[EMAIL PROTECTED] (Hope Goering) writes:
> We are using an application called Networker from Legato
> Systems to backup our UNIX machines. We would like to
> have all of our user data which is in AFS volumes be
> backed up using this software. Our problem is that
> the Networker routines run nightly as root and root is
> not an administrative AFS user. Some of the AFS
> directories do not have the necessary read permissions
> for Networker to back them up.
Hope,
This is a *very* common issue for new AFS sites: root doesn't have
implicit read access to all AFS files as it does for local files.
Many daemon programs need complete read access to the filesystem and
assume that being run by root is sufficient. One of our customers
worked with an AFS Product Support Rep on a wrapper script that
provides the appropriate authentication to long-running daemons. This
is a general solution that you can reuse for just about any daemon.
I've just now put this into the AFS-Contrib area, but will also
include it at the end of this message. The AFS-Contrib area is
available via AFS or anonymous FTP:
AFS: /afs/transarc.com/public/afs-contrib/
FTP: grand.central.org:/pub/afs-contrib/
You can find the wrapper script and documentation in the directory:
.../afs-contrib/tools/reauth-example/README
For those following the discussion of "pagsh" usage, you'll see an
interesting way to run "klog" within the new shell created by "pagsh"
using shell input redirection.
Joe Jackson,
AFS Product Support,
Transarc Corp.
______________________________________________________
IBM-BocaDT was looking for a way to authenticate some of the daemons
that run on their workstation/AFS clients. They have a secure
network, and they're not concerned about having a 'super-user'
password lying around on local disk. Also, they're willing to create
an 'afs_root' account that will have access to all AFS directories.
Bill Amaro and I came up with a solution that's simple and seems to work
(minimal testing here).
The main script is shown immediately below. It starts a pagsh, which
klogs and then runs two other programs.
- First, the daemon to be run with a token is started in the
background. Since it is a child of the main script, it inherits the
PAG and the associated tokens of its parent.
- Second, a reauthentication program is started which will refresh the
token just before it expires. A sample script that performs the
reauthentication is included below, but you could also use the
"reauth" program available in the afs-contrib area
(../reauth/reauth.c).
The last program is a test daemon that can be used to verify that the
scripts are functioning properly. Note that the scripts intentionally
obtain a 10 minute token and refresh it only every 15 minutes. This
helps demonstrate that reauthd is working correctly. For production
use, the token lifetime should be large (25 hours) and reauthd should
renew tokens every 24.5 hours or so.
au-script:
#!/bin/sh
# This script can be used to start various processes in a pagsh. Any
# process started here will have PAG-based tokens, therefore not
# susceptible to root users authenticating or unlogging.
# The here-document delimiter is quoted so that the outer shell does not
# expand the backquotes below; everything between the markers is run by
# the shell inside the new PAG.
pagsh << '==EOF=='
echo -n "GROUPS: "
groups
echo -n "BEFORE KLOG: "
/usr/afsws/bin/tokens
# klog -pipe reads the password from stdin, so it never appears on a
# command line.
cat /tmp/.pwd | /usr/afsws/bin/klog afs_root -pipe -lifetime 00:10:00
echo -n "AFTER KLOG: "
/usr/afsws/bin/tokens
echo "STARTING DAEMON testopen"
./testopen &
sh reauthd # Or use "reauth 900 afs_root `cat /tmp/.pwd`"
==EOF==
reauthd:
#!/bin/sh
# This script sleeps, then wakes up and re-klogs. The sleep time is
# intentionally set higher than the token lifetime for testing purposes.
# (Written in Bourne-shell syntax, since au-script runs it with "sh".)
echo REAUTHD started at `date`
while :
do
    sleep 900 # 15 minutes
    cat /tmp/.pwd | /usr/afsws/bin/klog afs_root -pipe -lifetime 00:10:00
    echo REAUTHD restored tokens
done
testopen.c:
/* testopen.c
 * This is the test program that tries to open a file in AFS once a
 * minute for TOKEN_LIFE minutes and records each attempt in a log file.
 */
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* sleep() */

#define TOKEN_LIFE 20

FILE *fd, *log;
int i = 0;
char *testfile = "/afs/transarc.com/usr/hamel/private/test-file";

int main(void) {
    if ((log = fopen("/tmp/logfile", "w")) == NULL) {
        printf("Can't open log file\n");
        exit(-1);
    }
    printf("Opened log\n");
    while (i < TOKEN_LIFE) {
        i++;
        /* The open fails once the process no longer holds a valid token
         * (assuming the ACL does not grant write to system:anyuser). */
        if ((fd = fopen(testfile, "w")) == NULL)
            fprintf(log, "%3d: couldn't open %s\n", i, testfile);
        else {
            fclose(fd);
            fprintf(log, "%3d min: Open/close OK for %s\n", i, testfile);
        }
        fflush(log);
        sleep(60);
    }
    return 0;
}
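The reauthd loop above in production-oriented Bourne-shell form, as an added example that is not part of the original post or of the afs-contrib tools: the sleep interval is derived from the token lifetime (25 hours gives the 24.5-hour renewal the text recommends) instead of being hard-coded, and the password file is refused unless it is mode 0600. The klog path, password file and principal are taken from the scripts above and are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post). Paths below are assumptions.
KLOG=${KLOG:-/usr/afsws/bin/klog}
PWD_FILE=${PWD_FILE:-/tmp/.pwd}
AFS_USER=${AFS_USER:-afs_root}

# Convert a lifetime in seconds to klog's hh:mm:ss form (90000 -> 25:00:00).
lifetime_arg() {
    s=$1
    printf '%02d:%02d:%02d' $((s / 3600)) $((s % 3600 / 60)) $((s % 60))
}

# Seconds to sleep between renewals: the lifetime minus a 30-minute margin
# for long tokens, or half the lifetime for short ones, so the daemon is
# never left holding an expired token (the test scripts above deliberately
# sleep longer than the lifetime; that is for testing only).
refresh_interval() {
    life=$1
    if [ "$life" -gt 3600 ]; then
        echo $((life - 1800))
    else
        echo $((life / 2))
    fi
}

# Refuse a password file readable by anyone but its owner (mode 0600).
pwd_file_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# One renewal: the password goes to klog on stdin, never on the command line.
renew_token() {
    "$KLOG" "$AFS_USER" -pipe -lifetime "$(lifetime_arg "$1")" < "$PWD_FILE"
}

# Run inside the pagsh started by au-script, e.g.: reauth_loop 90000 &
reauth_loop() {
    life=$1
    pwd_file_ok "$PWD_FILE" || { echo "refusing: $PWD_FILE must be mode 0600" >&2; return 1; }
    while :; do
        renew_token "$life" || echo "klog failed at $(date)" >&2
        sleep "$(refresh_interval "$life")"
    done
}
```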