docelic wrote:
On Thu, Jan 31, 2008 at 05:49:58PM +0000, [EMAIL PROTECTED] wrote:
For centralized user metadata, again, in our setup with AFS, we use
LDAP. It's working very well. We have a user creation script that
synchronizes Unix/LDAP and AFS (Coda) user IDs and names, and Krb and
Coda passwords.

While Rune has a point, I think that the only bearable way to implement
AFS or Coda in a Unix network is to have user names and IDs synced.
Especially when it's not a big deal to do that at all, just make one
script that admins invoke when creating a user.
Thanks for all that. While this does sound interesting, I'd rather not throw LDAP into the mix as well if I can at all help it.

Then you can look at Frank Burkhardt's nss-ptdb (part of InstantAFS
project). It's an NSS module similar to libnss-ldap, but it retrieves
user info from AFS ptdb instead of from LDAP.

http://instantafs.cbs.mpg.de/ , even though it seems to be down ATM.

I don't speak German, so that site is quite incomprehensible. :-(

That could be adjusted to read from Coda's user db instead. Extra
benefit is that you don't have to sync passwd files around, and names in 'ls' match the real usernames.

Sounds ideal! :-)

Drawbacks are that you still need to edit /etc/group locally, there's no place for storing GECOS info, and users need to choose their default shell by symlinking ~/.login_shell to the shell of their choice.

I don't consider GECOS to be important, and symlinking ~/.login_shell is pretty trivial (I presume a default can be set?). Working around local /etc/group editing is less of a problem as that can be synced up without risking bricking the machine that is thousands of miles away (which is far too easy to achieve by damaging the passwd and shadow files).

I don't know, but I think that Coda does have a GECOS field in its
db, so the GECOS issue (people's real names) could be solved that way.

And for group membership, you could probably make nss-coda look into
a shared version of /etc/group on the server and return info based on that.

That would be even better. :-)

I was actually just thinking about something like this ever since Rune mentioned building the system around Coda, rather than the other way around. Authenticate logins against Coda's user database. All I have to do now is figure out how to adapt this nss module to work with Coda. Something tells me that it won't "just work" as it is...

Gordan
