HAA

The Half-Admin Access (HAA) system allows administrators to create accounts without full AFS administrative access. It is currently in place on fiordland.

This system is needed because a user would normally need to be a member of the  group in OpenAFS for the user's PTS entry to be created. Every other step of the account creation process can be done with just root privileges and special AFS directory ACLs, but creating the PTS entry requires an administrative user. There is no solution to this short of modifying OpenAFS code, so the HAA system was created instead.

The system itself is very simple. Previously, there was a local "hadmin" user on the primary authentication server that half-admins would log into, but that is no longer necessary. Instead, they log in with their normal accounts using their Kerberos password (note that only people in the "haa" group can log in). After that, they just run:

$ pagsh
$ kinit /haa
$ aklog
$ sudo /afs/csl.tjhsst.edu/service/sysadmins/adduser-haa

The adduser-haa script is just a wrapper around adduser-haa.pl, which lives in the same directory. Only "wheel" users have sudo access to the script. The script itself is a modified adduser that uses its root privileges to authenticate with the "creator" keytab and then proceeds to execute the normal account creation commands.
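The privilege pattern described above (a root-only wrapper that borrows the "creator" identity just long enough to create the PTS entry, with the caller and username checked first) can be sketched as follows. This is an added illustration, not the real adduser-haa.pl; the keytab path, the username pattern and the wheel re-check are assumptions, while the principal name "creator" and the cell csl.tjhsst.edu come from the page.

```shell
#!/bin/sh
# Hypothetical HAA-style wrapper (illustration only, not the real adduser-haa.pl).
# Assumes MIT Kerberos and OpenAFS tools (kinit, aklog, pagsh, pts, unlog) on PATH.
KEYTAB=/etc/krb5.creator.keytab      # assumed location of the "creator" keytab
PRINCIPAL=creator                     # keytab principal named on the page
CELL=csl.tjhsst.edu                   # AFS cell named on the page

# The username reaches pts and adduser as root, so accept only a conservative
# pattern (assumed): lowercase letters, digits, '_' or '-', 2 to 32 characters.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9_-]{1,31}$'
}

# sudoers already limits the script to wheel; re-checking $SUDO_USER here is
# defence in depth. $2 lets a caller (or a test) supply the group list.
caller_allowed() {
    user=$1; groups=${2:-$(id -nG "$1" 2>/dev/null)}
    [ -n "$user" ] || return 1
    for g in $groups; do [ "$g" = wheel ] && return 0; done
    return 1
}

# Run in a fresh PAG so the creator token never lands in the half-admin's own
# session, and destroy tickets and tokens whether or not pts succeeds.
create_pts_entry() {
    pagsh -c "kinit -k -t '$KEYTAB' '$PRINCIPAL' && aklog -c '$CELL' \
        && pts createuser '$1' -cell '$CELL'; rc=\$?; unlog; kdestroy; exit \$rc"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run this through sudo" >&2; exit 1; }
    caller_allowed "$SUDO_USER" || { echo "$SUDO_USER is not in wheel" >&2; exit 1; }
    valid_username "$1" || { echo "refusing username: $1" >&2; exit 1; }
    create_pts_entry "$1" || exit 1
    adduser "$1"   # the remaining steps need only root plus the AFS directory ACLs
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```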