Fix all domtool scripts for modern Debian and HCoop practices

* There is no longer any local `domtool' group, use `nogroup' instead and
  chmod files user readable only
* The init scripts assumed `/usr/local/[s]bin' were in `$PATH', which
  is not true on a default Debian install. Rather than require
  customization of system defaults, just use long paths. It would be
  nice if the Makefile supported relocatable installs, but I also want
  a pony for xmas.
* `domtool-admin-sudo' never worked properly. It seems to rely on the
  mistaken assumption that starting a `pagsh' gives you a new
  PAG... when `pagsh' has the unintuitive behavior of adopting the
  current PAG instead of creating a new one if one should
  exist. Things appeared to work since there was always a local
  domtool user, and some interaction between the init scripts
  acquiring tokens outside of a PAG and sudo led to use of the uid
  ticket cache. The solution is just to use `k5start' instead of
  `kinit && aklog'

diff --git a/scripts/domtool-addcert b/scripts/domtool-addcert
index 8d9e295..6e58197 100755 (executable)
--- a/scripts/domtool-addcert
+++ b/scripts/domtool-addcert
@@ -15,7 +15,7 @@ CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$USER.pem
 
 mkdir $KEYDIR || echo Key directory already exists.
 openssl genrsa -out $KEYFILE
 
 mkdir $KEYDIR || echo Key directory already exists.
 openssl genrsa -out $KEYFILE

-chown -R domtool.domtool $KEYDIR
+chown -R domtool.nogroup $KEYDIR

 fs sa $KEYDIR $USER read || echo This must be a server principal.
 echo "." >$KEYIN
 echo "." >>$KEYIN
 fs sa $KEYDIR $USER read || echo This must be a server principal.
 echo "." >$KEYIN
 echo "." >>$KEYIN


@@ -32,4 +32,4 @@ cat $NEWREQ $KEYFILE >$NEW
 rm $NEWREQ
 openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything -out $CERTFILE -infiles $NEW
 rm $NEW
 rm $NEWREQ
 openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything -out $CERTFILE -infiles $NEW
 rm $NEW

-chown domtool.domtool $CERTFILE
+chown domtool.nogroup $CERTFILE

diff --git a/scripts/domtool-admin-sudo b/scripts/domtool-admin-sudo
index 13eaf19..bd4341f 100755 (executable)
--- a/scripts/domtool-admin-sudo
+++ b/scripts/domtool-admin-sudo
@@ -1,5 +1,3 @@
 #!/usr/bin/pagsh.openafs
 
 #!/usr/bin/pagsh.openafs
 

-kinit -k -t /etc/keytabs/domtool domtool
-aklog
-domtool-admin $* >/dev/null 2>/dev/null
+k5start -qtUf /etc/keytabs/domtool domtool-admin $* >/dev/null 2>/dev/null

diff --git a/scripts/domtool-server b/scripts/domtool-server
index 6078c60..d86f5ac 100755 (executable)
--- a/scripts/domtool-server
+++ b/scripts/domtool-server
@@ -1,31 +1,44 @@
 #!/usr/bin/pagsh.openafs
 #!/usr/bin/pagsh.openafs

+# -*- sh-mode -*-

 
 # This script should go in /etc/init.d/ on Debian Linux systems
 # running Domtool dispatchers.
 
 
 # This script should go in /etc/init.d/ on Debian Linux systems
 # running Domtool dispatchers.
 

+# This script is NOT lsb compliant by a long shot... need to fix that
+
+### BEGIN INIT INFO
+# Provides:             domtool-server
+# Required-Start:       $remote_fs $network $time openafs-client nscd
+# Required-Stop:        $remote_fs $network openafs-client nscd
+# Default-Start:        2 3 4 5
+# Default-Stop:         0 1 6
+# Short-Description:    Domtool Dispatcher
+# Description:          Launches the domtool server
+### END INIT INFO
+

 SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
 PIDFILE="/var/run/domtool/k5start-server.pid"
 
 SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
 PIDFILE="/var/run/domtool/k5start-server.pid"
 

-set -e
+. /lib/lsb/init-functions

 
 case $1 in
   start)
 
 case $1 in
   start)

-       echo -n "Starting Domtool dispatcher: domtool-server"
+       log_daemon_msg "Starting Domtool dispatcher" "domtool-server"

        if sudo -u domtool domtool-admin-sudo ping; then
                echo "...already running."
        else
                PIDDIR=$(dirname "$PIDFILE")
                if test ! -d "$PIDDIR"; then
        if sudo -u domtool domtool-admin-sudo ping; then
                echo "...already running."
        else
                PIDDIR=$(dirname "$PIDFILE")
                if test ! -d "$PIDDIR"; then

