[OpenAFS] k5start, AFS and long-running daemon

Russ Allbery rra@stanford.edu
Mon, 17 Jan 2011 12:25:37 -0800

Harald Barth <haba@kth.se> writes:

>> I have a daemon which detaches but which needs to access AFS
>> directories. Running k5start in the background works great for
>> maintaining the Kerberos cache (which is also needed for DB access)
>> it's just AFS which is causing problems.

> My guess is that k5start does not start your app in a separate pag.
> Heimdal's kinit can be used as k5start and does give you the pag for
> AFS.

So far as I know, there's nothing in this area that Heimdal's kinit can do
that k5start cannot do, although I'd be very interested to hear if I'm
wrong.  According to the kinit man page, it has exactly the same behavior
as k5start in this case:

     If a command is given, kinit will set up new credentials caches, and
     AFS PAG, and then run the given command.  When it finishes the
     credentials will be removed.

The difficulty here is that starting the command in a PAG is combined with
exiting when the command exits, which doesn't work well for daemons.  For
daemons, you want to run k5start separately, which of course means that it
can't control the PAG for the daemon.  As pointed out by the other reply,
the solution for the time being is to start both k5start and the daemon
inside a shell script that uses pagsh to create a PAG that both will

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
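
The pagsh wrapper approach described in the message above, as an added example that is not part of the original message or of the k5start distribution. The keytab, PID file, ticket cache and daemon paths are hypothetical placeholders, and the paths are assumed to contain no single quotes.

```sh
#!/bin/sh
# Added example: start k5start and a detaching daemon in one shared AFS PAG.
# All paths are hypothetical placeholders; override them via the environment.
KEYTAB=${KEYTAB:-/etc/mydaemon/daemon.keytab}
PIDFILE=${PIDFILE:-/var/run/mydaemon-k5start.pid}
DAEMON=${DAEMON:-/usr/local/sbin/mydaemon}
# One explicit ticket cache so k5start and the daemon (DB access) share it.
KRB5CCNAME=${KRB5CCNAME:-FILE:/var/run/mydaemon.krb5cc}
export KRB5CCNAME

# Emit the commands that must run inside the new PAG.
#   -b      go to the background once the first authentication succeeded
#   -t      run aklog after each ticket fetch, so the PAG gets an AFS token
#   -U -f   authenticate as the first principal found in the keytab
#   -K 10   wake up every 10 minutes and renew the ticket when needed
#   -p      write k5start's PID so an init script can stop it later
inner_script() {
    cat <<EOF
k5start -b -t -U -f '$KEYTAB' -K 10 -p '$PIDFILE' || exit 1
exec '$DAEMON'
EOF
}

# pagsh creates a fresh PAG and runs a shell in it. k5start and the daemon
# are both children of that shell, so they inherit the same PAG and the
# tokens k5start keeps refreshing are the ones the daemon uses.
launch() {
    [ -r "$KEYTAB" ] || { echo "cannot read keytab $KEYTAB" >&2; return 1; }
    pagsh -c "$(inner_script)"
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "start" ]; then
    launch
fi
```

Because k5start performs its first authentication before detaching, a bad keytab stops the launch before the daemon is started without tokens.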