Davor Ocelic <[EMAIL PROTECTED]> writes:
> - added uid option to create-user
> - added ldap entries for user, user.cgi and user.mailfilter
> - added -policy option to kerberos invocations
> - added -p root/admin option to kadmin.local invocations as, when it's
> unspecified, it defaults to whatever is the first principal in the
> ticket cache, which ends up being www-data/apache or something like
> that (kadmin still works, but it's not nice).
> - updated destroy-user in the same fashion
Sweet.
Also, now that we are running libnss-ptdb, there is no longer any need
to create entries in /etc/passwd. I've removed the "megacz" user from
deleuze:/etc/passwd, and everything still works fine (note: we should
use some other mechanism such as pam to restrict logins on deleuze).
In fact, I recommend we adopt a policy of never adding an entry to
/etc/passwd on any of hcoop's machines if a corresponding AFS identity
exists -- this runs the risk of them falling out of sync.
The only exception right now is the *_admin instances, because their
UNIX and AFS names don't match ("_" vs ".") so ptdb thinks there is no
megacz_admin and falls back to files+ldap. I could add this to
libnss-ptdb, but we should probably still leave the _admin entries in
/etc/passwd so we can log in if all redundant copies of the AFS
ptservers die simultaneously (highly unlikely once we set up a
secondary ptserver).
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
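An added drift check for the /etc/passwd policy discussed above (example code, not from the thread or from libnss-ptdb): it compares local passwd entries against `pts listentries` output, applies the "_" vs "." naming difference the message describes, and reports local accounts that duplicate an AFS identity. The sample passwd and pts text are constructed, and the pts column layout (Name, ID, Owner, Creator) is assumed from OpenAFS.

```python
import re

# Constructed sample /etc/passwd (not from the original thread).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
megacz:x:1001:1001::/home/megacz:/bin/bash
megacz_admin:x:1002:1002::/home/megacz_admin:/bin/bash
docelic:x:1003:1003::/home/docelic:/bin/bash
"""

# Constructed `pts listentries` output, assumed OpenAFS column layout.
PTS_SAMPLE = """\
Name                          ID  Owner Creator
megacz                      1001   -204    -204
megacz.admin                1002   -204    -204
"""

def parse_passwd(text, min_uid=1000):
    """Return {name: uid} for ordinary (non-system) accounts."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 3:
            continue  # blank, comment or malformed line
        name, uid = fields[0], int(fields[2])
        if uid >= min_uid:
            users[name] = uid
    return users

def parse_pts(text):
    """Return the set of names from `pts listentries`, skipping the header."""
    names = set()
    for line in text.splitlines()[1:]:
        m = re.match(r"(\S+)\s+-?\d+\s+-?\d+\s+-?\d+", line)
        if m:
            names.add(m.group(1))
    return names

def unix_to_afs(name):
    """UNIX 'megacz_admin' corresponds to AFS 'megacz.admin' (per the thread)."""
    return name.replace("_", ".")

def audit(passwd_text, pts_text):
    """Classify local accounts by their relation to the AFS ptdb."""
    local, afs = parse_passwd(passwd_text), parse_pts(pts_text)
    result = {"duplicates": [], "admin_exceptions": [], "local_only": []}
    for name in sorted(local):
        if name in afs:
            result["duplicates"].append(name)        # ptdb already serves it: drop
        elif unix_to_afs(name) in afs:
            result["admin_exceptions"].append(name)  # keep until ptdb maps "_" to "."
        else:
            result["local_only"].append(name)        # no AFS identity: unaffected
    return result
```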
_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin