How To Add Users » History » Version 1
Joseph Foley, 2015-09-05 02:51
h1. How To Add Users to the Kerberos/AFS Servers

The steps in this guide should work on any machine with properly set up Kerberos and AFS clients: [[AFS_Clients]]

It is also possible to ssh in to gryla.dev.objid.net and do everything there.


h2. Add a Kerberos principal for the new user

* guide: http://techpubs.spinlocksolutions.com/dklar/kerberos.html#krb-adduser-ticket

# use the kerberos administration tool (for the admin password see [[Kerberos]]):
<pre>
$ kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@DEV.RU.IS:
kadmin:
</pre>
# add the new user principal; the "user" policy applies the password rules, and addprinc prompts for the user's initial password <pre>addprinc -policy user <USERNAME></pre>
# log off <pre>quit</pre>

h2. Use the newuser-batch.sh script

In the devnet project under Machines/AFSCELL1 there is a script called newuser-batch.sh. It takes care of most of the AFS creation operations below.
It still needs some work to be robust.

h2. Add user to AFS and create a home directory

* guide: http://techpubs.spinlocksolutions.com/dklar/afs.html#afs-install-client

# get AFS admin privileges (see [[Kerberos]] for the admin password): <pre>$ kinit root/admin; aklog</pre>
# check that you have the token:
<pre>
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@dev.ru.is [Expires Mar 31 01:16]
--End of list--
</pre>
# create the AFS user (*use the same user id as the Kerberos principal!* aklog maps the principal name to the pts entry, so the names must match)
<pre>$ pts createuser <USERNAME></pre>
# create a volume for the user on file server gryla.dev.objid.net, partition a (20000 is the quota in kilobyte blocks)
<pre>$ vos create gryla.dev.objid.net a user.<USERNAME> 20000</pre>
# check with
<pre>$ vos examine user.<USERNAME></pre>
# mount the volume at the proper location
** we use the hashed schema <DIR>=<FIRSTLETTER>/<FIRSTLETTER><SECONDLETTER>, where <FIRSTLETTER> and <SECONDLETTER> are the first and second letter of the user id
<pre>
$ cd /afs/dev.ru.is/user
$ mkdir -p <DIR>
$ fs mkm <DIR>/<USERNAME> user.<USERNAME> -rw
</pre>
# set permissions to give the user full access (all = rlidwka)
<pre>
$ fs sa <DIR>/<USERNAME> <USERNAME> all
</pre>
# check the permissions; the user and system:administrators should be the only entries
<pre>
$ fs la <DIR>/<USERNAME>
Access list for <DIR>/<USERNAME> is
Normal rights:
  system:administrators rlidwka
  <USERNAME> rlidwka
</pre>
# check that it works: drop the admin token and ticket, switch to <USERNAME> and try to create and read a file
<pre>
$ unlog; kdestroy
$ kinit <USERNAME>; aklog
Password for <USERNAME>@DEV.RU.IS:
$ cd /afs/dev.ru.is/user/<DIR>/<USERNAME>
$ echo IT WORKS > test
$ cat test
IT WORKS
$ rm test
</pre>
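The whole procedure (Kerberos principal, pts entry, volume, mount point and ACL) as one script, added here as an illustration; it is not the project's newuser-batch.sh, which this page does not reproduce. It assumes the cell dev.ru.is, the file server gryla.dev.objid.net, partition a and the 20000 kB quota from the steps above, and that you already hold the root/admin ticket and token (kinit root/admin; aklog). The function names (run, validate_username, hashed_dir, newuser) and the DRY_RUN, CELL, FILESERVER, PARTITION and QUOTA_KB variables are this example's own. It adds two things the manual steps lack: a username check before the name is spliced into the kadmin query, the volume name and the path, and a dry run that prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example, not the project's newuser-batch.sh: one script for the steps
# above. Run it after "kinit root/admin; aklog"; run "unlog; kdestroy" afterwards.
# Cell, file server, partition and quota are taken from this page; override
# them in the environment if the cell changes.
set -e

CELL=${CELL:-dev.ru.is}
FILESERVER=${FILESERVER:-gryla.dev.objid.net}
PARTITION=${PARTITION:-a}
QUOTA_KB=${QUOTA_KB:-20000}
DRY_RUN=${DRY_RUN:-0}     # DRY_RUN=1 prints the commands instead of running them

# Execute a command, or only print it in dry-run mode, so the plan can be
# reviewed before anything touches the KDC or the cell.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Accept only plain lowercase names (a letter first, then letters, digits, _ or -).
# The name is spliced into a kadmin query, a volume name and a path, so anything
# else is rejected before it reaches those commands. OpenAFS volume names are
# limited to 22 characters and the "user." prefix takes five of them.
validate_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 17 ]
}

# Hashed home layout used on this page: <first>/<first><second>, e.g. jfoley -> j/jf
hashed_dir() {
    first=${1%"${1#?}"}         # first character
    rest=${1#?}
    second=${rest%"${rest#?}"}  # second character (empty for one-letter names)
    printf '%s/%s%s\n' "$first" "$first" "$second"
}

# Create one user: Kerberos principal, pts entry, volume, mount point, ACL.
# set -e stops at the first failing command, so nothing later runs on a
# half-created user.
newuser() {
    user=$1
    validate_username "$user" || { echo "newuser: bad username '$user'" >&2; return 1; }
    dir=$(hashed_dir "$user")
    home=/afs/$CELL/user/$dir/$user

    # Kerberos: kadmin prompts for the root/admin password and for the new
    # user's initial password, exactly as in the interactive steps.
    run kadmin -p root/admin -q "addprinc -policy user $user"

    # AFS identity; the name must equal the principal name so aklog finds it.
    run pts createuser "$user"

    # Home volume, hashed mount point and an ACL giving the user all rights.
    run vos create "$FILESERVER" "$PARTITION" "user.$user" "$QUOTA_KB"
    run mkdir -p "/afs/$CELL/user/$dir"
    run fs mkmount "$home" "user.$user" -rw
    run fs setacl "$home" "$user" all

    # Leave the operator the same checks the page asks for.
    run vos examine "user.$user"
    run fs listacl "$home"
}

# Usage: [DRY_RUN=1] ./newuser.sh <username> [<username> ...]
for u in "$@"; do
    newuser "$u"
done
```

Run DRY_RUN=1 ./newuser.sh jfoley first and compare the printed commands with the steps above, then run it without DRY_RUN; kadmin still prompts for the root/admin password and for the new user's initial password. Because the script stops at the first failing command, a failure after addprinc leaves a principal without a pts entry or volume; remove that state by hand (delprinc in kadmin, pts deleteuser, vos remove as far as it got) before running it again, and finish with unlog; kdestroy as in the last step.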