The issue of printing in AFS is almost always the same: what do you
send to the printing daemon? Do you send it the bytes you want to
print or do you just send the file name containing those bytes? If
you send it a file name, you have to be sure that the printing daemon
can read it. Most daemons run with no AFS tokens, so they can't access
directories unless they are open for system:anyuser read access.
Often, printing commands (lpr, lp, enq) have an option that allows
for both modes of operation, though the default behavior varies from
system to system. If you're interested in making your daemons
authenticate to AFS, check out the example scripts in AFS-Contrib:
  /afs/grand.central.org/pub/afs-contrib/tools/reauth-example

Another common problem is setuid printing commands. For instance, the
"enq" command runs as root, daemon, or some such user. If you aren't
using the AFS login and simply issue "klog" to get tokens, those
tokens are associated with your uid. When setuid programs run, they
lose access to your token and often can't read the file name given as
an argument. The solution in this case is to use "pagsh" before
"klog" so that your tokens are transferred to subprocesses
automatically by group membership. This works even if the uid
changes, as for setuid programs.

Joe Jackson,
File Systems Product Support,
Transarc Corp.
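
The choice described above (send the file name or send the bytes), as an added example that is not part of the original answer or of AFS-Contrib. It parses "fs listacl" output to see whether a tokenless daemon could open the file itself; the function names, the afs_print wrapper, the example.org paths and the sample ACL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick a print mode for a file in AFS without widening ACLs.

# Constructed sample of `fs listacl` output for a private directory.
SAMPLE_ACL='Access list for /afs/example.org/user/jdoe is
Normal rights:
  system:administrators rlidwka
  jdoe rlidwka'

# anyuser_can_read: reads `fs listacl <dir>` output on stdin. Succeeds only
# if system:anyuser holds both r (read) and l (lookup) under "Normal rights"
# and neither right is cancelled under "Negative rights".
# Only this one directory is checked; parent directories are not.
anyuser_can_read() {
    awk '
        /^Normal rights:/   { section = "pos"; next }
        /^Negative rights:/ { section = "neg"; next }
        $1 == "system:anyuser" && section == "pos" { pos = $2 }
        $1 == "system:anyuser" && section == "neg" { neg = $2 }
        END {
            ok = (index(pos, "r") && index(pos, "l") &&
                  !index(neg, "r") && !index(neg, "l"))
            exit (ok ? 0 : 1)
        }'
}

# print_mode: prints "name" when a tokenless daemon could open the file by
# name, "bytes" when the contents must come from the user's own process.
# Empty or unparsable input falls back to "bytes".
print_mode() {
    if anyuser_can_read; then echo name; else echo bytes; fi
}

# afs_print FILE: hypothetical wrapper around lpr. In "bytes" mode the
# user's shell opens the file with the user's own token and lpr only sees
# stdin, so neither lpr nor the daemon has to read AFS.
afs_print() {
    file=$1
    dir=$(dirname -- "$file")
    if [ "$(fs listacl "$dir" 2>/dev/null | print_mode)" = name ]; then
        lpr "$file"
    else
        lpr < "$file"
    fi
}
```

Preferring "bytes" mode keeps private directories closed to system:anyuser, which is the alternative to granting the daemon read access.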