[OpenAFS] upgrade caused script to stop working correctly

Jared Smith sjaredj@rfpdepot.com
Fri, 27 Jun 2008 10:55:45 -0600 

I am upgrading each of my developers testing environment and have 
upgraded from Kubuntu Edgy to Kubuntu Hardy.  In doing so the afs client 
is behaving differently.  On Edgy I ran a customized init script 
(afstokengrabber.sh) during boot that called another script (reauth.pl) 
that obtained a kerberos ticket and afs tokens for my apache/tomcat user 
(wwwrun) and renewed them about every 4 hours.  I do this because the 
web application is stored in their home dir which is on AFS.  This all 
worked fine.  Afstokengrabber.sh runs as root and has this line that 
calls reauth.pl

start-stop-daemon --start -c wwwrun --exec /var/lib/wwwrun/reauth.pl

reauth.pl has these two main lines in it

kinit -k -t /var/lib/wwwrun/devuser.keytab devuser
aklog

this worked great in Edgy, wwwrun would get it's tickets and tokens, 
tomcat could access the webapp stored in afs everyone was happy.  Now 
that I upgraded to Hardy and set things up the same the behavior 
changes.  Now wwwrun user gets kerberos tickets but root user gets the 
tokens.  I can't for the life of me get wwwrun user to get tokens.  I 
tried using k5start as well but got the same results, root got tokens 
while wwwrun got tickets.  I am not an afs guru but I think it has 
something to do with the PAG.  I tried using pagsh in the scripts to 
somehow get it to work but no results.  Wondering if anyone has 
suggestions of how to get around my obstacle. 

In a nutshell I need the apache/tomcat user to constantly have a ticket 
and token so it can access the webapp stored on afs.  I need the token 
to work across different console sessions so they don't have to worry 
about keeping a certain one up and running.  It works perfectly now.  I 
am assuming that some improvements to the afs client has change how 
things run now all I need to do is adjust my scripts but I have run out 
of ideas.  Hope someone out there understands my gibberish and has an 
idea for me.  I know the answer is probably staring me in the face I 
just can't see it.

Thanks,
Jared