5 # - as a user with an /etc/sudoers line
6 # - member of wheel unix group
7 # - while holding tickets for a user who can 'ssh -K' to mire
8 # - while holding tokens for a user who is:
9 # - a member of system:administrator
10 # - listed in 'bos listusers deleuze'
14 if test -z "$USER"; then
15 echo "Invoke as create-user <USERNAME>"
22 # (creat kerberos principals: fred, fred/cgi, fred/mailfilter)
25 # We use -randkey for user's main principal as well, to make sure that
26 # the creation process does not continue without having a main
27 # principal. (But you who want to set password for a user, don't
28 # worry - we'll invoke cpw later, so that it has the same effect
29 # as setting password right now - while it is more error tolerant).
31 sudo kadmin.
local -p root
/admin
-q "ank -policy user -randkey $USER@HCOOP.NET"
32 sudo kadmin.
local -p root
/admin
-q "ank -policy mailfilter -randkey $USER/mailfilter@HCOOP.NET"
33 sudo kadmin.
local -p root
/admin
-q "ank -policy cgi -randkey $USER/cgi@HCOOP.NET"
37 # Create AFS users corresponding to krb5 principals.
38 # (fred/cgi principal == fred.cgi AFS user)
42 ID
=`pts examine $USER | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
43 pts cu
$USER.mailfilter
$ID_MF || true
44 ID_MF
=`pts examine $USER.mailfilter | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
45 pts cu
$USER.cgi || true
46 ID_CGI
=`pts examine $USER.cgi | head -n1 | sed 's_.*, id: *__' | sed 's_,.*__'`
50 # Construct various paths for later perusal.
53 # (If it's not clear, for user fred, PATHBITS = f/fr/fred)
54 PATHBITS
=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
55 HOMEPATH
=/afs
/hcoop.net
/user
/$PATHBITS
56 MAILPATH
=/afs
/hcoop.net
/common
/email
/$PATHBITS
57 DBPATH
=/afs
/hcoop.net
/common
/databases
/$PATHBITS
58 PGDIR
=$DBPATH/postgres
59 MYSQLDIR
=$DBPATH/mysql
63 # Create LDAP entries. (With the whole libnss-ptdb, I kind of
64 # lost the idea of what I want to do with LDAP, but we'll
65 # see with time how well it integrates...)
66 # The ID returned from AFS is important here, we want to make
67 # sure those IDs match.
72 dn: uid=$USER,ou=People,dc=hcoop,dc=net
75 objectClass: posixAccount
79 homeDirectory: $HOMEPATH
84 dn: cn=$USER,ou=Group,dc=hcoop,dc=net
86 objectClass: posixGroup
90 " | sudo ldapadd
-x -D cn
=admin
,dc=hcoop
,dc=net
-y /etc
/ldap.secret || true
92 # USER.mailfilter entry
94 dn: uid=$USER.mailfilter,ou=People,dc=hcoop,dc=net
97 objectClass: posixAccount
101 homeDirectory: $HOMEPATH
104 dn: cn=$USER.mailfilter,ou=Group,dc=hcoop,dc=net
106 objectClass: posixGroup
109 memberUid: $USER.mailfilter
110 " | sudo ldapadd
-x -D cn
=admin
,dc=hcoop
,dc=net
-y /etc
/ldap.secret || true
114 dn: uid=$USER.cgi,ou=People,dc=hcoop,dc=net
117 objectClass: posixAccount
121 homeDirectory: $HOMEPATH
124 dn: cn=$USER.cgi,ou=Group,dc=hcoop,dc=net
126 objectClass: posixGroup
130 " | sudo ldapadd
-x -D cn
=admin
,dc=hcoop
,dc=net
-y /etc
/ldap.secret || true
134 # Export .mailfilter and .cgi keys to a keytab file
137 # create a mailfilter keytab (used by /etc/exim4/get-token)
138 sudo kadmin.
local -p root
/admin
-q "ktadd -k /etc/keytabs/mailfilter/$USER $USER/mailfilter@HCOOP.NET"
140 # create a cgi keytab
141 sudo kadmin.
local -p root
/admin
-q "ktadd -k /etc/keytabs/cgi/$USER $USER/cgi@HCOOP.NET"
143 # Properly chown/mod keytab files (www-data must own the cgi keytab)
144 sudo chown www-data
:wheel
/etc
/keytabs
/cgi
/$USER
145 sudo chown
$USER:wheel
/etc
/keytabs
/mailfilter
/$USER
146 sudo
chmod 440 /etc
/keytabs
/cgi
/$USER /etc
/keytabs
/mailfilter
/$USER
148 # rsync keytabs to mire
149 rsync
-e ssh -a /etc
/keytabs
/cgi
/$USER mire.hcoop.net
:/etc
/keytabs
/cgi
/$USER
152 # Create/mount/set-perms on user's volumes (home, mail, databases, logs)
156 vos examine user.
