[OpenAFS] k5start and AFS tokens

Jaap Winius jwinius@umrk.nl
Sun, 28 Sep 2014 04:44:07 +0200

Quoting Benjamin Kaduk <kaduk@MIT.EDU>:

> On Fri, 26 Sep 2014, Jaap Winius wrote:
>> Are you suggesting that I alter the /etc/init.d/ script that starts
>> up the daemon in question, ...
> That's the general idea, yes. ...

Okay, I figured it out. I altered /etc/init.d/zz by adding the  
following line to the do_start function just before the zz daemon is  
started up:

   start-stop-daemon --start --pidfile /run/zz/k5start-zz.pid \
     --chuid $USER:$GROUP --exec /usr/bin/k5start -- \
     -b -p /run/zz/k5start-zz.pid \
     -K 10 -l 24h -k /tmp/krb5cc_107 -o zz \
     -L -t -U -f /etc/krb5-zz.keytab

The trick was to add the --chuid option so that k5start is run with  
the UID/GID of the zz daemon; otherwise k5start will run aklog as root  
and the desired AFS token will not be created (Dirk was correct). In  
addition, I created the /run/zz/ directory, owned by the zz user, so  
that k5start would be allowed to save the PID file there.

And in case anyone might be wondering, this is what I added to the  
do_stop function in /etc/init.d/zz after the zz daemon is stopped:

   /usr/bin/sudo -u zz /usr/bin/unlog
   /usr/bin/sudo -u zz /usr/bin/kdestroy
   start-stop-daemon --stop --pidfile /run/zz/k5start-zz.pid
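One thing worth adding to a setup like the one above is a pre-flight check before start-stop-daemon launches k5start under --chuid: once k5start runs as the daemon's user, that user needs to own the PID directory (for -p) and be able to read the keytab (for -f), while nobody else on the box should be able to read the keytab at all. The function below is an added example, not code from the post or from the k5start project; the name check_k5start_env and its argument order are my own, and it assumes GNU stat (-c) as found on Debian-style systems like the one the post describes.

```sh
#!/bin/sh
# Pre-flight check for running k5start under the daemon's own UID/GID
# (added example, not from the original post). Arguments:
#   $1 user that k5start will run as (the --chuid user, e.g. zz)
#   $2 that user's primary group
#   $3 directory where k5start writes its PID file (-p)
#   $4 keytab that k5start reads (-f)
# Returns 0 when every check passes, 1 otherwise, printing each problem to stderr.
# Assumes GNU coreutils stat; three-digit modes without setuid/setgid/sticky bits.
check_k5start_env() {
    user=$1; group=$2; piddir=$3; keytab=$4
    rc=0

    # k5start -p needs to create the PID file as the unprivileged user,
    # so the directory has to exist and be owned by that user.
    if [ ! -d "$piddir" ]; then
        echo "missing PID directory $piddir" >&2; rc=1
    elif [ "$(stat -c %U "$piddir")" != "$user" ]; then
        echo "$piddir is owned by $(stat -c %U "$piddir"), not $user" >&2; rc=1
    fi

    if [ ! -f "$keytab" ]; then
        echo "missing keytab $keytab" >&2; rc=1
    else
        mode=$(stat -c %a "$keytab")
        owner=$(stat -c %U "$keytab")
        grp=$(stat -c %G "$keytab")

        # A keytab is a long-term credential: if "other" can read it, any
        # local account can obtain the service principal's tickets.
        case "$mode" in
            *[4567]) echo "$keytab is world-readable (mode $mode)" >&2; rc=1 ;;
        esac

        # The user k5start runs as must still be able to read it: either it
        # owns the file, or it is in the file's group and group-read is set.
        if [ "$owner" != "$user" ]; then
            case "$mode" in
                ?[4567]?) [ "$grp" = "$group" ] || {
                    echo "$keytab is not readable by $user (owner $owner, group $grp)" >&2; rc=1; } ;;
                *) echo "$keytab is not readable by $user (owner $owner, mode $mode)" >&2; rc=1 ;;
            esac
        fi
    fi
    return $rc
}

# Stand-alone use with the values from the post, e.g. from do_start():
#   check_k5start_env zz zz /run/zz /etc/krb5-zz.keytab || exit 1
if [ $# -eq 4 ]; then
    check_k5start_env "$@"
fi
```

Calling it at the top of do_start before the start-stop-daemon line turns a silent "no AFS token appeared" failure into a clear message about which file or directory is wrong, and catches a keytab that was left readable by everyone.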