[OpenAFS] upgrade caused script to stop working correctly
Jared Smith
sjaredj@rfpdepot.com
Fri, 27 Jun 2008 11:28:39 -0600
John Koyle wrote:
> Jared Smith wrote:
>
>> I am upgrading each of my developers' testing environments and have
>> upgraded from Kubuntu Edgy to Kubuntu Hardy. In doing so the afs
>> client is behaving differently. On Edgy I ran a customized init
>> script (afstokengrabber.sh) during boot that called another script
>> (reauth.pl) that obtained a kerberos ticket and afs tokens for my
>> apache/tomcat user (wwwrun) and renewed them about every 4 hours. I
>> do this because the web application is stored in their home dir which
>> is on AFS. This all worked fine. Afstokengrabber.sh runs as root and
>> has this line that calls reauth.pl
>>
>> start-stop-daemon --start -c wwwrun --exec /var/lib/wwwrun/reauth.pl
>>
>> reauth.pl has these two main lines in it
>>
>> kinit -k -t /var/lib/wwwrun/devuser.keytab devuser
>> aklog
>>
>> this worked great in Edgy, wwwrun would get its tickets and tokens,
>> tomcat could access the webapp stored in afs, everyone was happy. Now
>> that I upgraded to Hardy and set things up the same the behavior
>> changes. Now wwwrun user gets kerberos tickets but root user gets the
>> tokens. I can't for the life of me get wwwrun user to get tokens. I
>> tried using k5start as well but got the same results, root got tokens
>> while wwwrun got tickets. I am not an afs guru but I think it has
>> something to do with the PAG. I tried using pagsh in the scripts to
>> somehow get it to work but no results. Wondering if anyone has
>> suggestions of how to get around my obstacle.
>> In a nutshell I need the apache/tomcat user to constantly have a
>> ticket and token so it can access the webapp stored on afs. I need
>> the token to work across different console sessions so they don't have
>> to worry about keeping a certain one up and running. It works
>> perfectly now. I am assuming that some improvements to the afs client
>> have changed how things run now, all I need to do is adjust my scripts
>> but I have run out of ideas. Hope someone out there understands my
>> gibberish and has an idea for me. I know the answer is probably
>> staring me in the face I just can't see it.
>>
>
> I had a similar issue recently. We solved it by switching to Russ
> Albery's (thanks Russ!) pam_krb5 and pam-afs-session modules from here:
> http://www.eyrie.org/~eagle/software/
>
> and then setting up the common-session pam stack as follows so that
> PAGs are not created for sessions on that host.
>
> session optional pam_afs_session.so nopag retain_after_close
>
> HTH,
> John
>
I kept the pam_krb5 and pam-afs-session that came with Hardy and made
the change to common-session and it worked!! Now I need someone who can
re-attach all the hair I pulled out last night trying to figure it out
on my own :)
Thanks John
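
The following is an added example, not part of the original thread: a small audit of a PAM stack for the `pam_afs_session.so` line discussed above. With `nopag`, tokens are tied to the UID rather than to a per-session PAG, so every process running as that UID on the host shares them, which is worth knowing per host. The function names and the sample stack are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report how pam_afs_session is
# configured in a PAM stack file such as /etc/pam.d/common-session.
# Output, one line per active entry:
#   <type> <control> pag=<yes|no> retain_after_close=<yes|no>

# Reads the file named in $1, or stdin when no argument is given.
afs_session_audit() {
    awk '
    {
        sub(/#.*/, "")                 # PAM treats "#" to end of line as a comment
        if (NF == 0) next
        found = 0; pag = "yes"; retain = "no"
        for (i = 1; i <= NF; i++) {
            if (!found && $i ~ /(^|\/)pam_afs_session\.so$/) { found = i; continue }
            if (found && $i == "nopag") pag = "no"
            if (found && $i == "retain_after_close") retain = "yes"
        }
        if (!found) next
        # The control field may be bracketed and contain spaces, so join
        # everything between the type and the module path.
        ctl = ""
        for (j = 2; j < found; j++) ctl = ctl (j > 2 ? " " : "") $j
        printf "%s %s pag=%s retain_after_close=%s\n", $1, ctl, pag, retain
    }' "${1:--}"
}

# Exit status 0 when a session entry disables PAG creation, meaning
# tokens on this host are shared by every process of the same UID.
afs_session_shares_tokens() {
    afs_session_audit "${1:--}" | grep -q '^session .* pag=no '
}

# Constructed sample stack, modelled on the line quoted in the thread.
sample_stack() {
    cat <<'EOF'
# constructed sample of a common-session stack
session required pam_unix.so
session optional pam_krb5.so
session optional pam_afs_session.so nopag retain_after_close
#session optional pam_afs_session.so
EOF
}

sample_stack | afs_session_audit
```

On a real host, pass the stack file as the argument, for example `afs_session_audit /etc/pam.d/common-session`.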