$USER 2>/dev
/null || \
157 vos create deleuze.hcoop.net
/vicepa user.
$USER -maxquota 400000
158 mkdir
-p `dirname $HOMEPATH`
159 fs
ls $HOMEPATH || fs mkm
$HOMEPATH user.
$USER
160 chown
$USER $HOMEPATH
161 fs sa
$HOMEPATH $USER all
162 fs sa
$HOMEPATH system
:anyuser rl
165 mkdir
-p $HOMEPATH/logs
/apache
166 fs sa
$HOMEPATH/logs
/apache
$USER.cgi rlwidk
169 mkdir
-p $HOMEPATH/public_html
/
170 fs sa
$HOMEPATH/public_html system
:anyuser rl
171 mkdir
-p $HOMEPATH/.procmail.d
/
172 fs sa
$HOMEPATH/.procmail.d
/ system
:anyuser rl
175 vos examine
mail.
$USER 2>/dev
/null || \
176 vos create deleuze.hcoop.net
/vicepa
mail.
$USER -maxquota 400000
177 mkdir
-p `dirname $MAILPATH`
178 fs
ls $MAILPATH || fs mkm
$MAILPATH mail.
$USER
179 fs
ls $HOMEPATH/Maildir || fs mkm
$HOMEPATH/Maildir
mail.
$USER
180 fs sa
$MAILPATH $USER all
181 fs sa
$MAILPATH $USER.mailfilter all
184 if ! vos examine db.
$USER >/dev
/null
2>/dev
/null
; then
185 mkdir
-p `dirname /afs/.hcoop.net/common/.databases/$PATHBITS`
186 vos create
-server afs
-partition a
-name db.
$USER -maxquota 400000
187 fs mkmount
-dir /afs
/.hcoop.net
/common
/.databases
/$PATHBITS -vol db.
$USER -rw
188 vos release common.databases
189 fs sa
-dir $DBPATH -acl system
:postgres l
190 fs sa
-dir $DBPATH -acl system
:mysql l
191 fs sa
-dir $DBPATH -acl system
:backup rl
194 # Create postgres user and tablespace placeholder within volume
195 if ! [ -d $PGDIR ]; then
197 chown postgres
:postgres
$PGDIR
198 fs sa
-dir $PGDIR -acl system
:postgres
write
200 sudo
-u postgres psql
-c "CREATE TABLESPACE user_$USER OWNER postgres LOCATION '$PGDIR'" template1
203 # Create mysql user and databases placeholder within volume
205 chown mysql
:mysql
$MYSQLDIR
206 fs sa
-dir $MYSQLDIR -acl system
:mysql
write
210 # Mount points for backup volumes
213 mkdir
-p `dirname /afs/hcoop.net/old/user/$PATHBITS`
214 mkdir
-p `dirname /afs/hcoop.net/old/mail/$PATHBITS`
215 fs
ls /afs
/hcoop.net
/old
/user
/$PATHBITS || \
216 fs mkm
/afs
/hcoop.net
/old
/user
/$PATHBITS user.
$USER.backup
217 fs
ls /afs
/hcoop.net
/old
/mail
/$PATHBITS || \
218 fs mkm
/afs
/hcoop.net
/old
/mail
/$PATHBITS mail.
$USER.backup
220 # technically this might not be necessary, but for good measure...
224 # refresh volume location cache (takes ~2hrs otherwise)
226 ssh mire.hcoop.net fs checkvolumes
229 # Finally, set password for main user's principal
230 # Aborting this operation is harmless. Just re-invoke cpw.
232 # kadmin.local doesn't report errors properly, so we have to
235 sudo
rm -f /tmp
/kadmin.out
236 sudo kadmin.
local -p root
/admin
-q "cpw $USER@HCOOP.NET" \
237 2>&1 |
tee /tmp
/kadmin.out
238 cat /tmp
/kadmin.out |
grep 'Password for .* changed'
239 sudo
rm -f /tmp
/kadmin.out