After running "k5start -t -f keytab principal_for_httpd bash", run "id" and look at the groups entries. If you have a new PAG, then you'll see a group with a high GID (like 10 digits), but no name.
Here is a snippet of my "id" output:

uid=12345(jwedgeco) gid=500(domain users) groups=500(domain users),3455(linux-team),999(all-users),1095560020 context=...

In the above output, 1095560020 is the temporary fake group gid associated with my PAG.

The other way to see if it has a new PAG is to run two kstart commands a few seconds apart in separate windows and compare the "tokens" command output to make sure they are different.

Jason

---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
[email protected] | http://engr.uncc.edu | Facebook
---------------------------------------------------------------------------

On Tue, Jul 11, 2017 at 10:12 AM, Andreas Ladanyi <[email protected]> wrote:
> Hi Jason,
>
> Hi Andreas,
>
> Getting systemd, apache, and kstart to play nice took a little bit of
> work. I have included a sanitized copy of my Apache systemd unit file. Be
> sure to modify the ExecStart line to have the correct keytab location and
> principal name.
>
> I have NOT tested this in selinux enforcing mode, so beware.
>
> selinux is in permissive mode.
>
> I think that kstart does create a new PAG, but I'm not certain. Be sure to
> verify that by running bash via kstart, then running "id" to see if an
> extra high-numbered numeric group appears. If no new PAG is created, then
> you might play with the pagsh command.
>
> k5start -t -f keytab principal_for_httpd bash
>
> results in a new bash shell with the same user id and, because of the -t
> switch, it creates a new AFS service token. A new /tmp/krb5cc.... file is
> created.
>
> How could I verify if a new PAG is created or not?
>
> Thanks for the systemd snippet.
>
> regards,
> Andreas
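As an added example (my own script, not code from either poster), here is a small POSIX sh check that automates the two verifications discussed in this thread: it parses the output of "id" for a nameless numeric group in the PAG range, and compares the output of two separate k5start runs to confirm that the second run got its own PAG rather than inheriting the first. It assumes the Linux group-based PAG encoding, in which the PAG shows up as a single nameless GID in the range 0x41000000-0x41FFFFFF (1090519040-1107296255; Jason's 1095560020 is 0x414CEB54); the older two-GID 0x3f00-0x3fff encoding is not handled. The sample "id" lines are constructed, and the keytab path and principal in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the list thread: check `id` output for a group
# that looks like an OpenAFS PAG, and compare two outputs to see whether
# they carry different PAGs. On a real host, feed it the output of
#   k5start -t -f <keytab> <principal> bash -c id
# (keytab path and principal are placeholders; use your own).
#
# Assumption: the Linux group-based PAG is encoded as one nameless GID in
# the range 0x41000000-0x41FFFFFF. Older kernels used a pair of GIDs in
# 0x3f00-0x3fff instead; that form is not handled here.
PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41FFFFFF

# pag_gid_from_id ID_OUTPUT
# Print the PAG GID and return 0 if the groups= field contains a nameless
# numeric group in the PAG range; print nothing and return 1 otherwise.
pag_gid_from_id() {
    printf '%s\n' "$1" | awk -v min="$PAG_MIN" -v max="$PAG_MAX" '
        {
            s = $0
            # Group names may contain spaces ("domain users"), so isolate the
            # groups= field by cutting at the SELinux context= field, not at
            # the first space.
            if (!sub(/.*groups=/, "", s)) { exit }
            sub(/ context=.*/, "", s)
            n = split(s, g, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", g[i])
                # A real group shows as "gid(name)"; the PAG is a bare number.
                if (g[i] ~ /^[0-9]+$/ && g[i] + 0 >= min + 0 && g[i] + 0 <= max + 0) {
                    print g[i]
                    found = 1
                    exit
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# pag_is_new ID_OUTPUT_A ID_OUTPUT_B
# Return 0 only if both outputs carry a PAG and the two PAGs differ, i.e. the
# second k5start run really got its own PAG instead of inheriting the first.
pag_is_new() {
    a=$(pag_gid_from_id "$1") || return 1
    b=$(pag_gid_from_id "$2") || return 1
    [ "$a" != "$b" ]
}

# Constructed sample `id` lines (not captured from a real host; the SELinux
# context is a typical placeholder, not a real label from the poster's box).
SAMPLE_WITH_PAG='uid=12345(jwedgeco) gid=500(domain users) groups=500(domain users),3455(linux-team),999(all-users),1095560020 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_OTHER_PAG='uid=12345(jwedgeco) gid=500(domain users) groups=500(domain users),3455(linux-team),999(all-users),1095560021 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_NO_PAG='uid=12345(jwedgeco) gid=500(domain users) groups=500(domain users),3455(linux-team),999(all-users)'

for sample in "$SAMPLE_WITH_PAG" "$SAMPLE_NO_PAG"; do
    if gid=$(pag_gid_from_id "$sample"); then
        echo "PAG GID: $gid"
    else
        echo "no PAG group found"
    fi
done
if pag_is_new "$SAMPLE_WITH_PAG" "$SAMPLE_OTHER_PAG"; then
    echo "second run has its own PAG"
fi
```

To use it live, capture `id` from inside each k5start shell (e.g. redirect `k5start -t -f <keytab> <principal> bash -c id` to a file in each window) and pass the two captured lines to pag_is_new; a "no PAG group found" result means the group-based PAG is absent and the pagsh route mentioned in the thread is worth trying.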
