5 # - as a user with an /etc/sudoers line
6 # - member of "wheel" unix group on deleuze
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - and is a member of "wheel" on mire
9 # - while holding tokens for a user who is:
10 # - a member of system:administrator
11 # - listed in 'bos listusers deleuze'
12 # - and who has been set up with Domtool admin privileges by:
13 # - running 'domtool-adduser $USER' while holding AFS admin tokens as
14 # someone who is already a Domtool admin
15 # - running 'domtool-admin grant $USER priv all' as someone who is already a
17 # (To bootstrap yourself into admindom:
18 # 1. Run '/etc/init.d/domtool-server stop' on deleuze.
19 # 2. Run '/etc/init.d/domtool-slave stop' on all Domtool slave machines
21 # 3. Edit ~domtool/acl, following the example of adamc_admin to grant
22 # yourself 'priv all'.
23 # 4. Run '/etc/init.d/domtool-server start' on deleuze.
24 # 5. Run '/etc/init.d/domtool-slave start' on all Domtool slave
26 # 6. Run 'domtool-adduser' as above.)
30 export PATH
=$PATH:/afs
/hcoop.net
/common
/bin
/
32 if test -z "$USER"; then
33 echo "Invoke as create-user <USERNAME>"
41 # Run a command on both mire and deleuze; assumes that no escaping is
43 function mire_and_deleuze
() {
50 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
53 # We use -randkey for user's main principal as well, to make sure that
54 # the creation process does not continue without having a main
55 # principal. (But you who want to set password for a user, don't
56 # worry - we'll invoke cpw later, so that it has the same effect
57 # as setting password right now - while it is more error tolerant).
59 sudo kadmin.
local -p root
/admin
-q "ank -policy user -randkey +requires_preauth $USER@HCOOP.NET"
60 sudo kadmin.
local -p root
/admin
-q "modprinc -maxlife 1day $USER@HCOOP.NET"
61 sudo kadmin.
local -p root
/admin
-q "ank -policy daemon -randkey +requires_preauth $USER/daemon@HCOOP.NET"
64 # Create AFS users corresponding to krb5 principals.
65 # (fred/cgi principal == fred.cgi AFS user)
69 ID
=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
70 pts cu
$USER.daemon || true
71 ID_DAEMON
=`pts examine $USER.daemon | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
75 # Construct various paths for later perusal.
78 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
79 PATHBITS
=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
80 HOMEPATH
=/afs
/hcoop.net
/user
/$PATHBITS
81 MAILPATH
=/afs
/hcoop.net
/common
/email
/$PATHBITS
82 DBPATH
=/afs
/hcoop.net
/common
/.databases
/$PATHBITS
83 PGDIR
=$DBPATH/postgres
84 MYSQLDIR
=$DBPATH/mysql
88 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
89 # lost the idea of what I want to do with LDAP, but we'll
90 # see with time how well it integrates...)
91 # The ID returned from AFS is important here, we want to make
92 # sure those IDs match.
97 dn: uid=$USER,ou=People,dc=hcoop,dc=net
100 objectClass: posixAccount
108 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
110 objectClass: posixGroup
114 " | sudo ldapadd
-x -D cn
=admin
,dc=hcoop
,dc=net
-y /etc
/ldap.secret || true
118 dn: uid=$USER.daemon,ou=People,dc=hcoop,dc=net
121 objectClass: posixAccount
124 gidNumber: $ID_DAEMON
127 dn: cn=$USER.daemon,ou=Group,dc=hcoop,dc=net
129 objectClass: posixGroup
131 gidNumber: $ID_DAEMON
132 memberUid: $USER.daemon
133 " | sudo ldapadd
-x -D cn
=admin
,dc=hcoop
,dc=net
-y /etc
/ldap.secret || true
137 # Export .mailfilter and .cgi keys to a keytab file
140 # create a daemon keytab (used by /etc/exim4/get-token)
141 # *only* if it does not exist!
142 test -e /etc
/keytabs
/user.daemon
/$USER || \
143 sudo kadmin.
local -p root
/admin
-q "ktadd -k /etc/keytabs/user.daemon/$USER $USER/daemon@HCOOP.NET"
145 # Properly chown/mod keytab files (must be $USER:www-data)
146 sudo chown
$USER:www-data
/etc
/keytabs
/user.daemon
/$USER
147 sudo
chmod 440 /etc
/keytabs
/user.daemon
/$USER
149 # rsync keytabs to mire
151 sudo
tar clpf
- user.daemon
/$USER | \
152 ssh mire.hcoop.net
cd /etc
/keytabs\
; sudo
tar xlpf
-)
155 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
159 vos examine user.
$USER 2>/dev
/null || \
160 vos create deleuze.hcoop.net
/vicepa user.
$USER -maxquota 400000
161 mkdir
-p `dirname $HOMEPATH`
162 fs
ls $HOMEPATH ||
test -L $HOMEPATH || fs mkm
$HOMEPATH user.
