Adding a user to the Lewin.nu domain

This information is for lewin.nu users as well as for other server domains such as voxi.com and flaggan10.se.

Kinds of users

There are multiple user registries in the Lewin.nu domain: UNIX users, Kerberos domain principals, AFS users, e-mail users and e-mail aliases. Ideally, users should only be registered in the domains that they need, to keep security tight.

Subversion users

For a user to access Subversion, the user must be registered as a Kerberos principal (but not as a UNIX user), and must also be added to the access control list for the Subversion repository.
The access control list for Subversion repositories is the "require user" list in the "Location" section of the relevant web site configuration in "/etc/apache/httpd.conf". After modifying this file, Apache must be restarted with "/usr/sbin/apachectl restart".
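
One way to audit that access control list, as an added example that is not part of the original page: the functions below list the users on each "require user" line inside a "Location" section and flag those who also have a UNIX account. The function names, the sample configuration and the optional passwd-file argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit who is on the Subversion ACL in an Apache config.

# Print "location<TAB>user" for each name on a "require user" line that sits
# inside a <Location> section of the given configuration file.
svn_acl_users() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        line ~ /^#/ { next }                       # ignore commented-out lines
        tolower(line) ~ /^<location[ \t]/ {
            loc = line
            sub(/^<[^ \t]+[ \t]+/, "", loc); sub(/>$/, "", loc)
            gsub(/"/, "", loc); inloc = 1; next
        }
        tolower(line) ~ /^<\/location>/ { inloc = 0; next }
        inloc && tolower(line) ~ /^require[ \t]+user[ \t]/ {
            n = split(line, f, /[ \t]+/)
            for (i = 3; i <= n; i++) print loc "\t" f[i]
        }
    ' "$1"
}

# Print ACL users that also have a UNIX account. Per the page, Subversion
# users need a Kerberos principal but not a UNIX user, so each hit deserves
# a look. Stripping "@REALM" assumes names may be written as user@REALM.
svn_acl_unix_overlap() {
    conf=$1; passwd=${2:-/etc/passwd}
    svn_acl_users "$conf" | cut -f2 | sed 's/@.*//' | sort -u |
    while read -r u; do
        if cut -d: -f1 "$passwd" | grep -qxF -- "$u"; then echo "$u"; fi
    done
}

# Constructed sample configuration (not the real lewin.nu httpd.conf).
sample_conf() {
    cat <<'EOF'
<Location /svn/project>
    DAV svn
    SVNPath /var/svn/project
    require user erl testuser
</Location>
<Directory /var/www>
    require user outsider
</Directory>
<Location "/svn/private">
    # require user olduser
    Require user erl@LEWIN.NU
</Location>
EOF
}
```

On the server, "svn_acl_unix_overlap /etc/apache/httpd.conf" compares the list against /etc/passwd.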

Adding a Kerberos principal

To add a Kerberos user, you must be a Kerberos administrator.

Use the /usr/sbin/kadmin program:
erl@sol:~$ /usr/sbin/kadmin
kadmin> add testuser
erl/admin@LEWIN.NU's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
testuser@LEWIN.NU's Password:
Verifying - testuser@LEWIN.NU's Password:
kadmin> quit
erl@sol:~$
Defaults will be fine.

Adding an AFS user

First, make sure the user exists as a Kerberos principal, because AFS uses Kerberos for authentication.
Then do:

erl@sol:~$ pts createuser testuser
User testuser has id 2643
erl@sol:~$
Optionally, you might want to create a group for users with "pts creategroup" and then add users to the group with "pts adduser".

Adding a UNIX user

Create the user with the /usr/sbin/useradd command (and groups with the groupadd command). Try to minimize the number of UNIX users for security reasons, and only allow users to log in if necessary.

Adding a Kerberos administrator

For a user to be able to administer other users in Kerberos, the following should be done: