[OpenAFS] Services running in AFS space

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 05 Dec 2002 17:09:04 -0500


>My own university (Iowa State) skirts around the issue by not letting services
>run there in the first place. Except for the web servers, which are rebooted every
>30 days to get a new Kerberos ticket.

Basically, your only option (if you don't want to have a human type in a
password every so often) is to store a principal's key in a keytab, and
get a new ticket/token every so often.  We have a locally-written program
called "krb5run" that we use for this purpose.  It's probably got some
portability problems to a modern version of Kerberos, but I could
package it up if people are interested.

All of the other variants I've seen basically do the same thing, so the
only difference out there is probably program functionality and/or
Kerberos compatibility.

--Ken
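
The keytab approach described in the message above, as an added example; it is not krb5run and not part of the original post. It assumes MIT-style `kinit -k -t` and OpenAFS `aklog` are installed, and the keytab path, principal and script name are placeholders.

```shell
#!/bin/sh
# Added example, not krb5run. Assumes MIT-style `kinit -k -t` and OpenAFS `aklog`.
# KEYTAB and PRINCIPAL defaults are placeholders; override them in the environment.
KINIT=${KINIT:-kinit}
AKLOG=${AKLOG:-aklog}
KEYTAB=${KEYTAB:-/etc/krb5.keytab.service}
PRINCIPAL=${PRINCIPAL:-service/host.example.org@EXAMPLE.ORG}
INTERVAL=${INTERVAL:-3600}   # seconds between refreshes; keep below the ticket lifetime

# The keytab holds the principal's long-term key: refuse it if group/other have any access.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -lLd "$1" | cut -c5-10)   # the group and other permission bits
    [ "$perms" = "------" ]
}

# Get a fresh ticket from the keytab, then turn it into an AFS token.
refresh_creds() {
    keytab_is_private "$KEYTAB" || { echo "keytab missing or not private: $KEYTAB" >&2; return 2; }
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" || return 3
    "$AKLOG" || return 4
}

# Start the service with credentials and refresh them until it exits.
run_with_creds() {
    refresh_creds || return $?
    "$@" &
    svc=$!
    ( trap 'kill "$nap" 2>/dev/null; exit 0' TERM
      while :; do
          sleep "$INTERVAL" & nap=$!
          wait "$nap"
          refresh_creds || echo "refresh failed; service keeps its current token" >&2
      done ) &
    loop=$!
    rc=0; wait "$svc" || rc=$?
    kill "$loop" 2>/dev/null
    return "$rc"
}

# Usage: krbwrap.sh command [args...]   (script name is hypothetical)
if [ "$#" -gt 0 ]; then run_with_creds "$@"; fi
```

Starting the wrapper under OpenAFS `pagsh` puts the service and the refresh loop in one PAG, so the renewed token is visible to the service and to nothing else running as the same user.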