[OpenAFS] Problems giving a daemon process permanent access to AFS

Earl Shannon Earl_Shannon@ncsu.edu
Thu, 01 Feb 2007 15:57:47 -0500


I don't know what all your security considerations are, but I'd suggest 
you create an IP ACL
in the filespace the daemon needs to access. If the server doesn't have 
other users on it
you should be ok.

An IP ACL allows anyone coming from that IP addess to have the 
permissions given in
the ACL.  So if this is a multi-user machine with other users this may 
not be a good idea.
For machines strictly in a server role this can work fine.

Earl Shannon

Bastian wrote:

> Hello all,
> I am running an unattended daemon process that needs access to the AFS 
> filespace.
> I have some scripts running from /etc/init.d/ under a specific user, 
> getting the kerberos credentials, getting the tokens and then running 
> the process. This works fine... until the tokens expire.
> In this case, losing access to the files under /afs makes the process 
> abort. I tried to keep the process running, by using a cron-job under 
> the same user, that gets fresh credentials and tokens. Still, the 
> process aborts the moment the original tokens expire.
> As far a I understand, the process should retain access to /afs, using 
> the new tokens, because tokens created by daemon processes are bound 
> to the user only.  I assumed that processes started from init.d and 
> processes started from cron that run under the same user share the 
> tokens.
> Does anyone know why this doesn't work? Or is there a better way to do 
> this?
> I am using Debian 4.0, Kerberos5 1.4.4 and OpenAFS 1.4.2
> Thanks in advance.
> Bastian
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info