[32627] in Kerberos
Re: Question on k5start daemon-related example in k5start manual
daemon@ATHENA.MIT.EDU (Holger Rauch)
Thu Sep 2 08:31:09 2010
Date: Thu, 2 Sep 2010 14:30:55 +0200
From: Holger Rauch <holger.rauch@empic.de>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20100902123055.GA4413@heitec.de>
In-Reply-To: <87k4n6o93k.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu

Hi Russ,

thanks a lot for your detailed explanation. What I forgot to mention:

- I initially log in to the box (NFSv4 client) via ssh, which causes
  the following

  *) Kerberos tickets are obtained
  *) the home dir is mounted with automount via NFSv4

- From that interactive shell I would like to use k5start as a wrapper
  so that the process(es) started via their init script can still write
  to the NFSv4 file system and don't get "Permission denied" when the
  tickets expire. That means, I'm dependent on a main functionality
  of k5start (if I get it right): the ticket lifetime is constantly
  renewed at regular intervals, so that the renewed ticket actually never
  reaches the maximum ticket lifetime. Otherwise, I would have to
  restart the server process manually each and every day and this
  would be sort of awkward...

Is it possible to run daemon-like processes indefinitely (provided
there's no core dump etc.) using k5start? (Sorry for explicitly asking
this, but it's not clear to me from the examples I've come across on
your home page).

Do I have to take any additional measures when a daemon accesses an
NFSv4 mounted filesystem via automount (That is, do I have to add
additional principals to my keytab file)? (Currently, only the
corresponding user principal is in there).

Thanks in advance for any advice.

Kind regards,

Holger