[OpenAFS] Problems giving a daemon process permanent access to AFS

Marcus Watts mdw@umich.edu
Thu, 01 Feb 2007 15:46:17 -0500

Bastian <dea1306@melvex.xs4all.nl> writes:
> I am running an unattended daemon process that needs access to the AFS 
> filespace.
> I have some scripts running from /etc/init.d/ under a specific user, 
> getting the kerberos credentials, getting the tokens and then running 
> the process. This works fine... until the tokens expire.
> In this case, losing access to the files under /afs makes the process 
> abort. I tried to keep the process running, by using a cron-job under 
> the same user, that gets fresh credentials and tokens. Still, the 
> process aborts the moment the original tokens expire.
> As far a I understand, the process should retain access to /afs, using 
> the new tokens, because tokens created by daemon processes are bound to 
> the user only.  I assumed that processes started from init.d and 
> processes started from cron that run under the same user share the tokens.
> Does anyone know why this doesn't work? Or is there a better way to do this?
> I am using Debian 4.0, Kerberos5 1.4.4 and OpenAFS 1.4.2

Most likely you actually want to run these scripts inside a pag (so that
if the same "user" logs in they don't share the same tokens), and you
want to run something that periodically renews the kerberos 5 ticket
and credentials -- probably *not* using a cron job but instead
part of the script environment itself.

There are lots of ways to do this.  A simple modern way would be to use
Russ Allbery's "kstart":

... and cclausen beat me to saying this.

					-Marcus Watts