[OpenAFS] Problems giving a daemon process permanent access to AFS
Marcus Watts
mdw@umich.edu
Thu, 01 Feb 2007 15:46:17 -0500
Bastian <dea1306@melvex.xs4all.nl> writes:
...
> I am running an unattended daemon process that needs access to the AFS
> filespace.
>
> I have some scripts running from /etc/init.d/ under a specific user,
> getting the Kerberos credentials, getting the tokens and then running
> the process. This works fine... until the tokens expire.
>
> In this case, losing access to the files under /afs makes the process
> abort. I tried to keep the process running, by using a cron-job under
> the same user, that gets fresh credentials and tokens. Still, the
> process aborts the moment the original tokens expire.
>
> As far as I understand, the process should retain access to /afs, using
> the new tokens, because tokens created by daemon processes are bound to
> the user only. I assumed that processes started from init.d and
> processes started from cron that run under the same user share the tokens.
>
> Does anyone know why this doesn't work? Or is there a better way to do this?
>
> I am using Debian 4.0, Kerberos5 1.4.4 and OpenAFS 1.4.2
...
Most likely you actually want to run these scripts inside a PAG (so that
if the same "user" logs in they don't share the same tokens), and you
want to run something that periodically renews the Kerberos 5 ticket
and credentials -- probably *not* using a cron job but instead as
part of the script environment itself.
There are lots of ways to do this. A simple modern way would be to use
Russ Allbery's "kstart":
http://www.eyrie.org/~eagle/software/kstart/
... and cclausen beat me to saying this.
-Marcus Watts
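
An added example, not part of the original message: an init-script fragment that starts a daemon under k5start so that ticket and token renewal live in the daemon's own environment rather than in cron. The keytab, the paths, the daemon name and the `RUN` dry-run variable are assumptions; the flags are those of current kstart releases, and the new PAG is created only when kstart was built with AFS setpag support.

```shell
#!/bin/sh
# Added example. All paths and the daemon name below are hypothetical.
KEYTAB=${KEYTAB:-/etc/mydaemon/mydaemon.keytab}
DAEMON=${DAEMON:-/usr/local/sbin/mydaemon}
PIDFILE=${PIDFILE:-/var/run/mydaemon.pid}
RENEW_MIN=${RENEW_MIN:-10}   # minutes between renewal checks

# The keytab is a long-term secret: refuse to start if it is missing
# or if group/other have any permission bits set on it.
keytab_ok() {
    kt=$1
    if [ ! -f "$kt" ] || [ ! -r "$kt" ]; then
        echo "keytab missing or unreadable: $kt" >&2
        return 1
    fi
    case $(ls -ld -- "$kt") in
        -???------*) return 0 ;;
        *) echo "keytab $kt is accessible to group/other" >&2
           return 1 ;;
    esac
}

# k5start flags used here:
#   -f FILE  authenticate from this keytab (no password prompt)
#   -U       take the principal name from the keytab
#   -t       obtain AFS tokens by running aklog; when a command is
#            given, this happens in a fresh PAG (setpag builds only)
#   -K MIN   wake every MIN minutes and renew ticket and token
#   -b       go to the background after the first authentication
#   -p FILE  write k5start's own PID here, for the stop action
# Set RUN=echo to print the command instead of executing it.
start_daemon() {
    keytab_ok "$KEYTAB" || return 1
    ${RUN:-} k5start -f "$KEYTAB" -U -t -K "$RENEW_MIN" -b \
        -p "$PIDFILE" -- "$DAEMON"
}

case "${1:-}" in
    start) start_daemon ;;
esac
```

Because the daemon is a child of k5start, the refreshed tokens land in the PAG the daemon already belongs to.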