X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/9445a2d9ee035090ac62a717d02e2b0690c82b88..b73d9f02d1e80e2b8a909213a0ae609dbf69ab87:/create-user
diff --git a/create-user b/create-user
index 31c67e6..7608e97 100755
--- a/create-user
+++ b/create-user
@@ -3,8 +3,9 @@
 # MUST be executed:
 # - on deleuze
 # - as a user with an /etc/sudoers line
-# - member of wheel unix group
+# - member of "wheel" unix group on deleuze
 # - while holding tickets for a user who can 'ssh -K' to mire
+# - and is a member of "wheel" on mire
 # - while holding tokens for a user who is:
 # - a member of system:administrator
 # - listed in 'bos listusers deleuze'
@@ -28,10 +29,9 @@ fi
 # worry - we'll invoke cpw later, so that it has the same effect
 # as setting password right now - while it is more error tolerant).
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET"
 #
 # Create AFS users corresponding to krb5 principals.
@@ -54,7 +54,7 @@ ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
+DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
 PGDIR=$DBPATH/postgres
 MYSQLDIR=$DBPATH/mysql
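Review bot: The three new `ank` lines still build the principal name by interpolating `$USER` into the `-q` string without any check on its contents, so a username carrying whitespace or quote characters would be split into extra kadmin arguments; assuming USER is assigned from the script's argument earlier in the file (not visible here), a guard placed before the first `ank`, for example `case "$USER" in ""|*[!a-z0-9]*) echo "create-user: bad username" >&2; exit 1 ;; esac`, would confine the principal to a plain name. The exit status and output of `kadmin.local` are also not examined, so a failed `ank` lets the script go on to create AFS users and volumes for principals that do not exist. The context comment at the top of this hunk ("we'll invoke cpw later") describes the step the last hunk deletes and should say where the initial password is now set instead.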
@@ -175,6 +175,7 @@ mkdir -p `dirname $MAILPATH`
 fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
 fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
 fs sa $MAILPATH $USER all
+fs sa $MAILPATH system:anyuser l
 fs sa $MAILPATH $USER.mailfilter all
 # DATABASE VOLUME
@@ -222,16 +223,10 @@ vos syncvldb deleuze
 fs checkvolumes
 ssh mire.hcoop.net fs checkvolumes
-#
-# Finally, set password for main user's principal
-# Aborting this operation is harmless. Just re-invoke cpw.
-#
-# kadmin.local doesn't report errors properly, so we have to
-# check manually
-#
-sudo rm -f /tmp/kadmin.out
-sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET" \
- 2>&1 | tee /tmp/kadmin.out
-cat /tmp/kadmin.out | grep 'Password for .* changed'
-sudo rm -f /tmp/kadmin.out
-
+# Technically this is not idempotent. This is not *too* bad because
+# of the fact that in AFS non-system:administrators users can't change
+# the group/owner of a file anyways. However, users still might want
+# to know which other users created certain files (in, say, a dropbox
+# or something like that). FIMXE.
+chown -R $USER:nogroup $HOMEPATH
+chown -R $USER:nogroup $MAILPATH
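Review bot: `fs sa $MAILPATH system:anyuser l` grants lookup on the user's mail directory to every client, including unauthenticated ones, so anyone can enumerate the directory's entries (Maildir layout and file names) and read its ACL, and nothing in the hunk says why that is required. If the grant exists so that a delivery or filtering process can traverse into the mailbox, a narrower grantee (the principal that actually delivers, or system:authuser) gives that without exposing the listing to the world. At minimum the line needs a comment stating the reason, e.g. `# system:anyuser gets lookup ('l') only so that <delivery process> can traverse into the mailbox; this does not grant read.`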
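Review bot: Deleting the `cpw` block also deletes the only place the script checked a `kadmin.local` result (`grep 'Password for .* changed'`), and neither a replacement step nor a comment says where the new account's password is now set, so a reader of the new code cannot tell whether the user ends up with a usable principal. The added `chown -R` lines take paths derived from `$USER` and inherit the script's lack of quoting; `chown -R "$USER":nogroup "$HOMEPATH"` and `chown -R "$USER":nogroup "$MAILPATH"` keep a path containing whitespace from being split. The new comment has the typo `FIMXE` (presumably `FIXME`) and would be more useful if it stated what is actually left to do rather than only that the step is not idempotent.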