X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/64f69c080c7221b8ab7016a5403c0272510ec6b5..241a0263b49eb5a72ff9d4ef14d50f351c93e1f9:/create-user diff --git a/create-user b/create-user index 6ffab03..d374f35 100755 --- a/create-user +++ b/create-user @@ -9,14 +9,41 @@ # - while holding tokens for a user who is: # - a member of system:administrator # - listed in 'bos listusers deleuze' +# - and who has been set up with Domtool admin privileges by: +# - running 'domtool-adduser $USER' while holding AFS admin tokens as +# someone who is already a Domtool admin +# - running 'domtool-admin grant $USER priv all' as someone who is already a +# Domtool admin +# (To bootstrap yourself into admindom: +# 1. Run '/etc/init.d/domtool-server stop' on deleuze. +# 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines +# (e.g., mire). +# 3. Edit ~domtool/acl, following the example of adamc_admin to grant +# yourself 'priv all'. +# 4. Run '/etc/init.d/domtool-server start' on deleuze. +# 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave +# machines. +# 6. Run 'domtool-adduser' as above.) USER=$1 +export PATH=$PATH:/afs/hcoop.net/common/bin/ + if test -z "$USER"; then echo "Invoke as create-user " exit 1 fi +# +# Helper functions +# + +# Run a command on both mire and deleuze; assumes that no escaping is +# needed. +function mire_and_deleuze() { + $* + ssh mire.hcoop.net $* +} # # Kerberos principals @@ -30,8 +57,8 @@ fi # as setting password right now - while it is more error tolerant). sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET" -sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET" -sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET" +sudo kadmin.local -p root/admin -q "modprinc -maxlife 1day $USER@HCOOP.NET" +sudo kadmin.local -p root/admin -q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET" # # Create AFS users corresponding to krb5 principals. @@ -40,10 +67,8 @@ sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $ pts cu $USER || true ID=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` -pts cu $USER.mailfilter $ID_MF || true -ID_MF=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` -pts cu $USER.cgi || true -ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` +pts cu $USER.daemon || true +ID_DAEMON=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'` # @@ -88,42 +113,23 @@ gidNumber: $ID memberUid: $USER " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true -# USER.mailfilter entry -echo " -dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net -objectClass: top -objectClass: person -objectClass: posixAccount -cn: $USER.mailfilter -uid: $USER.mailfilter -gidNumber: $ID_MF -sn: $USER.mailfilter - -dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net -objectClass: top -objectClass: posixGroup -cn: $USER.mailfilter -gidNumber: $ID_MF -memberUid: $USER.mailfilter -" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true - -# USER.cgi entry +# USER.daemon entry echo " -dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net +dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net objectClass: top objectClass: person objectClass: posixAccount -cn: $USER.cgi -uid: $USER.cgi -gidNumber: $ID_CGI -sn: $USER.cgi +cn: $USER.daemon +uid: $USER.daemon +gidNumber: $ID_DAEMON +sn: $USER.daemon -dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net +dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net objectClass: top objectClass: posixGroup -cn: $USER.cgi -gidNumber: $ID_CGI -memberUid: $USER.cgi +cn: $USER.daemon +gidNumber: $ID_DAEMON +memberUid: $USER.daemon " | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true @@ -131,19 +137,19 @@ memberUid: $USER.cgi # Export .mailfilter and .cgi keys to a keytab file # -# create a mailfilter keytab (used by /etc/exim4/get-token) -sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET" +# create a daemon keytab (used by /etc/exim4/get-token) +# *only* if it does not exist! +test -e /etc/keytabs/user.daemon/$USER || \ + sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET" -# create a cgi keytab -sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET" - -# Properly chown/mod keytab files (www-data must own the cgi keytab) -sudo chown www-data:wheel /etc/keytabs/cgi/$USER -sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER -sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER +# Properly chown/mod keytab files (must be $USER:www-data) +sudo chown $USER:www-data /etc/keytabs/user.daemon/$USER +sudo chmod 440 /etc/keytabs/user.daemon/$USER # rsync keytabs to mire -rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER +(cd /etc/keytabs + sudo tar clpf - user.daemon/$USER | \ + ssh mire.hcoop.net cd /etc/keytabs\; sudo tar xlpf -) # # Create/mount/set-perms on user's volumes (home, mail, databases, logs) @@ -153,20 +159,42 @@ rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER vos examine user.$USER 2>/dev/null || \ vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000 mkdir -p `dirname $HOMEPATH` -fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER -chown $USER $HOMEPATH +fs ls $HOMEPATH || test -L $HOMEPATH || fs mkm $HOMEPATH user.