Hello Lai Yiu Fai,

How are you? ;-)

How do you re-authenticate? Do you use the example from:
    /afs/transarc.com/public/afs-contrib/tools/reauth/

How do you arrange for your daemon to share AFS identity with
your re-authenticating daemon? Is this by sharing the same PAG
(preferred) or Unix UID? If by UID, has another process with
the same UID unlogged?

IMHO, having a long ticket lifetime for an admin account is not good
unless you are always careful to "unlog" when you no longer need the ticket.
(Data structures used to store ticket details can rapidly accumulate,
especially when created via daemon klogs.)

You will find AIX examples of re-authenticating daemons for sendmail
in "auth-sendmail" [1] and for InfoExplorer (on-line documentation for AIX),
and qdaemon (print spooler) in "afs_install" [2]. These use a variation of
the afs-contrib re-auth daemon which syslogs its authentication activity
and share AFS identity via a PAG.

Hope this helps.
--
Goodbye!
paul                             http://acm.org/~mpb/homepage.html

References:

[1] "auth-sendmail"
    ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/auth-sendmail.tar.Z

[2] "afs_install"
    ftp://ftp.transarc.com/pub/afs-contrib/tools/afs_install/afs_install.tar


Lai Yiu Fai <[EMAIL PROTECTED]> wrote:
>
>Hi,
>
>I'm running Solaris 2.5 with the 3.4a sun4x_55 distribution and need to
>associate AFS tokens with a running daemon.  I have programs to klog at
>root to acquire the token and make 'root' uid with 'admin' token.  However,
>the token disappears before it should expire.  I set the
>admin's max lifetime to 720 hours, but it seems to disappear after
>1 or 2 days, or even several hours.  Has anybody come across this problem?
>How can it be overcome?  Would it help if I set the max. lifetime to a
>smaller value and re-authenticated more frequently?
>
>As the daemon will fork other processes and setuid to the user to run the
>user's program, there is a security concern if I associate the tokens with
>a PAG instead of the uid.
>
>Thanks!
>=======================================================================
>Lai Yiu Fai                       |  Tel.:       (852) 2358-6202
>Centre of Computing Services      |  Fax.:       (852) 2358-0967
> & Telecommunications             |  E-mail:     [EMAIL PROTECTED]
>                                  |
>The Hong Kong University of       |  Clear Water Bay,
>Science & Technology              |  Kowloon, Hong Kong.
