumber: $ID_CGI
cn: $USER.cgi
uid: $USER.cgi
gidNumber: $ID_CGI
-homeDirectory: $HOMEPATH
sn: $USER.cgi
dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
sn: $USER.cgi
dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
@@
-135,6
+132,7
@@
memberUid: $USER.cgi
# create a mailfilter keytab (used by /etc/exim4/get-token)
sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
# create a mailfilter keytab (used by /etc/exim4/get-token)
sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
+
# create a cgi keytab
sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
# create a cgi keytab
sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
@@
-143,7
+141,8
@@
sudo chown www-data:wheel /etc/keytabs/cgi/$USER
sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
-# FIXME: rsync keytabs to mire?
+# rsync keytabs to mire
+rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
#
# Create/mount/set-perms on user's volumes (home, mail, databases, logs)
@@
-162,6
+161,12
@@
fs sa $HOMEPATH system:anyuser rl
mkdir -p $HOMEPATH/logs/apache
fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
mkdir -p $HOMEPATH/logs/apache
fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
+# public_html
+mkdir -p $HOMEPATH/public_html/
+fs sa $HOMEPATH/public_html system:anyuser rl
+mkdir -p $HOMEPATH/.procmail.d/
+fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
+
# MAIL VOLUME
vos examine mail.$USER 2>/dev/null || \
vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
# MAIL VOLUME
vos examine mail.$USER 2>/dev/null || \
vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
@@
-208,9
+213,13
@@
fs ls /afs/hcoop.net/old/user/$PATHBITS || \
fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+# technically this might not be necessary, but for good measure...
vos syncserv deleuze
vos syncvldb deleuze
vos syncserv deleuze
vos syncvldb deleuze
+
+# refresh volume location cache (takes ~2hrs otherwise)
fs checkvolumes
fs checkvolumes
+ssh mire.hcoop.net fs checkvolumes
#
# Finally, set password for main user's principal
#
# Finally, set password for main user's principal
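Review bot: The new ACL `fs sa $HOMEPATH/.procmail.d/ system:anyuser rl` in the home-volume hunk (`@@ -162,6 +161,12 @@`) makes the user's mail-filter directory listable and readable by every AFS client, including unauthenticated ones, because system:anyuser is the anonymous group. That is the intended exposure for public_html two lines above, but procmail recipes commonly carry forwarding addresses and other private detail, so the grant looks wider than the need. If the only reader is the mail-filter process that authenticates with the $USER/mailfilter keytab created later in this script, a per-principal grant such as `fs sa $HOMEPATH/.procmail.d $USER.mailfilter rl` (mirroring the `$USER.cgi` grant on logs/apache just above) would keep the recipes private; if anonymous read really is required, a one-line comment stating why would help the next maintainer. The script is flat shell, so there is no enclosing function around these lines.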