$USER +chown $USER:nogroup $HOMEPATH fs sa $HOMEPATH $USER all -fs sa $HOMEPATH system:anyuser rl +fs sa $HOMEPATH system:anyuser l # Apache logs -mkdir -p $HOMEPATH/logs/apache -fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk +mkdir -p $HOMEPATH/.logs +chown $USER:nogroup $HOMEPATH/.logs +mkdir -p $HOMEPATH/.logs/apache +chown $USER:nogroup $HOMEPATH/.logs/apache +fs sa $HOMEPATH/.logs/apache $USER.daemon rlwidk +mkdir -p $HOMEPATH/.logs/mail +fs sa $HOMEPATH/.logs/mail $USER.daemon rlwidk +chown $USER:nogroup $HOMEPATH/.logs/mail # public_html -mkdir -p $HOMEPATH/public_html/ +mkdir -p $HOMEPATH/public_html +chown $USER:nogroup $HOMEPATH/public_html fs sa $HOMEPATH/public_html system:anyuser rl -mkdir -p $HOMEPATH/.procmail.d/ -fs sa $HOMEPATH/.procmail.d/ system:anyuser rl + +# .procmail.d +mkdir -p $HOMEPATH/.procmail.d +chown $USER:nogroup $HOMEPATH/.procmail.d +fs sa $HOMEPATH/.procmail.d system:anyuser rl + +# .public +mkdir -p $HOMEPATH/.public/ +chown $USER:nogroup $HOMEPATH/.public +fs sa $HOMEPATH/.public system:anyuser rl + +# .domtool +mkdir -p $HOMEPATH/.public/.domtool +chown $USER:nogroup $HOMEPATH/.public/.domtool +test -e $HOMEPATH/.domtool || \ + test -L $HOMEPATH/.domtool || \ + ln -s $HOMEPATH/.public/.domtool $HOMEPATH/.domtool # MAIL VOLUME vos examine mail.$USER 2>/dev/null || \ @@ -174,9 +202,47 @@ vos examine mail.$USER 2>/dev/null || \ mkdir -p `dirname $MAILPATH` fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER -fs sa $MAILPATH $USER all -fs sa $MAILPATH system:anyuser l -fs sa $MAILPATH $USER.mailfilter all +chown $USER:nogroup $MAILPATH +chown $USER:nogroup $HOMEPATH/Maildir +fs sa $MAILPATH $USER all +fs sa $MAILPATH $USER.daemon all + +# Set up shared SpamAssassin folder +if test -f $HOMEPATH/Maildir/shared-maildirs; then + # Deal with case where user rsync'd their Maildir from fyodor + pattern='^SpamAssassin /home/spamd' + file=$HOMEPATH/Maildir/shared-maildirs + if grep $pattern $file; then + sed -i -r -e \ + 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \ + $file + fi + +# This does not yet seem to be needed, and it triggers an AFS issue, +# so I've commented it out --mwolson. +# +NOTIFY=no +for dir in $HOMEPATH/Maildir/shared-folders/SpamAssassin/*; do + if ! test -d $dir; then + NOTIFY=yes + else + dest=/var/local/lib/spamd/Maildir/.$(basename $dir) + if test "$(readlink $dir/shared)" != "$dest"; then + ln -sf $dest $dir/shared + fi + fi +done +if test $NOTIFY = yes; then + # This is probably going overboard, but oh well + echo "$USER needs assistance on their shared spam dir" | \ + pagsh -c mail -s "[create-user] $USER needs assistance" \ + -e -a "From: admins@deleuze.hcoop.net" mwolson_admin +fi + +else + maildirmake --add SpamAssassin=/var/local/lib/spamd/Maildir \ + $HOMEPATH/Maildir +fi # DATABASE VOLUME if ! vos examine db.$USER >/dev/null 2>/dev/null; then @@ -190,7 +256,7 @@ if ! vos examine db.$USER >/dev/null 2>/dev/null; then fi # Create postgres user and tablespace placeholder within volume -if ! [ -d $PGDIR ]; then +if ! test -d $PGDIR; then mkdir -p $PGDIR chown postgres:postgres $PGDIR fs sa -dir $PGDIR -acl system:postgres write @@ -208,31 +274,33 @@ fs sa -dir $MYSQLDIR -acl system:mysql write # Mount points for backup volumes # -mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS` -mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS` -fs ls /afs/hcoop.net/old/user/$PATHBITS || \ - fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup -fs ls /afs/hcoop.net/old/mail/$PATHBITS || \ - fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup +mkdir -p `dirname /afs/hcoop.net/.old/user/$PATHBITS` +mkdir -p `dirname /afs/hcoop.net/.old/mail/$PATHBITS` +fs ls /afs/hcoop.net/.old/user/$PATHBITS || \ + fs mkm /afs/hcoop.net/.old/user/$PATHBITS user.$USER.backup +fs ls /afs/hcoop.net/.old/mail/$PATHBITS || \ + fs mkm /afs/hcoop.net/.old/mail/$PATHBITS mail.$USER.backup +vos release old # technically this might not be necessary, but for good measure... vos syncserv deleuze vos syncvldb deleuze # refresh volume location cache (takes ~2hrs otherwise) -fs checkvolumes -ssh mire.hcoop.net fs checkvolumes +mire_and_deleuze fs checkvolumes + +# +# Non-AFS files and directories +# + +# Make per-user apache DAV lock directory -- the directory must be +# both user and group-writable, which is silly. +mire_and_deleuze sudo mkdir -p /var/lock/apache2/dav/$USER +mire_and_deleuze sudo chown $USER:www-data /var/lock/apache2/dav/$USER +mire_and_deleuze sudo chmod ug=rwx,o= /var/lock/apache2/dav/$USER # -# Finally, set password for main user's principal -# Aborting this operation is harmless. Just re-invoke cpw. +# Domtool integration # -# kadmin.local doesn't report errors properly, so we have to -# check manually -# -sudo rm -f /tmp/kadmin.out -sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \ - 2>&1 | tee /tmp/kadmin.out -cat /tmp/kadmin.out | grep 'Password for .* changed' -sudo rm -f /tmp/kadmin.out +domtool-adduser $USER