On Fri, 26 Sep 2014, Jaap Winius wrote:

> Quoting Benjamin Kaduk <[email protected]>:
>
> > Passing -t tells k5start to literally run 'aklog' (unless AKLOG is set in
> > the environment), not /path/to/long-running-command, when it gets tickets.
>
> Well, that's all I want it to do, in addition to keeping a Kerberos ticket
> alive.
>
> In the meantime, I've actually succeeded in doing what I want, but only for
> root:
>
> KT:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h -t
>
> This creates a Kerberos TGT, an AFS service ticket and -- thanks to the -t
> option -- an AFS token. Now, how can I do this for a user other than root?

I think this is still in the "wrong" paradigm. (I mean, if it works for you, don't go changing it just because I said so.)

The k5start mindset is to avoid having to have a separate periodic process that prepares tickets/tokens for some independent process to consume -- instead, the process consuming the tickets/tokens is a child process, wrapped by k5start. Thus, the k5start invocation should be placed at the same location as the invocation of the consumer of the tickets/tokens, and k5start will fork/exec the consumer process. That way the two processes are related to each other and it's much easier to get them in the same PAG/session keyring/etc.

-Ben
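
Added example (not part of the message above and not code from the k5start project): a POSIX sh function that starts the consumer as a child of k5start, as the reply describes, reusing the options from the inittab line quoted in the thread. The function name, the keytab permission check and whatever paths are passed in are assumptions for illustration; it is meant to be called by the account that owns the keytab.

```shell
#!/bin/sh
# Added example: launch the ticket/token consumer as a child of k5start
# instead of running k5start as a separate, unrelated respawn entry.
# Keytab path and consumer command are supplied by the caller (hypothetical).

run_under_k5start() {
    if [ "$#" -lt 2 ]; then
        echo "usage: run_under_k5start KEYTAB COMMAND [ARGS...]" >&2
        return 2
    fi
    keytab=$1
    shift

    # The calling (non-root) user must be able to read its own keytab.
    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab is not readable by $(id -un)" >&2
        return 1
    fi

    # A keytab holds long-term keys: refuse it if group or others have
    # any permission bit set (characters 5-10 of the ls mode string).
    perms=$(ls -ld "$keytab" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "keytab $keytab is accessible to group or others" >&2
        return 1
    fi

    # Same options as the inittab line in the thread; everything after
    # "--" is the consumer, which k5start fork/execs as its child.
    k5start -U -f "$keytab" -K 10 -l 24h -t -- "$@"
}

# Stand-alone use: script.sh KEYTAB COMMAND [ARGS...]
if [ "$#" -ge 2 ]; then
    run_under_k5start "$@"
fi
```
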
