[OpenAFS] Cron, script and keytab on Ubuntu x86
Thu, 15 Feb 2007 10:29:05 -0800
Jacob Volstrup <firstname.lastname@example.org> writes:
> With klist I got the information needed to find out that a new cronjob
> is running within the same environment as the previous cronjob (as my
> suspicion was telling me). This kind of explains why the token does not
> remain for the first occurrence of the cronjob.
> Now I just have to find out how to let each cronjob run in their very
> own environment. I have been looking at my pam configuration but cannot
> seem to find any errors or solutions. Maybe I need another option in my
> pam configuration?
Your problem, specifically, is:
> # /etc/pam.d/common-session
> session optional pam_krb5.so
> session optional pam_openafs_session.so
> session required pam_unix.so
pam_openafs_session will blow away tokens acquired by cron jobs when the
PAM session for the cron job closes.
You have a few options. One is that you could use k5start inside your
cron job, since it creates a new PAG and then runs the command with
tickets and tokens inside that PAG. See:
Another option is to run your script inside pagsh, which will create a new
PAG and then exec /bin/sh (so you can use it on the #! line of a script,
but not a Perl script of course).
A third option is to use the AFS Perl module and call its setpag function
in your script to put your script in a new PAG. We do this a lot.
A fourth option would be to replace pam_openafs_session with
It doesn't have this problem. It only destroys tokens if it created
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>