Adding a user to the Lewin.nu domain
This information applies both to lewin.nu users and to other server domains such
as voxi.com and flaggan10.se.
Kinds of users
There are multiple user registries in the Lewin.nu domain: UNIX users,
Kerberos domain principals, AFS users, e-mail users and e-mail aliases.
Ideally, users should only be registered in the domains that they need,
to keep security tight.
Subversion users
For a user to access Subversion, the user must be registered as a Kerberos principal (a UNIX account is not required), and must also be added to the access control list for the Subversion repository.
The access control list for a Subversion repository is the "require user" list
in the "Location" section for that repository in the relevant web site configuration in
"/etc/apache/httpd.conf". After modifying this file, Apache must be restarted with "/usr/sbin/apachectl restart".
Adding a Kerberos principal
To add a Kerberos user, you must be a Kerberos administrator.
Use the /usr/sbin/kadmin program:
erl@sol:~$ /usr/sbin/kadmin
kadmin> add testuser
erl/admin@LEWIN.NU's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
testuser@LEWIN.NU's Password:
Verifying - testuser@LEWIN.NU's Password:
kadmin> quit
erl@sol:~$
The defaults offered at each prompt are fine.
Adding an AFS user
First, make sure the user exists as a Kerberos principal, because AFS uses Kerberos for authentication.
Then do:
erl@sol:~$ pts createuser testuser
User testuser has id 2643
erl@sol:~$
Optionally, you might want to create a group for users with "pts
creategroup" and then add users to the group with "pts adduser".
Adding a UNIX user
Create the user with the /usr/sbin/useradd command (and groups with the
groupadd command). Try to minimize the number of UNIX users for
security reasons, and only allow users to log in if necessary.
Adding a Kerberos administrator
For a user to be able to administer other users in Kerberos, the following is required:
- The user should have a Kerberos principal of the form <username>/admin. For example: mst/admin
- The principal should have its Kerberos rights set in the /var/heimdal/kadmind.acl file.
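The sections on Subversion access and Kerberos administrators both point at files that act as access control lists (the "require user" list in httpd.conf and /var/heimdal/kadmind.acl), and the "Kinds of users" section asks that each user be registered only where needed. The following script is an added audit helper, not part of the original lewin.nu notes: it reports which of the three registries (UNIX passwd, the Subversion "Require user" list of a given Location, and kadmind.acl) a user appears in, and lists kadmind.acl entries that do not follow the <username>/admin naming convention. The sample passwd, httpd.conf and kadmind.acl contents are constructed for the example; the Location path /svn/project, the user names and the rights values are assumptions, and the file paths are parameters so it runs offline without touching the real configuration.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original notes).
# Reports which registries a user is present in and flags kadmind.acl
# entries whose principal is not named <user>/admin.

# Constructed sample files, standing in for /etc/passwd,
# /etc/apache/httpd.conf and /var/heimdal/kadmind.acl.
setup_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
erl:x:1000:1000:Erl:/home/erl:/bin/bash
EOF
    cat > "$dir/httpd.conf" <<'EOF'
<Location /svn/project>
    DAV svn
    SVNPath /var/svn/project
    AuthType Basic
    AuthName "Subversion"
    Require user erl mst
</Location>
<Location /svn/other>
    Require user testuser
</Location>
EOF
    cat > "$dir/kadmind.acl" <<'EOF'
# principal            rights
erl/admin@LEWIN.NU     all
mst/admin@LEWIN.NU     add,list
testuser@LEWIN.NU      all
EOF
    echo "$dir"
}

# Exit status 0 if the user has a passwd entry, 1 otherwise.
has_unix_user() {  # $1=passwd file  $2=user
    grep -q "^$2:" "$1"
}

# Print the users named on "Require user" lines inside one Location block.
svn_acl_users() {  # $1=httpd.conf  $2=location path
    awk -v loc="$2" '
        $1 == "<Location"   { sub(/>$/, "", $2); inloc = ($2 == loc) }
        $1 == "</Location>" { inloc = 0 }
        inloc && tolower($1) == "require" && tolower($2) == "user" {
            for (i = 3; i <= NF; i++) print $i
        }' "$1"
}

# Exit status 0 if the user is in the Location's "Require user" list.
has_svn_access() {  # $1=httpd.conf  $2=location path  $3=user
    svn_acl_users "$1" "$2" | grep -qx "$3"
}

# Print the rights column for a principal in kadmind.acl (empty if absent).
kadmin_rights() {  # $1=kadmind.acl  $2=principal
    awk -v p="$2" '$1 !~ /^#/ && $1 == p { print $2 }' "$1"
}

# Print kadmind.acl principals that are not of the form <user>/admin@REALM.
kadmin_acl_irregular() {  # $1=kadmind.acl
    awk '$1 !~ /^#/ && NF >= 2 && $1 !~ "^[^@/]+/admin@" { print $1 }' "$1"
}

# Print a space-separated list of the registries a user appears in.
user_registries() {  # $1=dir with sample files  $2=user  $3=svn location path
    out=""
    has_unix_user "$1/passwd" "$2" && out="${out}unix "
    has_svn_access "$1/httpd.conf" "$3" "$2" && out="${out}svn "
    [ -n "$(kadmin_rights "$1/kadmind.acl" "$2/admin@LEWIN.NU")" ] && out="${out}kadmin "
    echo "${out% }"
}

# Demonstration over the constructed samples.
SAMPLES=$(setup_samples)
for u in erl mst testuser; do
    printf '%-10s %s\n' "$u" "$(user_registries "$SAMPLES" "$u" /svn/project)"
done
echo "kadmind.acl entries not named <user>/admin:"
kadmin_acl_irregular "$SAMPLES/kadmind.acl"
rm -rf "$SAMPLES"
```

Run against the real files by passing /etc, the Apache configuration and /var/heimdal paths instead of the sample directory; a user who shows up in more registries than their role needs is the case the "Kinds of users" section warns about, and any principal flagged by kadmin_acl_irregular is worth a second look since plain user principals normally have no entry in kadmind.acl at all.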