-                       mkdir -m 0755 $PIDDIR
-                       chown domtool:domtool $PIDDIR
+                       mkdir -m 0750 $PIDDIR
+                       chown domtool:nogroup $PIDDIR

                fi
 
                start-stop-daemon --start --pidfile $PIDFILE \
                fi
 
                start-stop-daemon --start --pidfile $PIDFILE \

-                       -c domtool:domtool \
+                       -c domtool:nogroup \

                        --exec /usr/bin/k5start -- -U -b \
                        -f /etc/keytabs/domtool \
                        -K 300 -t -p $PIDFILE \
                        --exec /usr/bin/k5start -- -U -b \
                        -f /etc/keytabs/domtool \
                        -K 300 -t -p $PIDFILE \

-                       domtool-server-logged
+                       /usr/local/bin/domtool-server-logged

                echo "."
        fi
        ;;
                echo "."
        fi
        ;;

diff --git a/scripts/domtool-server-logged b/scripts/domtool-server-logged
index 9f8f285..a529acf 100755 (executable)
--- a/scripts/domtool-server-logged
+++ b/scripts/domtool-server-logged
@@ -1 +1 @@
-domtool-server >>/var/log/domtool.log 2>>/var/log/domtool.log
+/usr/local/sbin/domtool-server >>/var/log/domtool.log 2>>/var/log/domtool.log

diff --git a/scripts/domtool-slave b/scripts/domtool-slave
index 5392bea..dabbb70 100755 (executable)
--- a/scripts/domtool-slave
+++ b/scripts/domtool-slave
@@ -1,12 +1,26 @@
 #!/usr/bin/pagsh.openafs
 #!/usr/bin/pagsh.openafs

+# -*- sh -*-

 
 # This script should go in /etc/init.d/ on Debian Linux systems
 # running Domtool slaves.
 
 
 # This script should go in /etc/init.d/ on Debian Linux systems
 # running Domtool slaves.
 

+# This script is NOT lsb compliant by a long shot... need to fix that
+# We need nscd running to lookup afs users for whatever reason
+
+### BEGIN INIT INFO
+# Provides:             domtool-slave
+# Required-Start:       $remote_fs $network $time openafs-client nscd
+# Required-Stop:        $remote_fs $network openafs-client nscd
+# Default-Start:        2 3 4 5
+# Default-Stop:         0 1 6
+# Short-Description:    Domtool Slave
+# Description:          Launches the domtool slave
+### END INIT INFO
+

 SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
 PIDFILE="/var/run/domtool/k5start-slave.pid"
 
 SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
 PIDFILE="/var/run/domtool/k5start-slave.pid"
 

-set -e
+. /lib/lsb/init-functions

 
 case $1 in
   start)
 
 case $1 in
   start)


@@ -16,16 +30,16 @@ case $1 in
        else
                PIDDIR=$(dirname "$PIDFILE")
                if test ! -d "$PIDDIR"; then
        else
                PIDDIR=$(dirname "$PIDFILE")
                if test ! -d "$PIDDIR"; then

-                       mkdir -m 0755 $PIDDIR
-                       chown domtool:domtool $PIDDIR
+                       mkdir -m 0750 $PIDDIR
+                       chown domtool:nogroup $PIDDIR

                fi
 
                start-stop-daemon --start --pidfile $PIDFILE \
                fi
 
                start-stop-daemon --start --pidfile $PIDFILE \

-                       -c domtool:domtool \
+                       -c domtool:nogroup \

                        --exec /usr/bin/k5start -- -U -b \
                        -f /etc/keytabs/domtool \
                        -K 300 -t -p $PIDFILE \
                        --exec /usr/bin/k5start -- -U -b \
                        -f /etc/keytabs/domtool \
                        -K 300 -t -p $PIDFILE \

-                       domtool-slave-logged
+                       /usr/local/bin/domtool-slave-logged

                echo "."
        fi
        ;;
                echo "."
        fi
        ;;

diff --git a/scripts/domtool-slave-logged b/scripts/domtool-slave-logged
index c892bdf..674f3a4 100755 (executable)
--- a/scripts/domtool-slave-logged
+++ b/scripts/domtool-slave-logged
@@ -1 +1 @@
-domtool-slave >>/var/log/domtool.log 2>>/var/log/domtool.log
+/usr/local/sbin/domtool-slave >>/var/log/domtool.log 2>>/var/log/domtool.log