[OpenAFS] Cron jobs without service keytab

Russ Allbery rra@stanford.edu
Fri, 09 Apr 2004 12:03:24 -0700


Lukas Kubin <kubin@opf.slu.cz> writes:

> I would like to allow common users of our Linux servers to run cronjobs
> with access to AFS. I don't want the solution of creating additional
> principals for running their cronjobs.

> Instead I would only let the cron daemon process run with the AFS
> privileges of a principal, say cron/servername. Then the users would set
> an ACL on the directory they wished to be accessed by the cron daemon and
> edit their crontab entries.

> That is a simple way we use, e.g., with Apache accessing users' home
> directories. However, it is probably not possible with standard (Vixie)
> cron, because it uses several PAM modules before running the users' cron
> jobs.

> Don't you know of any solution to this?

Run the cron jobs under a program that obtains Kerberos tickets and an AFS
token.  One way would be to add that wrapper to every user's cron job
(either by telling users to do that or by putting some sort of wrapper
around crontab).  Another way would be to run crond itself with an AFS
token for all jobs that it kicks off.  The best way to do that would be to
run crond inside a PAG and run a process also inside that PAG that obtains
and periodically renews a token.

<http://www.eyrie.org/~eagle/software/kstart/> is one such program that
you could potentially use.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
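
The second approach in the reply above (crond running inside a PAG with a periodically renewed token), sketched as an added example that is not part of the original message or of the kstart distribution. Assumptions: k5start is built with AFS setpag support, the key for cron/servername is in a keytab at the placeholder path /etc/cron.keytab, and crond stays in the foreground with -n (the flag differs between cron implementations).

```shell
#!/bin/sh
# Added example: start crond under k5start so every job inherits one AFS token.
# KEYTAB and CROND are assumed values; adjust them for the local system.
KEYTAB=${KEYTAB:-/etc/cron.keytab}   # placeholder path, holds the cron/servername key
CROND=${CROND:-"crond -n"}           # foreground flag varies between cron implementations

# Return 0 only if the keytab is a regular file (not a symlink), owned by the
# expected uid (default: root), with no group or other permission bits set.
# A keytab readable by ordinary users would let them obtain the token directly.
keytab_is_private() {
    kt=$1
    want_uid=${2:-0}
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    # GNU stat: octal mode and numeric owner, e.g. "600 0"
    set -- $(stat -c '%a %u' "$kt" 2>/dev/null)
    [ "${2:-}" = "$want_uid" ] || return 1
    case ${1:-} in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

if [ "${1:-}" = start ]; then
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to start: $KEYTAB must be root-owned with mode 0600" >&2
        exit 1
    fi
    # -U     take the principal name from the keytab
    # -f     authenticate from the keytab instead of prompting
    # -t     run aklog after each ticket fetch to obtain the AFS token
    # -K 30  wake every 30 minutes and renew the ticket when needed
    # With -t and a command, k5start puts the command in a new PAG (when
    # built with setpag support) and exits when the command exits.
    exec k5start -t -U -f "$KEYTAB" -K 30 -- $CROND
fi
```

With this setup every job crond starts, for any local user, runs with the same token, so a directory whose ACL names the cron principal is reachable from every user's crontab on that host.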