[OpenAFS-devel] Accommodating daemons
Tommie Gannert
d00-tga@d.kth.se
Thu, 23 Nov 2006 11:22:38 +0100
Erik Osterman wrote:
> I have a question I've seen asked many times before. My problem is, I
> haven't been able to find a solution that works for us.
>
I'm not sure this should go to openafs-devel, but I'll leave that for
others to decide.
> One solution I've seen is to wrap the process with an aklog system call
> to obtain a token. Problem with this is that the token expires after a
> maximum of 100 hours, which means every 100 hours we must restart the
> processes on the node. If the daemon process forks off another process,
> I'm not sure if the token is inherited; moreover, if these are CGIs it
> might be non-trivial to add the token request.
>
(Note that I am a small-scale user...)
Since I use open-sourced stuff for everything, it was easy to write a
small library (taken from Heimdal kinit) with essentially one public
function that is run in the main loop of the daemon. This required
trivial patches to Exim and Apache (the only daemons I needed AFS for).
Fork()ing shouldn't be a problem as long as it's the same PAG, so it
should be possible to extend aklog/kinit to stay in the background and
renew the tokens once they expire.
> The other solution I've seen is to create users based on IPs or subnets.
> This seems closest to what we want, however, doesn't work well (meaning,
> requires admin intervention) when you want to grant IP/32 ACLs to
> dynamic IPs. It would require custom scripting to accommodate.
>
"requires admin intervention"?
Create a PTS-group and be happy?
> Since our machines are closed and mostly locked down, if I had it my
> way, I'd have some sort of token that never expired (which doesn't
> appear possible) and is available to any process running under any UID
> on the server. Is there any solution close to this that can be implemented?
>
"running under any UID on the server" is probably harder to get than
either individual per daemon or host-based.
/Tommie
- A small-scale user
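The background renewer Tommie describes (kinit/aklog staying resident and refreshing the token before it expires, inside the daemon's PAG) can be sketched as a plain POSIX sh script. This is an added example, not code from the thread, from Heimdal or from OpenAFS; the keytab path, principal name and the 100-hour lifetime are assumed values taken from the discussion, and the renewal interval of half the lifetime is a design choice made here so that one failed attempt still leaves room for a retry.

```shell
#!/bin/sh
# afs-token-renewer.sh (added example, not from the original post).
# Keep a Kerberos TGT and an AFS token alive for a long-running daemon by
# re-obtaining both from a keytab well before the token expires.
# Run this script and the daemon in the same PAG (for example under pagsh)
# so the token is visible to the daemon and to everything it forks.

# Assumed settings; the keytab path and principal are hypothetical.
KEYTAB=${KEYTAB:-/etc/krb5.keytab.daemon}
PRINCIPAL=${PRINCIPAL:-daemon/host.example.com@EXAMPLE.COM}
KINIT=${KINIT:-kinit}          # overridable so the script can be tested offline
AKLOG=${AKLOG:-aklog}
TOKEN_LIFETIME_HOURS=${TOKEN_LIFETIME_HOURS:-100}   # max token life cited in the thread
RETRY_SECONDS=${RETRY_SECONDS:-300}

# Seconds to sleep between renewals: half the token lifetime, so that a
# single failed renewal can be retried before the current token runs out.
renew_interval() {
    echo $(( $1 * 3600 / 2 ))
}

# One renewal: fresh TGT from the keytab, then a fresh AFS token for the
# default cell. Returns non-zero if either step fails.
renew_once() {
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    "$AKLOG" || return 1
}

# Resident loop: renew, sleep, repeat; back off briefly on failure.
renew_loop() {
    interval=$(renew_interval "$TOKEN_LIFETIME_HOURS")
    while :; do
        if renew_once; then
            sleep "$interval"
        else
            echo "afs-token-renewer: renewal failed, retrying in ${RETRY_SECONDS}s" >&2
            sleep "$RETRY_SECONDS"
        fi
    done
}

case "${1:-}" in
    once) renew_once ;;
    loop) renew_loop ;;
esac
```

Typical use is `pagsh -c 'sh afs-token-renewer.sh once && { sh afs-token-renewer.sh loop & exec /path/to/daemon; }'`: pagsh creates a new PAG, the first call makes sure a token exists before the daemon starts, and the background loop and the daemon (plus any children it forks, which inherit the PAG) share that token. Keep the keytab readable only by the UID the daemon runs as, and set TOKEN_LIFETIME_HOURS to the lifetime your cell actually hands out rather than trusting the default.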