[hcoop/debian/libnss-afs.git] / README


#
#  Below is the README from libnss-ptdb, from which libnss-afs
#  was derived.  For more up-to-date information, please see
#
#   http://www.hcoop.net/~megacz/software/libnss-afs.html
#


|NSS Module for AFS
+------------------

What is it?
-----------

This package will let your applications use the AFS-Protection-Database
(PTDB) as a unix user-database. It consists of 2 binary parts:

1. The ptdbnssd, a daemon that clients may connect to by
   udp://localhost:6998 to find out the UID for a usename or vice versa
2. The 'ptdb'-nss-module (libnss-ptdb) that will connect to ptdbnssd,
   whenever it needs to lookup a username or a UID.

libnss-ptdb will provide user homedirectories which are determined using
one of 2 methods (see below). Further more it provides a login shell
which is determined using one of 3 methods.

As a bonus, this package provides a group-nss-plugin, assigning descriptive
names to PAG-groups (i.e. "AfsPag-1121" ).

My main intention for writing this module was to provide a really simple
way of providing user accoung information to AFS-client machines. I wanted
to avoid using ldap withing the Instantafs-Project.
Visit http://instantafs.cbs.mpg.de for more information about InstantAFS.

What about the homedirectories and login shells?
------------------------------------------------

Homedirectories are determined by the nss-plugin but the configuration is done
by ptdbnssd. ptdbnssd accepts the parameters '-H' and '-S' to select a
method of determining homedirectories/login shells. Whenever a nss-plugin does
a lookup (either by uid or by name) ptdbnssd sends the current configuration
(basically: what you defined as -H and -S parameters) to the nss-plugin.
The Plugin then calculates the homedirectory and login shell on its own.

The advantage of that concept is that filesystem-accesses are always done by
user programs, not locking ptdbnssd for other lookups. On the other hand,
it's possible to change the homedir/loginshell-policy by restarting ptdbnssd
host wide instantaniously.

When using debian, just edit /etc/default/ptdbnssd to change the policy.

What do I have to do to get it working?
---------------------------------------

Set up the AFS-client on your local computer. You must have a file
"/etc/openafs/ThisCell" containing *only* the full name of your
local cell.

You need glibc- and openafs-headers (debian-packages glibc6-dev and
libopenafs-dev).

Type that:

# make
# make install

Run the deamon (consider running it as an unprivileged user):

$ /usr/bin/ptdbnssd

Use /usr/lib/libnss-ptdb/nsstest to check, if ptdbnssd and the nss-module
are working correctly. If not, /usr/lib/libnss-ptdb/cstest helps you
to find out, if it's the deamon's fault.

Modify /etc/nsswitch.conf , you need to rewrite the "passwd"- and the group-line:

passwd: files ptdb
group: pag files

Now use 'ls -l /afs/some/directory' to see, if it's working.

Note: 'pag' should be the first group-plugin. The group name of PAG-groups is
      calculated from their gid which is faster than i.e. a /etc/group-lookup.

Debugging
---------

After building the package there are two additional binaries:
   * cstest - Tries to resolve ID or username given at cmdline
              by calling ptdbnssd directly
   * nsstest - Tries to resolve ID or username given at cmdline
               by using nss (libc name resolution).

Last words
----------

The code was heavily "inspired" by Todd M. Lewis' (*) nss_pts_0.2 - Thank
you very much, Todd :-) .

(*) can be found @ http://www.unc.edu/~utoddl

If you have any questions, suggestions, patches, ... feel free to send me
an eMail.

Everything contained in this package is released under the terms of the
GNU Lesser General Public License (see COPYING).

