PrincipalsForNonHumans

Creating the basis of an account for a non-human user that provides a shared service is automated through a shell script (UserManagement).

The automated process creates a Kerberos principal with a random key and an AFS home directory for the user. You will need to manually extract the keytab to the appropriate notes, and update any configurations to use the principal as needed.

The process of creating a service key (e.g. postgres/$host.hcoop.net) is not automated. Follow the GSSAPI documentation of the appropriate service.

1. General Service Account

TBD, general processes for generic services accounts that don't need to do things like serve websites

2. System Service Account

TBD: process for things like postgresql, ssh, ... that use a traditional MitKerberos service/$host principal to allow GSSAPI auth

3. Web Service Account

TBD: process for accounts that will run cgis, usually controlled by the hcoop user via domtool, and that can never log in

4. Obsolete Info

Some of these things may be actively misleading, proceed with caution. This is being kept around to aid in writing the improved documentation above.

Here's the final procedure you should follow (for installing service "SERVICE" (e.g. mysql) on host "HOST" (e.g. deleuze)):

1. create local user SERVICE in /etc/passwd:

2. create Kerberos principal:

kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"

3. export user's keys to /etc/keytabs/SERVICE.HOST and chmod the file properly:

kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
chown SERVICE:wheel /etc/keytabs/SERVICE.HOST
chmod 440 /etc/keytabs/SERVICE.HOST

4. create OpenAFS user SERVICE.HOST

      pts cu SERVICE.HOST.hcoop.net

5. create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:

pts cg SERVICE
pts ad SERVICE.HOST SERVICE

6. modify service's init script in /etc/init.d/ in the following way:

start-stop-daemon --start --pidfile $PIDFILE \
 -c SERVICE:SERVICE \
 --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \
 -K 300 -t -p $PIDFILE \
 <The original start command>

start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
  -c SERVICE:SERVICE \
  --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
  -f /etc/keytabs/SERVICE.`hostname`
sleep 2

start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
rm -f /var/run/SERVICE/k5start-SERVICE.pid

7. Grant permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if the specific instance matters. (Mostly, you just add permissions to "SERVICE".)
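The steps above, gathered into one reviewable script. This is an added example, not a script from the HCoop wiki or the UserManagement tooling: keytab_plan only prints the kadmin.local/chown/chmod/pts commands for a given SERVICE and HOST (a dry run, so nothing touches the KDC or AFS until you run the output yourself), and keytab_mode_ok checks that an existing keytab file matches the 440 owner/group-read layout the procedure requires, since a keytab holds the service's long-term key and a world-readable one is a leaked credential. The SERVICE.HOST naming and the /etc/keytabs path are taken from the procedure; the function names and the use of ls to read the mode bits are this example's own choices.

```shell
#!/bin/sh
# Added example (not the wiki's own script): plan and check the keytab steps
# for a service principal SERVICE/HOST as described in the procedure above.
set -eu

# Print the commands for steps 2-5 without running them, so the sequence can
# be reviewed before anything is done on the KDC or in AFS.
keytab_plan() {
  service=$1
  host=$2
  keytab=/etc/keytabs/$service.$host          # path from the procedure
  cat <<EOF
kadmin.local -q "addprinc -policy service -randkey $service/$host"
kadmin.local -q "ktadd -k $keytab $service/$host"
chown $service:wheel $keytab
chmod 440 $keytab
pts cu $service.$host.hcoop.net
pts cg $service
pts ad $service.$host $service
EOF
}

# Return 0 if the keytab at $1 is a regular file whose mode allows no access
# for "other" and no write for group (i.e. compatible with chmod 440),
# otherwise return 1. Uses the first 10 characters of ls -ld, which are the
# same on GNU and BSD systems: type, then user/group/other rwx triples.
keytab_mode_ok() {
  f=$1
  [ -f "$f" ] || return 1
  perms=$(ls -ld "$f" | cut -c1-10)
  other=$(printf '%s' "$perms" | cut -c8-10)   # other rwx triple
  gwrite=$(printf '%s' "$perms" | cut -c6)     # group write bit
  [ "$other" = "---" ] || return 1
  [ "$gwrite" = "-" ] || return 1
  return 0
}

# Usage when run directly: print the plan for the wiki's mysql/deleuze example
# and, if the keytab already exists, report whether its mode is acceptable.
if [ "${1:-}" = "plan" ]; then
  keytab_plan "${2:-mysql}" "${3:-deleuze}"
  kt=/etc/keytabs/${2:-mysql}.${3:-deleuze}
  if [ -f "$kt" ]; then
    if keytab_mode_ok "$kt"; then
      echo "ok: $kt mode is acceptable"
    else
      echo "WARNING: $kt is readable by other or writable by group; run: chmod 440 $kt"
    fi
  fi
fi
```

Run it as `sh keytab-plan.sh plan mysql deleuze` to print the commands for step 2 through step 5; the mode check is deliberately kept separate from the plan so it can be reused in a periodic audit of /etc/keytabs after the service is installed.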


CategorySystemAdministration CategoryNeedsWork CategoryOutdated

PrincipalsForNonHumans (last edited 2013-01-11 08:52:51 by ClintonEbadi)