diff --git a/hosts/skydick/DATAPOOL.md b/hosts/skydick/DATAPOOL.md index 6216d2e..50d919c 100644 --- a/hosts/skydick/DATAPOOL.md +++ b/hosts/skydick/DATAPOOL.md 
@@ -46,6 +46,51 @@ The bootstrap LDIF for the Samba domain object, the LDAP `storage` group, and the machine OU is checked in at [`samba-ldap-bootstrap.ldif`](samba-ldap-bootstrap.ldif). +## Quick start + +### What a user needs before using the data pool + +- A real LDAP account under `ou=people,dc=skyw,dc=top` +- For shared `public` and `media` access: membership in LDAP group + `cn=storage,ou=posix_groups,dc=skyw,dc=top` +- For private personal storage: a provisioned `/srv/users/` subtree on `skydick` +- For SMB: one-time admin bootstrap with `smbpasswd -a ` + +After the one-time SMB bootstrap, your ongoing password is your LDAP password. Change it through +the LDAP password-change flow, not routine `smbpasswd` use. + +### What an admin must do before telling a user "it is ready" + +1. Create or verify the LDAP `posixAccount` for the user. +2. Add the user's `uid` to LDAP group `storage` if they should access `public` and `media`. +3. If the user needs private storage, provision the per-user Nix export/tmpfiles entries and the + ZFS subtree under `dick/users/`. +4. Deploy the updated `skydick` NixOS configuration if step 3 changed it. +5. If the user needs SMB, run `smbpasswd -a ` once on `skydick`. +6. If the bootstrap password was admin-set, tell the user to immediately change it through the LDAP + password-change flow. +7. Verify `getent passwd `, `zfs list -r dick/users/` if applicable, and + `pdbedit -L | grep '^:'` if SMB was enabled. + +## Password rules + +- First SMB use: admin runs `smbpasswd -a ` on `skydick` once to create the user's + `sambaSamAccount` in LDAP. +- Normal password changes after that: use the LDAP password web UI or `ldappasswd`. +- Do not use `smbpasswd` as the normal password-change workflow. It is for first-time SMB bootstrap + and emergency repair only. 
+ +Example `ldappasswd` command for users who have LDAP CLI access: + +```bash +ldappasswd -x -H ldap://10.0.0.1 \ + -D "uid=,ou=people,dc=skyw,dc=top" \ + -W -S "uid=,ou=people,dc=skyw,dc=top" +``` + +This changes the LDAP password, and the LDAP server keeps Samba password hashes aligned for users +that already have a `sambaSamAccount`. + ## Connecting via SMB (Windows / macOS / Linux GUI) ### Windows @@ -58,10 +103,10 @@ \\10.0.1.1\ ``` -When prompted, enter your SMB credentials. For a user's first SMB login, an admin must bootstrap -the account once on skydick with `smbpasswd -a `, which creates the LDAP -`sambaSamAccount` data for that user. After that, change passwords through the LDAP password UI -or `ldappasswd` so LDAP remains authoritative and SMB stays in sync. +When prompted, enter your LDAP password after the one-time SMB bootstrap. For a user's first SMB +login, an admin must bootstrap the account once on skydick with `smbpasswd -a `, which +creates the LDAP `sambaSamAccount` data for that user. After that, change passwords through the +LDAP password UI or `ldappasswd` so LDAP remains authoritative and SMB stays in sync. ### macOS @@ -177,6 +222,16 @@ host in 10.0.0.0/16 that mounts your export will write as you. NFS does not authenticate — it trusts the network. For stronger isolation, use SMB (which requires a password). +### First-time user checklist + +1. Confirm your LDAP username with the admin. +2. Confirm whether you should have only a private home, or also shared `public` and `media` + access via LDAP group `storage`. +3. If you will use SMB, ask the admin whether your first-time SMB bootstrap has been done. +4. If the admin set a temporary SMB password for bootstrap, change it immediately through the LDAP + password-change flow. +5. Connect with either SMB or NFS using the paths in this guide. + ### Per-user subtree layout ``` 
@@ -199,9 +254,13 @@ VM zvols (block devices for iSCSI) are created as ZFS children of `dick/users//vm/` and are managed by the admin. They are not visible in the filesystem tree. -## Adding a new user +## Admin runbook -Admin procedure — run on skydick as root: +The workflow below is the full procedure for onboarding a new data-pool user. + +### Adding a new user + +Admin procedure — run on skydick as root unless a step explicitly happens on the LDAP host: ### 1. Create or verify the user in LDAP @@ -332,6 +391,40 @@ exportfs -ra ``` +### 8. Verify before handing over to the user + +```bash +getent passwd +id +zfs list -r dick/users/ +exportfs -v | grep "/srv/users/" +``` + +If SMB was enabled: + +```bash +pdbedit -L | grep "^:" +``` + +Then tell the user: + +- Their exact username +- Whether they have `public` / `media` access or only the private home +- Whether SMB bootstrap is done +- To use the LDAP password-change flow for future password changes + +### Existing user enabling SMB for the first time + +If a user already exists in LDAP and already has the private dataset/export, but has never used SMB +before, only this step is needed: + +```bash +smbpasswd -a +``` + +After that, the user should change the password through the LDAP password-change flow if the admin +set the initial value. + ## Quotas When a user's `dick/users/` dataset exists, its ZFS quota (default 10TB in the examples @@ -399,6 +492,8 @@ bootstrap the `sambaSamAccount` - After bootstrap, change the password through the LDAP password UI or `ldappasswd` so Unix and SMB passwords stay aligned +- If `pdbedit -L` shows the user but SMB still fails, reset with `smbpasswd -a ` and then + have the user change the password again through the LDAP password-change flow - If `public` or `media` access fails but the home share works, check LDAP `storage` membership and verify the `memberUid` list for `cn=storage,ou=posix_groups,dc=skyw,dc=top` 
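Review bot: in the first hunk (`@@ -46,6 +46,51 @@`), the `ldappasswd` example binds with `-x` to `ldap://10.0.0.1` and uses `-W -S`, so both the bind password and the new password are sent over a plaintext LDAP connection; switch the URI to `ldaps://10.0.0.1` or add `-ZZ` so the client refuses to continue without StartTLS. The same hunk's placeholders have been lost in rendering: `smbpasswd -a `, `uid=,ou=people,dc=skyw,dc=top`, `getent passwd ` and `pdbedit -L | grep '^:'` all end where a username should be, so write the placeholder as a plain token such as `USERNAME` that survives rendering. The closing sentence "the LDAP server keeps Samba password hashes aligned" should name the overlay or hook that does this, since `ldappasswd` by itself only rewrites `userPassword`, and a reader troubleshooting a failed SMB login after an LDAP password change needs to know which component to check.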
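Review bot: in the hunk at `@@ -199,9 +254,13 @@`, the new `### Adding a new user` heading sits at the same level as the existing `### 1. Create or verify the user in LDAP` that follows it, so the numbered steps render as siblings of "Adding a new user" rather than as its contents; either demote the step headings to `####` or drop the new `###` heading and keep only the intro sentence under `## Admin runbook`.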
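Review bot: in the hunk at `@@ -332,6 +391,40 @@`, the step 8 checks confirm that the account, dataset and export exist but never exercise authentication, so a user with a stale or unsynced `sambaSamAccount` still passes "verify before handing over"; add an actual login check (for example `smbclient -L //10.0.1.1 -U USERNAME`, assuming `smbclient` is available on the admin host) after the `pdbedit -L` line. The `exportfs -v | grep "/srv/users/"` filter also inherits the stripped placeholder and, as written, matches every per-user export rather than the one being verified. For the "Existing user enabling SMB" section, the runbook should say how the admin-chosen bootstrap value is communicated to the user, since until the user rotates it through the LDAP flow the admin holds a working credential for that account.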
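Review bot: in the last hunk of this file (`@@ -399,6 +492,8 @@`), the new troubleshooting bullet jumps straight to `smbpasswd -a ` when `pdbedit -L` lists the user but SMB fails; that destroys the evidence of why the login failed and puts an admin-known password back on the account. Suggest inserting a diagnostic step first (inspect the account with `pdbedit -Lv USERNAME` and the Samba log for the failing client) and stating the most likely cause given the rest of the document, namely an LDAP password change that did not update the Samba hashes, before recommending the reset.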
diff --git a/hosts/skydick/README.md b/hosts/skydick/README.md new file mode 100644 index 0000000..4c96761 --- /dev/null +++ b/hosts/skydick/README.md @@ -0,0 +1,14 @@ +# Skydick + +`skydick` is the multi-user data-pool host at `10.0.1.1`. + +The full user guide and admin runbook live in [`DATAPOOL.md`](./DATAPOOL.md). + +That document covers: + +- what users need before they can use the pool +- what admins must provision for LDAP, ZFS, NFS, and SMB +- one-time SMB bootstrap versus normal LDAP password changes +- share paths for SMB and NFS +- per-user dataset layout +- verification and troubleshooting
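Review bot: the new README states that `skydick` lives at `10.0.1.1` but does not say where the LDAP directory it depends on is served, while `DATAPOOL.md` in the same patch points `ldappasswd` at `10.0.0.1`; add one line naming the LDAP host so a reader does not assume the directory runs on `skydick`. The bullet list also omits the one caveat a new user most needs from the guide, that NFS exports do no authentication and trust any host in the network range, so "share paths for SMB and NFS" should carry a short note that SMB is the password-protected option.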