Good luck,

 -- Frank Burkhardt <burk@cbs.mpg.de>  Fri, 06 Apr 2007 11:45:23 +0200
Commit	Line	Data
03b6b479	1
	2	#
	3	# Below is the README from libnss-ptdb, from which libnss-afs
4d28e947	4	# was derived. For more up-to-date information, please see
	5	#
	6	# http://www.hcoop.net/~megacz/software/libnss-afs.html
03b6b479	7	#
	8
	9
	10	\|NSS Module for AFS
	11	+------------------
	12
	13	What is it?
	14	-----------
	15
	16	This package will let your applications use the AFS-Protection-Database
	17	(PTDB) as a unix user-database. It consists of 2 binary parts:
	18
	19	1. The ptdbnssd, a daemon that clients may connect to by
	20	udp://localhost:6998 to find out the UID for a usename or vice versa
	21	2. The 'ptdb'-nss-module (libnss-ptdb) that will connect to ptdbnssd,
	22	whenever it needs to lookup a username or a UID.
	23
	24	libnss-ptdb will provide user homedirectories which are determined using
	25	one of 2 methods (see below). Further more it provides a login shell
	26	which is determined using one of 3 methods.
	27
	28	As a bonus, this package provides a group-nss-plugin, assigning descriptive
	29	names to PAG-groups (i.e. "AfsPag-1121" ).
	30
	31	My main intention for writing this module was to provide a really simple
	32	way of providing user accoung information to AFS-client machines. I wanted
	33	to avoid using ldap withing the Instantafs-Project.
	34	Visit http://instantafs.cbs.mpg.de for more information about InstantAFS.
	35
	36	What about the homedirectories and login shells?
	37	------------------------------------------------
	38
	39	Homedirectories are determined by the nss-plugin but the configuration is done
	40	by ptdbnssd. ptdbnssd accepts the parameters '-H' and '-S' to select a
	41	method of determining homedirectories/login shells. Whenever a nss-plugin does
	42	a lookup (either by uid or by name) ptdbnssd sends the current configuration
	43	(basically: what you defined as -H and -S parameters) to the nss-plugin.
	44	The Plugin then calculates the homedirectory and login shell on its own.
	45
	46	The advantage of that concept is that filesystem-accesses are always done by
	47	user programs, not locking ptdbnssd for other lookups. On the other hand,
	48	it's possible to change the homedir/loginshell-policy by restarting ptdbnssd
	49	host wide instantaniously.
	50
	51	When using debian, just edit /etc/default/ptdbnssd to change the policy.
	52
	53	What do I have to do to get it working?
	54	---------------------------------------
	55
	56	Set up the AFS-client on your local computer. You must have a file
	57	"/etc/openafs/ThisCell" containing only the full name of your
	58	local cell.
	59
	60	You need glibc- and openafs-headers (debian-packages glibc6-dev and
	61	libopenafs-dev).
	62
	63	Type that:
	64
	65	# make
	66	# make install
	67
	68	Run the deamon (consider running it as an unprivileged user):
	69
	70	$ /usr/bin/ptdbnssd
71
72	Use /usr/lib/libnss-ptdb/nsstest to check, if ptdbnssd and the nss-module
73	are working correctly. If not, /usr/lib/libnss-ptdb/cstest helps you
74	to find out, if it's the deamon's fault.
75
76	Modify /etc/nsswitch.conf , you need to rewrite the "passwd"- and the group-line:
77
78	passwd: files ptdb
79	group: pag files
80
81	Now use 'ls -l /afs/some/directory' to see, if it's working.
82
83	Note: 'pag' should be the first group-plugin. The group name of PAG-groups is
84	calculated from their gid which is faster than i.e. a /etc/group-lookup.
85
86	Debugging
87	---------
88
89	After building the package there are two additional binaries:
90	* cstest - Tries to resolve ID or username given at cmdline
91	by calling ptdbnssd directly
92	* nsstest - Tries to resolve ID or username given at cmdline
93	by using nss (libc name resolution).
94
95	Last words
96	----------
97
98	The code was heavily "inspired" by Todd M. Lewis' (*) nss_pts_0.2 - Thank
99	you very much, Todd :-) .
100
101	(*) can be found @ http://www.unc.edu/~utoddl
102
103	If you have any questions, suggestions, patches, ... feel free to send me
104	an eMail.
105
106	Everything contained in this package is released under the terms of the
107	GNU Lesser General Public License (see COPYING).
108
109	Good luck,
110
111	-- Frank Burkhardt <burk@cbs.mpg.de> Fri, 06 Apr 2007 11:45:23 +0200