Adding a new admin
Common Maintenance Tasks/Adding an admin principal
Machines
KDCs: barium, sodium, potassium
AFS: run "vos listaddrs" and go down the list to check which servers are current; add the new admin to "gafs" as well (this one is less critical: forgetting it won't make the new account script fail).
Binary Log Explosion
(09:17:22 PM) Keith Bare: POTASSIUM did that annoying thing that it does every once in a while
(09:17:32 PM) Keith Bare: potassium:/var/lib# ls -hl heimdal-kdc/log
-rw------- 1 root root 486M 2012-08-20 21:16 heimdal-kdc/log
(09:17:41 PM) Keith Bare: potassium:/var/lib# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/xvda1 1020M 1020M 0 100% /
tmpfs 63M 0 63M 0% /lib/init/rw
udev 10M 24K 10M 1% /dev
tmpfs 63M 0 63M 0% /dev/shm
(09:17:42 PM) mkasick: hurrah
(09:18:05 PM) Keith Bare: I don't recall how you "fixed" it though
(09:18:09 PM) mkasick: oh
(09:18:15 PM) mkasick: the log file is ipropd, iprop blew up
(09:18:51 PM) mkasick: fix is to stop the kdc and ipropd-slave on potassium, rm /var/heimdal/log, mv /var/heimdal/heimdal.db /tmp; restart iprop; wait for sync; then restart the kdc and optionally remove the old database
(09:19:11 PM) mkasick: you shouldn't have to restart ipropd-master on sodium, but if it goes crazy again, perhaps that's also advisable
(09:19:21 PM) Keith Bare: ok
(09:20:37 PM) Keith Bare: yeah, BARIUM too
(09:20:42 PM) mkasick: oh
(09:20:48 PM) mkasick: yeah in that case kill ipropd-master on sodium
(09:21:19 PM) mkasick: kill ipropd-slaves; blow away potassium/barium log files, rename old dbs, start ipropd-master, ipropd-slaves, let resync, then restart kdcs
(09:21:24 PM) mkasick: sodium kdc can stay up though
(09:21:41 PM) mkasick: there's a sodium:/var/heimdal/slave-stats file that will register when the new slaves have the latest version
(09:30:05 PM) Keith Bare: ok, looks like it's fixed now
(09:30:16 PM) mkasick: cool
Account Expiration Mailings
By default, we set up club users with Kerberos principals that expire after two years, though we are happy to renew accounts on request. (Mainly, we want to avoid having unused accounts with potentially weak passwords lying around waiting to get hacked.)
In 2006, mkasick put together some scripts (and relevant ruby libraries) for identifying expiring accounts, sending reminder emails about account expirations, and renewing accounts.
Source code:
Robust System library: https://svn.club.cc.cmu.edu/cclub/rsystem/trunk
Kadmin library: https://svn.club.cc.cmu.edu/cclub/ruby-kadmin/trunk
Scripts: https://svn.club.cc.cmu.edu/cclub/krb-exp-scripts/trunk
Originally the scripts and libraries required ruby 1.8.x and the version of heimdal kadmin in sarge and etch. However, in 2014, kbare updated them to work with ruby 1.9.x and the version of heimdal kadmin in wheezy. For future maintenance, the main thing to watch out for relating to kadmin is additional output from "kadmin get".
Installation:
- Install the Debian packages for the appropriate version of ruby (e.g., for wheezy, ruby1.9.1)
- Install the ruby-mail package
- Install the two ruby libraries in appropriate directories under /usr/local/stow; then use stow to link them into /usr/local
- Add the sibyl user to the system
- Ensure sibyl has an entry in /etc/shadow (so she can run cron jobs)
- Set up sibyl.keytab
- Install the scripts into ~sibyl/
- Set up a cron job that executes mail_exp.rb at 7:00am every day
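The maintenance note above is that "kadmin get" may grow extra output lines. As an added illustration (not the krb-exp-scripts or ruby-kadmin code; the sample outputs and the realm EXAMPLE.REALM are constructed), here is a tolerant Ruby parser that finds principals expiring within a window and simply stores any label it does not recognise:

```ruby
require 'time'

# Constructed sample outputs in the shape of heimdal "kadmin get <principal>";
# EXAMPLE.REALM is a placeholder realm, not the club's.
SAMPLE_ALICE = <<~OUT
            Principal: alice@EXAMPLE.REALM
    Principal expires: 2014-09-01 00:00:00 UTC
     Password expires: never
 Last password change: 2012-09-01 12:00:00 UTC
OUT

SAMPLE_BOB = <<~OUT
            Principal: bob@EXAMPLE.REALM
    Principal expires: never
  Some newer attribute: value a future kadmin might print
OUT

# Turn "Label: value" lines into a hash. Unknown labels are stored rather
# than rejected, so extra output from a newer kadmin does not break parsing.
def parse_kadmin_get(text)
  text.each_line.each_with_object({}) do |line, fields|
    next unless line =~ /\A\s*([^:]+?):\s*(.*?)\s*\z/
    fields[$1] = $2
  end
end

# Expiration as a Time, or nil when the principal never expires.
def expiry_of(fields)
  value = fields["Principal expires"]
  return nil if value.nil? || value == "never"
  Time.parse(value)
end

# Principal names whose expiration is within `days` of `now`
# (already expired ones included), in input order.
def expiring_principals(outputs, now:, days: 30)
  cutoff = now + days * 86_400
  outputs.map { |out| parse_kadmin_get(out) }
         .select { |f| (exp = expiry_of(f)) && exp <= cutoff }
         .map { |f| f["Principal"] }
end

if __FILE__ == $PROGRAM_NAME
  puts expiring_principals([SAMPLE_ALICE, SAMPLE_BOB], now: Time.utc(2014, 8, 15))
end
```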