Coda File System

Re: Coda for home directories and NIS vs. Kerberos

From: <coda_at_bobich.net>
Date: Thu, 31 Jan 2008 20:52:08 +0000
docelic wrote:
> On Thu, Jan 31, 2008 at 05:49:58PM +0000, coda_at_bobich.net wrote:
>>> For centralized user metadata, again, in our setup with AFS, we use
>>> LDAP. It's working very well. We have a user creation script that
>>> synchronizes Unix/LDAP and AFS (Coda) user IDs and names, and Krb and
>>> Coda passwords.
>>>
>>> While Rune has a point, I think that the only bearable way to implement
>>> AFS or Coda in a Unix network is to have user names and IDs synced.
>>> Especially when it's not a big deal to do that at all, just make one
>>> script that admins invoke when creating a user.
>> Thanks for all that. While this does sound interesting, I'd rather not 
>> throw LDAP into the mix as well if I can at all help it.
> 
> Then you can look at Frank Burkhardt's nss-ptdb (part of the InstantAFS
> project). It's an NSS module similar to libnss-ldap, but it retrieves
> user info from the AFS ptdb instead of from LDAP.
> 
> http://instantafs.cbs.mpg.de/ , even though it seems to be down ATM.

I don't speak German, so that site is quite incomprehensible. :-(

> That could be adjusted to read from Coda's user db instead. Extra
> benefit is that you don't have to sync passwd files around, and 
> names in 'ls' match the real usernames.

Sounds ideal! :-)

> Drawbacks are that you still need to edit /etc/group locally, 
> there's no place for storing GECOS info, and users need to choose
> their default shell by symlinking ~/.login_shell to the shell 
> of their choice.

I don't consider GECOS to be important, and symlinking ~/.login_shell is 
pretty trivial (I presume a default can be set?). Working around local 
/etc/group editing is less of a problem as that can be synced up without 
risking bricking the machine that is thousands of miles away (which is 
far too easy to achieve by damaging the passwd and shadow files).

> I don't know, but I think that Coda does have a GECOS field in its
> db, so the GECOS issue (people's real names) could be solved that way.
> 
> And for group
> membership, you could probably make nss-coda look into a shared
> version of /etc/group on the server and return info based on that.

That would be even better. :-)

I was actually just thinking about something like this ever since Rune 
mentioned building the system around Coda, rather than the other way 
around: authenticate logins against Coda's user database. All I have to 
do now is figure out how to adapt this NSS module to work with Coda. 
Something tells me that it won't "just work" as it is...

Gordan
Received on 2008-01-31 15:54:04