X-Git-Url: http://git.hcoop.net/clinton/scripts.git/blobdiff_plain/d2462e94b7505964ab7d08c84fd1745341fc64a3..bf301371e226b795b2533bffa3d5a38a006c035b:/create-user
diff --git a/create-user b/create-user
index e4fafb7..7cc369b 100755
--- a/create-user
+++ b/create-user
@@ -3,7 +3,9 @@
 # MUST be executed:
 # - on deleuze
 # - as a user with an /etc/sudoers line
-# - member of wheel unix group
+# - member of "wheel" unix group on deleuze
+# - while holding tickets for a user who can 'ssh -K' to mire
+# - and is a member of "wheel" on mire
 # - while holding tokens for a user who is:
 # - a member of system:administrator
 # - listed in 'bos listusers deleuze'
@@ -27,10 +29,9 @@ fi
 # worry - we'll invoke cpw later, so that it has the same effect
 # as setting password right now - while it is more error tolerant).
-sudo kadmin.local -p root/admin -q "ank -policy user -randkey $USER@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
-sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
-
+sudo kadmin.local -p root/admin -q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy mailfilter -randkey +requires_preauth $USER/mailfilter@HCOOP.NET"
+sudo kadmin.local -p root/admin -q "ank -policy cgi -randkey +requires_preauth $USER/cgi@HCOOP.NET"
 #
 # Create AFS users corresponding to krb5 principals.
@@ -53,7 +54,7 @@ ID_CGI=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
 PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
 HOMEPATH=/afs/hcoop.net/user/$PATHBITS
 MAILPATH=/afs/hcoop.net/common/email/$PATHBITS
-DBPATH=/afs/hcoop.net/common/databases/$PATHBITS
+DBPATH=/afs/hcoop.net/common/.databases/$PATHBITS
 PGDIR=$DBPATH/postgres
 MYSQLDIR=$DBPATH/mysql
@@ -75,7 +76,6 @@ objectClass: posixAccount
 cn: $USER
 uid: $USER
 gidNumber: $ID
-homeDirectory: $HOMEPATH
 sn: $USER
 host: abulafia
 host: mire
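Review bot: The three new `ank` commands interpolate `$USER` unquoted into the `kadmin.local -q` query string, so a name containing whitespace, `/` or `@` silently changes which principal is created instead of failing, and this runs under sudo. Validate the name once where `USER` is assigned earlier in the file (outside this hunk), e.g. `case "$USER" in ''|*[!a-z0-9]*) exit 1;; esac`, and quote the expansion as `"$USER"`; the same unquoted use recurs in every later hunk, so one check at the top covers them all. The added `+requires_preauth` is the right default for new principals; a short comment above these lines saying why it is set would keep it from being dropped later.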
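Review bot: Removing `homeDirectory: $HOMEPATH` from this posixAccount entry (and from the `$USER.mailfilter` and `$USER.cgi` entries in the `-97` and `-117` hunks) will make `ldapadd` reject the entry with an object class violation if the server uses the standard nis schema, where posixAccount requires homeDirectory; that appears to be why `|| true` was added to the ldapadd pipelines in this same commit. If the attribute is really unwanted, the server schema or the entry's objectClass list has to change with it; if the goal is only to avoid pointing at the AFS path, keep the attribute with a neutral value such as `homeDirectory: /nonexistent`. A one-line comment above the LDIF stating which schema the directory runs would make the choice verifiable. The `echo "` that feeds this LDIF to ldapadd starts and ends outside the hunk.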
@@ -86,7 +86,7 @@ objectClass: posixGroup
 cn: $USER
 gidNumber: $ID
 memberUid: $USER
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
 # USER.mailfilter entry
 echo "
@@ -97,7 +97,6 @@ objectClass: posixAccount
 cn: $USER.mailfilter
 uid: $USER.mailfilter
 gidNumber: $ID_MF
-homeDirectory: $HOMEPATH
 sn: $USER.mailfilter
 dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
@@ -106,7 +105,7 @@ objectClass: posixGroup
 cn: $USER.mailfilter
 gidNumber: $ID_MF
 memberUid: $USER.mailfilter
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
 # USER.cgi entry
 echo "
@@ -117,7 +116,6 @@ objectClass: posixAccount
 cn: $USER.cgi
 uid: $USER.cgi
 gidNumber: $ID_CGI
-homeDirectory: $HOMEPATH
 sn: $USER.cgi
 dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
@@ -126,7 +124,7 @@ objectClass: posixGroup
 cn: $USER.cgi
 gidNumber: $ID_CGI
 memberUid: $USER.cgi
-" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret
+" | sudo ldapadd -x -D cn=admin,dc=hcoop,dc=net -y /etc/ldap.secret || true
 #
@@ -135,6 +133,7 @@ memberUid: $USER.cgi
 # create a mailfilter keytab (used by /etc/exim4/get-token)
 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
+
 # create a cgi keytab
 sudo kadmin.local -p root/admin -q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
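Review bot: `|| true` on the `ldapadd` pipeline (and the identical change in the `-106` and `-126` hunks) turns every failure — bad bind secret, unreachable server, schema violation — into success, so the script goes on to create keytabs and volumes for an account that may have no LDAP identity, and nothing is logged. If the purpose is re-runnability, check for the existing entry first (an `ldapsearch -x` for `uid=$USER` under the same base) instead of ignoring the status, or at minimum surface it: `… -y /etc/ldap.secret || echo "warning: ldapadd failed for $USER" >&2`. The pipeline's status is that of ldapadd alone, so this was the only place the failure could have been seen.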
@@ -143,16 +142,18 @@ sudo chown www-data:wheel /etc/keytabs/cgi/$USER
 sudo chown $USER:wheel /etc/keytabs/mailfilter/$USER
 sudo chmod 440 /etc/keytabs/cgi/$USER /etc/keytabs/mailfilter/$USER
-# FIXME: rsync keytabs to mire?
+# rsync keytabs to mire
+rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER
 #
 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
 #
 # HOME VOLUME
-vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
+vos examine user.$USER 2>/dev/null || \
+ vos create deleuze.hcoop.net /vicepa user.$USER -maxquota 400000
 mkdir -p `dirname $HOMEPATH`
-fs mkm $HOMEPATH user.$USER
+fs ls $HOMEPATH || fs mkm $HOMEPATH user.$USER
 chown $USER $HOMEPATH
 fs sa $HOMEPATH $USER all
 fs sa $HOMEPATH system:anyuser rl
@@ -161,11 +162,18 @@ fs sa $HOMEPATH system:anyuser rl
 mkdir -p $HOMEPATH/logs/apache
 fs sa $HOMEPATH/logs/apache $USER.cgi rlwidk
+# public_html
+mkdir -p $HOMEPATH/public_html/
+fs sa $HOMEPATH/public_html system:anyuser rl
+mkdir -p $HOMEPATH/.procmail.d/
+fs sa $HOMEPATH/.procmail.d/ system:anyuser rl
+
 # MAIL VOLUME
-vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
+vos examine mail.$USER 2>/dev/null || \
+ vos create deleuze.hcoop.net /vicepa mail.$USER -maxquota 400000
 mkdir -p `dirname $MAILPATH`
-fs mkm $MAILPATH mail.$USER
-fs mkm $HOMEPATH/Maildir mail.$USER
+fs ls $MAILPATH || fs mkm $MAILPATH mail.$USER
+fs ls $HOMEPATH/Maildir || fs mkm $HOMEPATH/Maildir mail.$USER
 fs sa $MAILPATH $USER all
 fs sa $MAILPATH $USER.mailfilter all
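Review bot: The new `rsync -e ssh -a /etc/keytabs/cgi/$USER mire.hcoop.net:/etc/keytabs/cgi/$USER` copies only the cgi keytab, although the FIXME it replaces and the new comment both say keytabs (plural); if the mailfilter keytab is meant to stay local, the comment should say so. Unless the ssh session lands as root on mire, `-a` cannot reproduce the `www-data:wheel` ownership set locally in the line shown in the hunk header, so the remote copy ends up owned by the invoking admin with mode 440 and the cgi service on mire cannot read it; the header comment only requires wheel membership on mire. Either run the remote side with the needed privilege or follow the copy with an ownership fix and a status check, e.g. `ssh mire.hcoop.net sudo chown www-data:wheel /etc/keytabs/cgi/$USER || exit 1`, and quote `$USER` in both paths.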
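Review bot: `fs sa $HOMEPATH/.procmail.d/ system:anyuser rl` makes every user's procmail recipes listable and readable by any AFS client, including unauthenticated ones, which is broader than mail delivery needs and exposes whatever users keep in their filters (forwarding addresses, scoring rules, sometimes credentials). The delivery side already has its own identity — `$USER.mailfilter` receives `all` on `$MAILPATH` at the end of this hunk — so the narrower grant `fs sa $HOMEPATH/.procmail.d $USER.mailfilter rl` looks sufficient; confirm against the exim path that uses the mailfilter keytab. The `# public_html` heading now also covers the two .procmail.d lines; a separate comment naming who must read that directory would document the decision.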
@@ -201,16 +209,23 @@ fs sa -dir $MYSQLDIR -acl system:mysql write
 mkdir -p `dirname /afs/hcoop.net/old/user/$PATHBITS`
 mkdir -p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
-fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
-fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+fs ls /afs/hcoop.net/old/user/$PATHBITS || \
+ fs mkm /afs/hcoop.net/old/user/$PATHBITS user.$USER.backup
+fs ls /afs/hcoop.net/old/mail/$PATHBITS || \
+ fs mkm /afs/hcoop.net/old/mail/$PATHBITS mail.$USER.backup
+# technically this might not be necessary, but for good measure...
 vos syncserv deleuze
 vos syncvldb deleuze
-fs checkvolumes
-
- #
- # Finally, set password for main user's principal
- # Aborting this operation is harmless. Just re-invoke cpw.
- #
- sudo kadmin.local -p root/admin -q "cpw $USER@HCOOP.NET"
+# refresh volume location cache (takes ~2hrs otherwise)
+fs checkvolumes
+ssh mire.hcoop.net fs checkvolumes
+
+# Technically this is not idempotent. This is not *too* bad because
+# of the fact that in AFS non-system:administrators users can't change
+# the group/owner of a file anyways. However, users still might want
+# to know which other users created certain files (in, say, a dropbox
+# or something like that). FIMXE.
+chown -R $USER:nogroup $HOMEPATH
+chown -R $USER:nogroup $MAILPATH
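Review bot: Removing the `cpw $USER@HCOOP.NET` step leaves the user principal, created with `-randkey` earlier in the file, with no usable password unless that is now set somewhere else; if it is, the context comment near the `ank` lines that promises "we'll invoke cpw later" is stale and should say where, and if it is not, this is a regression rather than a cleanup. The new `ssh mire.hcoop.net fs checkvolumes` and the two `chown -R` lines run with no status check, so a failed remote refresh or a partial chown over the volumes goes unnoticed; `ssh mire.hcoop.net fs checkvolumes || echo "warning: checkvolumes on mire failed" >&2` would at least make it visible. The comment above the chowns spells FIXME as `FIMXE`.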