How To Add Users to the Kerberos/AFS Servers

The steps in this guide should work on any machine with properly set up Kerberos and AFS clients: AFS_Clients
It is also possible to log in to gryla.dev.objid.net with ssh and do everything there.

Add a Kerberos principal for the new user

  1. use the Kerberos administration tool (for the admin password see Kerberos):
    $ kadmin -p root/admin
    Authenticating as principal root/admin with password.
    Password for root/admin@DEV.RU.IS: 
    kadmin:
    
  2. add the new user principal
    addprinc -policy user <USERNAME>
  3. quit kadmin
    quit

Use the newuser-batch.sh script

In the devnet project under Machines/AFSCELL1 there is a script called newuser-batch.sh that takes care of most of the AFS creation operations.
It still needs some work to be robust.

Add user to AFS and create a home directory

  1. get AFS admin privileges (see Kerberos for the admin password):
    $ kinit root/admin; aklog
  2. check if you have the token:
    $ tokens 
    
    Tokens held by the Cache Manager:
    
    User's (AFS ID 1) tokens for afs@dev.ru.is [Expires Mar 31 01:16]
       --End of list--
    
  3. create AFS user (use the same user id!)
    $ pts createuser <USERNAME>
  4. create a volume for the user (20000 is the quota in kB)
    $ vos create gryla.dev.objid.net a user.<USERNAME> 20000
  5. check the volume
    $ vos examine user.<USERNAME>
  6. mount the volume to a proper location
    • we will use the hashed scheme with <DIR>=<FIRSTLETTER>/<FIRSTLETTER><SECONDLETTER>, where <FIRSTLETTER> and <SECONDLETTER> are the first and second letter of the user id
      $ cd /afs/dev.ru.is/user
      $ mkdir -p <DIR>
      $ fs mkm <DIR>/<USERNAME> user.<USERNAME> -rw
      
  7. set permissions to allow the user full access
    $ fs sa <DIR>/<USERNAME> <USERNAME> all
    
  8. check permissions
    $ fs la <DIR>/<USERNAME>
    Access list for <DIR>/<USERNAME> is
    Normal rights:
      system:administrators rlidwka
      <USERNAME> rlidwka
    
  9. check if it works (switch from admin to <USERNAME> and try to create and read a file)
    $ unlog; kdestroy
    $ kinit <USERNAME>; aklog
    Password for <USERNAME>@DEV.RU.IS: 
    $ cd /afs/dev.ru.is/user/<DIR>/<USERNAME>
    $ echo IT WORKS > test
    $ cat test
    IT WORKS
    $ rm test
    
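The whole procedure above, Kerberos principal and AFS user/volume/mount/ACL, as one script. This is an added example written for this page; it is not the devnet project's newuser-batch.sh. The cell name dev.ru.is, file server gryla.dev.objid.net, partition a and the 20000 kB quota are taken from the steps above; the function names, the DRY_RUN and NEWUSER_RUN variables and the username check are this example's own. The script only prints the commands unless DRY_RUN=0, so it can be read and tested on a machine without AFS; with DRY_RUN=0 it refuses to run without an admin AFS token, and it rejects usernames outside [a-z0-9] (the name ends up in the principal, the volume name and the ACL, and a single-letter name has no second letter for the hashed directory). kadmin's -q flag runs one kadmin command non-interactively (MIT kadmin); it still prompts for the admin password and the new user's password.

```shell
#!/bin/sh
# Added example (not the project's newuser-batch.sh): automates the steps on
# this page for one user. Prints the commands only, unless DRY_RUN=0.
# Values below come from the page; the variable and function names are ours.

CELL="dev.ru.is"
FILESERVER="gryla.dev.objid.net"
PARTITION="a"
QUOTA_KB=20000
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# The username becomes a principal, a volume name and an ACL entry, so allow
# only lowercase letters and digits, and at least two characters (the hashed
# directory scheme from step 6 needs a first and a second letter).
validate_username() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 2 ]
}

# Hashed directory scheme: <FIRSTLETTER>/<FIRSTLETTER><SECONDLETTER>
afs_user_dir() {
    first=$(printf '%s' "$1" | cut -c1)
    two=$(printf '%s' "$1" | cut -c1-2)
    printf '%s/%s\n' "$first" "$two"
}

# Full mount point of the user's home volume
afs_home_path() {
    printf '/afs/%s/user/%s/%s\n' "$CELL" "$(afs_user_dir "$1")" "$1"
}

# Print a command in the page's "$ ..." style; execute it only when DRY_RUN=0
run() {
    printf '$ %s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then
        "$@"
    fi
}

add_afs_user() {
    user="$1"
    if ! validate_username "$user"; then
        echo "invalid username: '$user'" >&2
        return 1
    fi
    dir=$(afs_user_dir "$user")
    home=$(afs_home_path "$user")

    # 'tokens' exits 0 whether or not a token is held, so check its output.
    if [ "$DRY_RUN" = 0 ] && ! tokens | grep -q "tokens for afs@$CELL"; then
        echo "no AFS token; run: kinit root/admin; aklog" >&2
        return 1
    fi

    # Kerberos principal (prompts for the admin and the new user's password)
    run kadmin -p root/admin -q "addprinc -policy user $user"
    # AFS user, volume, mount point and ACL, as in steps 3 to 8
    run pts createuser "$user"
    run vos create "$FILESERVER" "$PARTITION" "user.$user" "$QUOTA_KB"
    run vos examine "user.$user"
    run mkdir -p "/afs/$CELL/user/$dir"
    run fs mkm "$home" "user.$user" -rw
    run fs sa "$home" "$user" all
    run fs la "$home"
}

# Dispatch only when asked, so the file can also be sourced for its functions:
#   NEWUSER_RUN=1 DRY_RUN=0 sh newuser.sh <USERNAME>
if [ "${NEWUSER_RUN:-0}" = 1 ]; then
    add_afs_user "$1"
fi
```

After a real run, step 9 on this page (kinit as the new user, aklog, write and read a file in the home directory) is still the right end-to-end check, since fs la only shows that the ACL was set, not that the user's token actually maps to it.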

Updated by Joseph Foley over 9 years ago · 1 revision