Fwd: [OpenAFS] "reauth" code?

Gary Gatling gsgatlin@ncsu.edu
Fri, 31 Aug 2012 13:56:41 -0400



On Fri, Aug 31, 2012 at 12:27 PM, Russ Allbery <rra@stanford.edu> wrote:
> Yup, that's what we do here for cron jobs (primarily for web applications,
> not for compute tasks).  We have a cron service that creates a /cron
> principal for the user and runs jobs with tickets and tokens for that
> principal.  The user can then add ACLs in AFS on appropriate directories.


Ok, I have a better idea of the problem... Perhaps this can help with the
suggested solution?

We have a cron server that runs two jobs with a certain account.  I have
discovered its name and its password and have successfully become that
account with "klog" in a pagsh. The account has cell tokens.

All that job #1 does is check membership of certain pts groups in our cell.
It stores this in a database.

The other job, #2, either uses pts adduser or pts removeuser to modify
certain pts groups to control access when new lockers are created by other
scripts programmatically. As far as the other scripts...


The process is started from a web form, and then at the step when volumes
are needing to be created, scripts are run by administrators with cell
admin tokens after an initial sanity check. The cron job needs to modify
pts groups because students/accounts can add/drop classes and some already
created volumes in the path to the final destination volume will need to
have their access controls modified. So we use pts groups for that.

This was set up by folks who don't work here anymore, hence using "reauth."

The cron servers are on Solaris 8 and RHEL 4 so they must die and be RHEL 6
servers. :)

So will I still need to create a keytab for this account? Is there a good
FAQ on how to do that step if I know the account name and password?

Thanks so much!

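Added example, not part of the thread and not OpenAFS or NCSU code: the keytab-based setup that the quoted reply describes and the final question asks about. It assumes MIT Kerberos (ktutil, kinit, kvno, kdestroy) and OpenAFS (pagsh, aklog, tokens, unlog) as shipped on RHEL 6; the principal cron/afs@EXAMPLE.EDU, the paths /etc/afs-cron.keytab and /usr/local/sbin/update-pts-groups, and the kvno/enctype values are hypothetical. Because the account's password is known, the keytab is built with ktutil's addent -password, which keeps the password unchanged; kadmin's ktadd would also work but randomizes the key and so would break anything else still using that password.

```shell
#!/bin/sh
# Added example (not from this thread or from OpenAFS): replace a
# password-based "reauth" cron setup with a keytab.  Assumes MIT Kerberos
# and OpenAFS command-line tools as found on RHEL 6.  Principal, realm,
# kvno, enctype and paths are hypothetical.

# ktutil_commands PRINC KVNO ENCTYPE OUTFILE
# Emit the ktutil(1) session that turns a known password into a keytab
# entry.  The password is read from this function's stdin, never placed on a
# command line where ps(1) could show it.  KVNO and ENCTYPE must match what
# the KDC holds for PRINC (see make_keytab), or "kinit -k" will fail.
ktutil_commands() {
    princ="$1"; kvno="$2"; etype="$3"; out="$4"
    read -r pw
    printf 'addent -password -p %s -k %s -e %s\n%s\nwkt %s\n' \
        "$princ" "$kvno" "$etype" "$pw" "$out"
}

# keytab_ok FILE: accept the keytab only if it is a regular file that nobody
# but its owner can read.  A keytab is a long-lived credential; this is the
# check a cron wrapper should make before using one.
keytab_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in   # group+other permission bits
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# make_keytab PRINC KVNO ENCTYPE OUTFILE: one-off, interactive setup step.
# Find KVNO and ENCTYPE first with an ordinary password login; the service
# ticket for PRINC is encrypted in PRINC's own key, so "klist -e" shows
# its enctype and "kvno" its version:
#   kinit cron/afs@EXAMPLE.EDU && kvno cron/afs@EXAMPLE.EDU && klist -e
make_keytab() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo
    (umask 077; ktutil_commands "$@" | ktutil)   # keytab is created 0600
    rc=$?
    stty echo; echo >&2
    return $rc
}

# run_job KEYTAB PRINC COMMAND: what cron calls.  A fresh PAG keeps the AFS
# token private to this job, and the trap discards token and ticket when the
# job ends, whether or not it succeeded.  Returns 2 without touching the KDC
# if the keytab is missing or readable by anyone else.
run_job() {
    kt="$1"; princ="$2"; cmd="$3"
    keytab_ok "$kt" || {
        echo "run_job: refusing keytab $kt (missing or not mode 0600)" >&2
        return 2
    }
    cc=$(mktemp /tmp/krb5cc_cron.XXXXXX) || return 2   # private ccache
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    JOB_KT="$kt" JOB_PRINC="$princ" JOB_CMD="$cmd" pagsh -c '
        trap "unlog; kdestroy" EXIT
        kinit -k -t "$JOB_KT" "$JOB_PRINC" || exit 3
        aklog || exit 4
        sh -c "$JOB_CMD"
    '
}

# Hypothetical crontab line for job #2 from the message above:
#   */15 * * * * /usr/local/sbin/afs-cron-job run /etc/afs-cron.keytab \
#       cron/afs@EXAMPLE.EDU /usr/local/sbin/update-pts-groups
case "${1:-}" in
    keytab) shift; make_keytab "$@" ;;
    run)    shift; run_job "$@" ;;
esac
```

To check the keytab once it exists, run the wrapper with "tokens" as the job (run_job /etc/afs-cron.keytab cron/afs@EXAMPLE.EDU tokens): it should print an AFS token for the cell and then leave no ticket or token behind. If kinit -k reports a preauthentication or key-version failure, the kvno or enctype in the keytab does not match the KDC; redo make_keytab with the values from kvno and klist -e rather than guessing.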