[OpenAFS] k5start and AFS tokens
Sun, 28 Sep 2014 04:44:07 +0200
Quoting Benjamin Kaduk <kaduk@MIT.EDU>:
> On Fri, 26 Sep 2014, Jaap Winius wrote:
>> Are you suggesting that I alter the /etc/init.d/ script that starts
>> up the daemon in question, ...
> That's the general idea, yes. ...
Okay, I figured it out. I altered /etc/init.d/zz by adding the
following line to the do_start function just before the zz daemon is
start-stop-daemon --start --pidfile /run/zz/k5start-zz.pid \
--chuid $USER:$GROUP --exec /usr/bin/k5start -- \
-b -p /run/zz/k5start-zz.pid \
-K 10 -l 24h -k /tmp/krb5cc_107 -o zz \
-L -t -U -f /etc/krb5-zz.keytab
The trick was to add the --chuid option so that k5start is run with
the UID/GID of the zz daemon; otherwise k5start will run aklog as root
and the desired AFS token will not be created (Dirk was correct). In
addition, I created the /run/zz/ directory, owned by the zz user, so
that k5start would be allowed to save the PID file there.
And in case anyone might be wondering, this is what I added to the
do_stop function in /etc/init.d/zz after the zz daemon is stopped:
/usr/bin/sudo -u zz /usr/bin/unlog
/usr/bin/sudo -u zz /usr/bin/kdestroy
start-stop-daemon --stop --pidfile /run/zz/k5start-zz.pid