$USER
163 chown
$USER:nogroup
$HOMEPATH
164 fs sa
$HOMEPATH $USER all
165 fs sa
$HOMEPATH system
:anyuser l
168 mkdir
-p $HOMEPATH/.logs
169 chown
$USER:nogroup
$HOMEPATH/.logs
170 mkdir
-p $HOMEPATH/.logs
/apache
171 chown
$USER:nogroup
$HOMEPATH/.logs
/apache
172 fs sa
$HOMEPATH/.logs
/apache
$USER.daemon rlwidk
173 mkdir
-p $HOMEPATH/.logs
/mail
174 fs sa
$HOMEPATH/.logs
/mail $USER.daemon rlwidk
175 chown
$USER:nogroup
$HOMEPATH/.logs
/mail
178 mkdir
-p $HOMEPATH/public_html
179 chown
$USER:nogroup
$HOMEPATH/public_html
180 fs sa
$HOMEPATH/public_html system
:anyuser rl
183 mkdir
-p $HOMEPATH/.procmail.d
184 chown
$USER:nogroup
$HOMEPATH/.procmail.d
185 fs sa
$HOMEPATH/.procmail.d system
:anyuser rl
188 mkdir
-p $HOMEPATH/.public
/
189 chown
$USER:nogroup
$HOMEPATH/.public
190 fs sa
$HOMEPATH/.public system
:anyuser rl
193 mkdir
-p $HOMEPATH/.public
/.domtool
194 chown
$USER:nogroup
$HOMEPATH/.public
/.domtool
195 test -e $HOMEPATH/.domtool || \
196 test -L $HOMEPATH/.domtool || \
197 ln -s $HOMEPATH/.public
/.domtool
$HOMEPATH/.domtool
200 vos examine
mail.
$USER 2>/dev
/null || \
201 vos create deleuze.hcoop.net
/vicepa
mail.
$USER -maxquota 400000
202 mkdir
-p `dirname $MAILPATH`
203 fs
ls $MAILPATH || fs mkm
$MAILPATH mail.
$USER
204 fs
ls $HOMEPATH/Maildir || fs mkm
$HOMEPATH/Maildir
mail.
$USER
205 chown
$USER:nogroup
$MAILPATH
206 chown
$USER:nogroup
$HOMEPATH/Maildir
207 fs sa
$MAILPATH $USER all
208 fs sa
$MAILPATH $USER.daemon all
210 # Set up shared SpamAssassin folder
211 if test -f $HOMEPATH/Maildir
/shared-maildirs
; then
212 # Deal with case where user rsync'd their Maildir from fyodor
213 pattern
='^SpamAssassin /home/spamd'
214 file=$HOMEPATH/Maildir
/shared-maildirs
215 if grep $pattern $file; then
217 's!^(SpamAssassin )/home/spamd!\1/var/local/lib/spamd!1' \
221 # This does not yet seem to be needed, and it triggers an AFS issue,
222 # so I've commented it out --mwolson.
225 # for dir in $HOMEPATH/Maildir/shared-folders/SpamAssassin/*; do
226 # if ! test -d $dir; then
229 # dest=/var/local/lib/spamd/Maildir/.$(basename $dir)
230 # if test "$(readlink $dir/shared)" != "$dest"; then
231 # ln -sf $dest $dir/shared
235 # if test $NOTIFY = yes; then
236 # # This is probably going overboard, but oh well
237 # echo "$USER needs assistance on their shared spam dir" | \
238 # pagsh -c mail -s "[create-user] $USER needs assistance" \
239 # -e -a "From: admins@deleuze.hcoop.net" mwolson_admin
243 maildirmake
--add SpamAssassin
=/var
/local
/lib
/spamd
/Maildir \
248 if ! vos examine db.
$USER >/dev
/null
2>/dev
/null
; then
249 mkdir
-p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
250 vos create
-server afs
-partition a
-name db.
$USER -maxquota 400000
251 fs mkmount
-dir /afs
/.hcoop.net
/common
/.databases
/$PATHBITS -vol db.
$USER -rw
252 vos release common.databases
253 fs sa
-dir $DBPATH -acl system
:postgres l
254 fs sa
-dir $DBPATH -acl system
:mysql l
255 fs sa
-dir $DBPATH -acl system
:backup rl
258 # Create postgres user and tablespace placeholder within volume
259 if ! test -d $PGDIR; then
261 chown postgres
:postgres
$PGDIR
262 fs sa
-dir $PGDIR -acl system
:postgres
write
264 sudo
-u postgres psql
-c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
267 # Create mysql user and databases placeholder within volume
269 chown mysql
:mysql
$MYSQLDIR
270 fs sa
-dir $MYSQLDIR -acl system
:mysql
write
274 # Mount points for backup volumes
277 mkdir
-p `dirname /afs/hcoop.net/.old/user/$PATHBITS`
278 mkdir
-p `dirname /afs/hcoop.net/.old/mail/$PATHBITS`
279 fs
ls /afs
/hcoop.net
/.old
/user
/$PATHBITS || \
280 fs mkm
/afs
/hcoop.net
/.old
/user
/$PATHBITS user.
$USER.backup
281 fs
ls /afs
/hcoop.net
/.old
/mail
/$PATHBITS || \
282 fs mkm
/afs
/hcoop.net
/.old
/mail
/$PATHBITS mail.
$USER.backup
285 # technically this might not be necessary, but for good measure...
289 # refresh volume location cache (takes ~2hrs otherwise)
290 mire_and_deleuze fs checkvolumes
293 # Non-AFS files and directories
296 # Make per-user apache DAV lock directory -- the directory must be
297 # both user and group-writable, which is silly.
298 mire_and_deleuze sudo mkdir
-p /var
/lock
/apache
2/dav
/$USER
299 mire_and_deleuze sudo chown
$USER:www-data
/var
/lock
/apache
2/dav
/$USER
300 mire_and_deleuze sudo
chmod ug
=rwx
,o
= /var
/lock
/apache
2/dav
/$USER
303 # Domtool integration
306 domtool-adduser
$USER