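#!/bin/bash
# Get an AFS token for the given user.
#
# This is used to deliver mail with the appropriate credentials.
#
# Usage:
#
#   get-token $USER
#     - If user is root, call this script as $USER
#
#   get-token $USER norecurse
#     - Don't recursively call this script, even if user is root
#
# Output after start-up is written to /tmp/exim4/get-token-log.<argument>.
#
# Security notes:
#   - The first argument ends up in file paths (log file, credentials cache,
#     keytab) and in the command string handed to su, so it is validated
#     before any of those are built.
#   - NOTE(review): the log and the credentials cache use predictable names
#     under /tmp/exim4. This assumes the directory is not writable by other
#     local users; confirm its ownership and mode.

REALUSER=$(whoami)
REQUESTED=$1

# Report the requested name as unknown and stop. The message names what the
# caller asked for, not the (possibly empty) lookup result.
reject_user() {
  echo "$REQUESTED is not a local user, so ignoring them"
  exit 1
}

# Succeed only for a value that is safe both as a single path component and
# as a bare word in a shell command: non-empty, no leading '-' or '.', and
# made of letters, digits, '.', '_' and '-' only. Numeric UIDs pass.
# NOTE(review): widen the allowed set if this site has other login names.
is_safe_name() {
  case $1 in
    '' | -* | .* | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

is_safe_name "$REQUESTED" || reject_user

# Make sure the user exists, and resolve UIDs to a login name. This happens
# before the su call so that su is always given a login name.
USER=$(getent passwd "$REQUESTED" | cut -d: -f1)
is_safe_name "$USER" || reject_user

# Built only after validation, so the argument cannot point the log outside
# /tmp/exim4.
LOGFILE=/tmp/exim4/get-token-log.$REQUESTED

if test "$REALUSER" = "root"; then
  if test -n "$2"; then
    echo "Error: running as root even after trying to change to $REQUESTED" \
      > "$LOGFILE"
    exit 1
  fi

  # su -c takes one command string that the target user's shell parses.
  # REQUESTED is restricted to safe characters above; the script path is
  # quoted with %q (bash-style quoting, a no-op for ordinary paths).
  exec su "$USER" -c "$(printf '%q' "$0") $REQUESTED norecurse"
fi

# All further output, stdout and stderr alike, goes to the log file.
exec > "$LOGFILE" 2>&1

# print name of user
echo "Running as user $REALUSER"

# set the credentials cache
export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email

# eliminate any previous tokens
kdestroy
unlog

KEYTAB=/etc/keytabs/user.daemon/$USER

# display command-to-be-invoked as a sanity check
echo kinit -kt "$KEYTAB" "$USER/daemon@HCOOP.NET"

# Without a ticket aklog has nothing to work with, so stop here and leave
# the reason in the log instead of falling through.
if ! kinit -kt "$KEYTAB" "$USER/daemon@HCOOP.NET"; then
  echo "Error: kinit failed for $USER/daemon@HCOOP.NET"
  exit 1
fi

aklog

# list tokens, for the sake of debugging
#tokens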