[OpenAFS] k5start and AFS tokens

Jaap Winius jwinius@umrk.nl
Fri, 26 Sep 2014 19:27:28 +0200

Hi folks,

How should k5start (kstart 4.1-2 on Debian wheezy) be configured for  
/etc/inittab to maintain a Kerberos ticket *and* an AFS token for an  
arbitrary server process not running as root?

The -t option seems to do nothing for me, while any command option  
placed at the end of the statement only causes another problem that  
makes init disable the process after respawning too quickly.

For example:

   KQ:2345:respawn:/usr/bin/k5start -U -f /etc/zz.keytab -K 10 -l 24h \
     -k /tmp/krb5cc_99 -o zz -t

A Kerberos TGT is created for the zz user (ID 99) along with an AFS  
service ticket, but no AFS token appears. However, if I run 'sudo -u  
zz aklog' afterwards, the AFS token is created without any problem.

   ~# k5start -U -f /etc/zz.keytab -k /tmp/krb5cc_99 -o zz -t

A manual test that yields the same result.

   ~# KINIT_PROG=/usr/bin/aklog ; k5start -U -f /etc/krb5-minidlna.keytab \
        -k /tmp/krb5cc_107 -o minidlna -t

Again, same result (just in case k5start was attempting to start aklog  
from the wrong location).

   ~# k5start -U -f /etc/zz.keytab -k /tmp/krb5cc_107 \
        -o minidlna /root/ma

Here, -t is replaced by a command, /root/ma, a shell script with a
single line: '/usr/bin/sudo -u zz /usr/bin/aklog'. This actually
works, producing a Kerberos TGT, an AFS service ticket and an AFS
token. But, all attempts to use this in /etc/inittab have resulted
in fast respawns followed by init disabling it.

Any idea what I'm doing wrong?