[OpenAFS] k5start and AFS tokens

Benjamin Kaduk kaduk@MIT.EDU
Fri, 26 Sep 2014 17:11:08 -0400 (EDT)


On Fri, 26 Sep 2014, Jaap Winius wrote:

> Quoting Benjamin Kaduk <kaduk@MIT.EDU>:
>
> > Passing -t tells k5start to literally run 'aklog' (unless AKLOG is set in
> > the environment), not /path/to/long-running-command, when it gets tickets.
>
> Well, that's all I want it to do, in addition to keeping a Kerberos ticket
> alive.
>
> In the meantime, I've actually succeeded in doing what I want, but only for
> root:
>
>  KT:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h -t
>
> This creates a Kerberos TGT, an AFS service ticket and -- thanks to the -t
> option -- an AFS token. Now, how can I do this for a user other than root?

I think this is still in the "wrong" paradigm.  (I mean, if it works for
you, don't go changing it just because I said so.)

The k5start mindset is to avoid having to have a separate periodic process
that prepares tickets/tokens for some independent process to consume --
instead, the process consuming the tickets/tokens is a child process,
wrapped by k5start.  Thus, the k5start invocation should be placed at the
same location as the invocation of the consumer of the tickets/tokens, and
k5start will fork/exec the consumer process.  That way the two processes
are related to each other and it's much easier to get them in the same
PAG/session keyring/etc.


-Ben
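The wrapping paradigm Ben describes, as an added example that is not part of the thread: a small POSIX sh wrapper that makes the long-running service a child of k5start instead of having a separate respawned k5start populate tickets and tokens for it. The k5start options used (-U, -f, -K, -l, -t and the `--` command separator) are real k5start options; the script name run-with-tokens.sh, the values 10 minutes and 24h (taken from the quoted inittab line) and the consumer /usr/sbin/mydaemon are hypothetical sample input.

```shell
#!/bin/sh
# run-with-tokens.sh (hypothetical name): wrap a long-running service in
# k5start so the service is k5start's child.  Because k5start fork/execs the
# consumer, both processes share the ticket cache, PAG and session keyring
# k5start set up, and "-t" makes k5start run aklog whenever it obtains a
# new TGT.  Contrast with a bare "k5start -U -f ... -t" under inittab, where
# the consumer is an unrelated process that merely hopes to find tokens.
#
# Usage: run-with-tokens.sh KEYTAB REFRESH_MIN LIFETIME CMD [ARGS...]
# Set DRY_RUN=1 to print the k5start command line instead of exec'ing it.

# build_k5start_cmd KEYTAB REFRESH_MIN LIFETIME CMD [ARGS...]
# Prints the k5start argv, one argument per line, that wraps CMD:
#   -U  take the client principal from the keytab
#   -f  keytab to authenticate with
#   -K  re-check/renew the ticket every REFRESH_MIN minutes
#   -l  requested ticket lifetime
#   -t  run aklog after obtaining tickets (AFS token)
#   --  everything after this is the consumer command
build_k5start_cmd() {
    keytab=$1; refresh=$2; lifetime=$3; shift 3
    printf '%s\n' k5start -U -f "$keytab" -K "$refresh" -l "$lifetime" -t -- "$@"
}

# check_inputs KEYTAB CMD: fail early with a clear message if the keytab is
# unreadable or the consumer is not executable, rather than letting init
# respawn a k5start that dies immediately.
check_inputs() {
    [ -r "$1" ] || { echo "keytab $1 not readable" >&2; return 1; }
    command -v "$2" >/dev/null 2>&1 || { echo "command $2 not found" >&2; return 1; }
}

main() {
    [ $# -ge 4 ] || { echo "usage: $0 KEYTAB REFRESH_MIN LIFETIME CMD [ARGS...]" >&2; exit 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        build_k5start_cmd "$@" | tr '\n' ' '; echo
        exit 0
    fi
    check_inputs "$1" "$4" || exit 1
    keytab=$1; refresh=$2; lifetime=$3; shift 3
    # exec so that k5start replaces this shell; the service is then a direct
    # child of k5start and of whatever (inittab, systemd) started the wrapper.
    exec k5start -U -f "$keytab" -K "$refresh" -l "$lifetime" -t -- "$@"
}

# Only run main when executed as the script, not when sourced for testing.
case "$0" in */run-with-tokens.sh|run-with-tokens.sh) main "$@";; esac
```

Under inittab this replaces the quoted respawn line with one that names the consumer, e.g. `KT:2345:respawn:/usr/local/sbin/run-with-tokens.sh /etc/krb5.keytab 10 24h /usr/sbin/mydaemon --foreground`, so the respawned unit is the k5start/service pair rather than k5start alone.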