On 2011-01-17 at 16:17, Stephen Quinney ( [email protected] ) said:
I am having some problems with trying to use k5start to maintain a
Kerberos credential cache for a long-running daemon. In particular,
it's maintaining the AFS tokens which is problematic.

I noticed on http://www.eyrie.org/~eagle/software/kstart/todo.html,
the following comment on the k5start todo list:

"Add a flag saying to start a command in a PAG and with tokens and
then keep running even if the command exits. This would be useful to
spawn a long-running daemon inside a PAG and then maintain its tokens,
even if k5start and the daemon then become detached and have to be
stopped separately."

I have a daemon which detaches but which needs to access AFS
directories. Running k5start in the background works great for
maintaining the Kerberos cache (which is also needed for DB access);
it's just AFS which is causing problems. So this sounds like exactly
what I need to do. Given that this isn't currently possible with
k5start, can you suggest the best way to go about achieving the same
thing?

Just start the whole thing inside pagsh.

Then we use these options to k5start:

/usr/bin/k5start -b -K 10 -l 14d -p /var/run/$prog-k5start.pid -f $keytab -k $ccname -t $princ2

Where $keytab is obvious, $ccname = /tmp/krb5cc_k5start_wrapped-$prog, and
$princ2 = -U or $print@$realm (depending on k5start version).

That's taken almost directly from our k5start-wrapper script, which we use to wrap init scripts under /etc/init.d/. You create /etc/init.d/$prog-afs, set a couple of variables like $keytab, then source k5start-wrapper.

--andy
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
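
As an added illustration of the reply above (not the k5start-wrapper script it mentions, and not part of the original thread), this sketch builds the same k5start command line and starts it together with the daemon inside pagsh. The function names, the keytab permission check, the KRB5CCNAME export and the daemon-command argument are assumptions.

```shell
#!/bin/sh
# Added sketch; assumes argument values contain no whitespace.

# Print the k5start command line from the reply.
# $1 = prog, $2 = keytab, $3 = principal ("" selects -U)
k5start_cmd() {
    ccname="/tmp/krb5cc_k5start_wrapped-$1"
    if [ -n "$3" ]; then princ2=$3; else princ2=-U; fi
    printf '%s' "/usr/bin/k5start -b -K 10 -l 14d -p /var/run/$1-k5start.pid -f $2 -k $ccname -t $princ2"
}

# Added precaution (not in the reply): accept the keytab only if it is a
# regular file with no group/other permission bits set.
keytab_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = prog, $2 = keytab, $3 = principal or "", $4 = daemon command
start_wrapped() {
    keytab_ok "$2" || {
        echo "refusing to start: $2 missing or readable by group/other" >&2
        return 1
    }
    # pagsh creates a new PAG. k5start -b obtains tickets and tokens, then
    # backgrounds itself, so the daemon starts in the same PAG with tokens
    # already present. KRB5CCNAME (assumption) points the daemon at the
    # cache that k5start keeps renewing.
    KRB5CCNAME="/tmp/krb5cc_k5start_wrapped-$1" \
        pagsh -c "$(k5start_cmd "$1" "$2" "$3") && exec $4"
}
```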
