[OpenAFS] Cron, script and keytab on Ubuntu x86

Jacob Volstrup volstrup@s-et.aau.dk
Thu, 15 Feb 2007 17:02:49 +0100

tor, 15 02 2007 kl. 09:34 -0600, skrev Douglas E. Engert:
> > * The short version *
> > I have a keytab which is used from my cronscript. The script is executed
> > every 5 minutes and has a local non-AFS lockfile to prevent multiple
> > scripts working on data at the same time.
> > For convenience we call the running script R and the starting/checking
> > script S. The S script exits if the lockfile exists, if not it
> > initializes the AFS credentials with kinit and the keytab file and
> > becomes R. When S exits R will loose its AFS credentials, which is the
> > part I just do not understand as I would expect that the different
> > executions of the cronjob have their own running environment.
> Ubuntu has a /etc/pam.d/cron file. It calls common-account and
> common-session. Do you have any pam routines that could be deleting
> the token? It sounds like your job is not run in its own PAG
> so it using a shared PAG for the user the job is running under.
> Some debug options on the pam routines might show something.
> Add some klist and tokens commands to you script might also help.

With klist I got the information needed to find out that a new cronjob
is running within the same environment as the previous cronjob (as my
suspicion was telling me). This kind of explains why the token does not
remain for the first occurrence of the cronjob.

Now I just have to find out how to let each cronjob run in their very
own environment. I have been looking at my pam configuration but cannot
seem to find any errors or solutions. Maybe I need another option in my
pam configuration?

# /etc/pam.d/cron
@include common-auth
auth       required   pam_env.so
@include common-account
@include common-session
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session    required   pam_limits.so

# /etc/pam.d/common-auth
auth    sufficient      pam_krb5.so
auth    required        pam_unix.so nullok_secure use_first_pass

# /etc/pam.d/common-account
account sufficient      pam_krb5.so
account required        pam_unix.so

# /etc/pam.d/common-session
session optional        pam_krb5.so
session optional        pam_openafs_session.so
session required        pam_unix.so

Sincerely, Jacob Volstrup