Hey folks,
I was pretty efficient this evening and implemented on Deleuze all the
stuff from previous email. (And daemons work again).
Here are the notes/questions for the other admins.. mostly for Adam M.
and/or Adam C.:
1) Do hcoop and domtool users need USER.cgi and USER.mailfilter
principals (and everything that goes with them)?
2) User 'domtool' is dedicated to domtool; what does 'hcoop' user
serve for?
3) Why is nss-ptdb resolving AFS groups into usernames? If you have
AFS group "X" and type 'id X' on command line, it will resolve
X as a user... is this behavior generally wanted?
4) I implemented user/groups scheme for services as described in previous
mail, but groups are named SERVICE.service, not simply SERVICE.
(To prevent nss-ptdb resolving them as user names, as said above..)
5) Directory /afs/hcoop/common/databases/USERNAME wants mode
mysql.service rl
postgres.service rl
so please add that to database creation procedures.
Actually,
in PTS, there is group 'databases' which contains groups mysql.service
and postgres.service. (And those two groups contain mysql.deleuze
and postgres.deleuze users). I tried setting permission simply to
'databases rl', but it didn't work until I explicitly added
'postgres.service rl; mysql.service rl'. Any explanation? Don't
groups work for "multiple levels"?
6) I've re-organized keytabs in /etc/keytabs/ . I removed the .keytab
extension from all files, and renamed 'email/' directory to
'mailfilter/' (since it holds USER.mailfilter keys anyway).
I've created new keytabs as said in previous mail, to be in form
service.host where needed.
I have modified exim4/get-token, create-user, destroy-user and
all init scripts and even a few domtool files in adamc's
~/cvs/ directory to reflect this. (Adamc, run cvs diff in there
to see the 3 or 4 lines I've changed).
7) As said, I've modified some domtool scripts in both /etc/init.d/
and in adamc's ~/cvs/. But other scripts (mysql, apache..)
I modified only in /etc/init.d/ , so whoever is taking care of
committing them to cvs, please do.
8) While trying to run domtool, I noticed it's not giving any error
message if it can't write its log file. Adamc you could add some
message in that case.
9) domtool-server says it wants to start, but exits with that OpenSSL
permission denied message that I initially reported. At this point,
Adamc I leave it to you.
10) Adamc please tune permissions on and in /afs/hcoop.net/usr/hcoop/ .
If you want hcoop to own them, chown hcoop. If you want apache,
chown to www-data.service .
11) I made sure named.log (for Justin) now always has proper perms
12) Domtool uses /etc/keytabs/root.admin.keytab when it wants admin
privs. That file contains keys for root/admin principal and
root.admin PTS user. Let's leave it at that for now; we'll
see what to do with it later...
13) Finally, I think the permissions in /afs/hcoop/ are in line
with all the changes, but if not - that's easy to adjust.
Cya,
-doc
_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
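One way to script the ACL step from point 5 as a repeatable procedure with a check, added here as an example and not taken from the original mail: it assumes the OpenAFS client's `fs setacl` / `fs listacl` commands, the /afs/hcoop/common/databases path named in the mail, and a `FS_CMD` override variable (my own name) so the logic can be dry-run against a stub.

```shell
#!/bin/sh
# FS_CMD lets the AFS client command be substituted (e.g. a stub) when testing.
FS_CMD="${FS_CMD:-fs}"
DB_ROOT="${DB_ROOT:-/afs/hcoop/common/databases}"

# The ACL is listed per service group on purpose: the mail reports that the
# nested PTS group 'databases' alone did not grant access on this directory.
db_acl_entries() {
    echo "mysql.service rl postgres.service rl"
}

# Grant read+lookup on a member's database directory to both service groups.
grant_db_acl() {
    user="$1"
    dir="$DB_ROOT/$user"
    # shellcheck disable=SC2046  (word splitting of the entry list is intended)
    "$FS_CMD" setacl -dir "$dir" -acl $(db_acl_entries)
}

# Verify the result: every required "<group> rl" line must appear in
# 'fs listacl' output; return 1 if any is missing.
verify_db_acl() {
    user="$1"
    dir="$DB_ROOT/$user"
    acl="$("$FS_CMD" listacl -path "$dir")"
    for grp in mysql.service postgres.service; do
        echo "$acl" | grep -q "^ *$grp rl\$" || return 1
    done
    return 0
}
```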