[OpenAFS] k5start and AFS tokens
Fri, 26 Sep 2014 19:27:28 +0200
How should k5start (kstart 4.1-2 on Debian wheezy) be configured for
/etc/inittab to maintain a Kerberos ticket *and* an AFS token for an
arbitrary server process not running as root?
The -t option seems to do nothing for me, while any command option
placed at the end of the statement only causes another problem that
makes init disable the process after respawning too quickly.

KQ:2345:respawn:/usr/bin/k5start -U -f /etc/zz.keytab -K 10 -l 24h \
    -k /tmp/krb5cc_99 -o zz -t

A Kerberos TGT is created for the zz user (ID 99) along with an AFS
service ticket, but no AFS token appears. However, if I run 'sudo -u
zz aklog' afterwards, the AFS token is created without any problem.

~# k5start -U -f /etc/zz.keytab -k /tmp/krb5cc_99 -o zz -t

A manual test that yields the same result.

~# KINIT_PROG=/usr/bin/aklog ; k5start -U -f /etc/krb5-minidlna.keytab \
    -k /tmp/krb5cc_107 -o minidlna -t

Again, same result (just in case k5start was attempting to start aklog
from the wrong location).

~# k5start -U -f /etc/zz.keytab -k /tmp/krb5cc_107 \
    -o minidlna /root/ma

Here, -t is replaced by a command, /root/ma, a shell script with a
single line: '/usr/bin/sudo -u zz /usr/bin/aklog'. This actually
works, producing a Kerberos TGT, an AFS service ticket and an AFS
token. But all attempts to use this in /etc/inittab have resulted
in fast respawns followed by init disabling it.

Any idea what I'm doing wrong?