[hcoop/zz_old/ikiwiki] / PrincipalsForNonHumans.mdwn
Here's the final procedure to follow when installing a service (called "SERVICE" below, e.g. mysql) on a host (called "HOST" below, e.g. deleuze):


1. Create the local user SERVICE in /etc/passwd:

(This is usually already done by the Debian postinst scripts, in the form "adduser --system SERVICE"; --system ensures that the assigned ID is in the range 100 < ID < 1000.)

2. Create the Kerberos principal:
{{{
kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"
}}}

3. Export the principal's keys to /etc/keytabs/SERVICE.HOST and set the file's ownership and mode properly:
{{{
kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
chown SERVICE:wheel /etc/keytabs/SERVICE.HOST
chmod 440 /etc/keytabs/SERVICE.HOST
}}}

4. Create the OpenAFS user SERVICE.HOST.
(Make sure that the UID chosen in AFS is above 1000. You can't use UIDs below 1000 because those are reserved for the local system's IDs, so such UIDs in AFS would mess up the reported Unix ownership of files.)
{{{
pts cu SERVICE.HOST.hcoop.net
}}}

5. Create the OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:
{{{
pts cg SERVICE
pts ad SERVICE.HOST SERVICE
}}}

6. Modify the service's init script in /etc/init.d/ as follows:

* Change the shell at the top of the script to "#!/usr/bin/pagsh.openafs"

* Change the start-stop-daemon invocation in the 'start' action:
{{{
start-stop-daemon --start --pidfile $PIDFILE \
-c SERVICE:SERVICE \
--exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \
-K 300 -t -p $PIDFILE \
<The original start command>
}}}

* Or, if the service does not use start-stop-daemon itself, you still use it in
the 'start' action to run k5start on a line before <The original start command>,
and later in 'stop' to close it:

* (start):
{{{
start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
-c SERVICE:SERVICE \
--exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
-f /etc/keytabs/SERVICE.`hostname`
sleep 2
}}}
* (stop):
{{{
start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
rm -f /var/run/SERVICE/k5start-SERVICE.pid
}}}

7. Give permissions in AFS space to the group "SERVICE", or to the user "SERVICE.HOST" if the specific instance matters. (Mostly, you just add permissions to "SERVICE".)
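The following audit script is an added example, not part of this wiki page or of hcoop's own tooling: it checks the results of steps 1, 3, 4 and 6 on a host (uid ranges, keytab ownership and mode, the AFS id) and emits the k5start wrapper line from step 6 with SERVICE/HOST filled in. It assumes `pts examine` prints its usual "Name: ..., id: N, ..." line and that the keytab owner is SERVICE:wheel as in step 3.

```shell
#!/bin/sh
# Added example (not from the hcoop wiki): audit helpers for the procedure
# above. Usage: ./audit.sh SERVICE HOST, e.g. "./audit.sh mysql deleuze".

# Step 1: the local uid must lie in the adduser --system range, 100 < uid < 1000.
local_uid_ok() { [ "$1" -gt 100 ] && [ "$1" -lt 1000 ]; }

# Step 4: the AFS uid must be above 1000 so it never shadows a local system id.
afs_uid_ok() { [ "$1" -gt 1000 ]; }

# Step 3: keytab mode must be exactly 0440 (find -perm without +/- matches exactly).
keytab_mode_ok() { [ "$(find "$1" -perm 440)" = "$1" ]; }

# Step 3: keytab owner:group must match, e.g. "mysql:wheel" (fields 3 and 4 of ls -ld).
keytab_owner_ok() { [ "$(ls -ld "$1" | awk '{print $3 ":" $4}')" = "$2" ]; }

# Step 6: emit the k5start wrapper for the init script's 'start' action with
# SERVICE/HOST filled in (the wiki text writes `hostname` in place of HOST).
k5start_start_cmd() {
  printf '%s\n' \
    "start-stop-daemon --start --pidfile /var/run/$1/k5start-$1.pid \\" \
    "  -c $1:$1 \\" \
    "  --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/$1/k5start-$1.pid \\" \
    "  -f /etc/keytabs/$1.$2"
}

# Run the checks against the live host; the return value is the number of failures.
audit_service() {
  svc=$1; host=$2; kt=/etc/keytabs/$svc.$host; fails=0
  if uid=$(id -u "$svc" 2>/dev/null); then
    local_uid_ok "$uid" || { echo "FAIL: local uid $uid of $svc not in (100,1000)"; fails=$((fails + 1)); }
  else
    echo "FAIL: no local user $svc"; fails=$((fails + 1))
  fi
  if [ -f "$kt" ]; then
    keytab_mode_ok "$kt" || { echo "FAIL: $kt is not mode 0440"; fails=$((fails + 1)); }
    keytab_owner_ok "$kt" "$svc:wheel" || { echo "FAIL: $kt is not owned by $svc:wheel"; fails=$((fails + 1)); }
  else
    echo "FAIL: keytab $kt is missing"; fails=$((fails + 1))
  fi
  # AFS side (assumed output format "Name: X, id: N, ..."); only run where pts exists.
  if command -v pts >/dev/null 2>&1; then
    afsid=$(pts examine "$svc.$host" 2>/dev/null | sed -n 's/.*id: \([0-9]*\),.*/\1/p')
    afs_uid_ok "${afsid:-0}" || { echo "FAIL: AFS user $svc.$host missing or id <= 1000"; fails=$((fails + 1)); }
  fi
  return "$fails"
}

if [ "$#" -eq 2 ]; then audit_service "$1" "$2"; fi
```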