# Get an AFS token for the given user.
#
# This is used to deliver mail with the appropriate credentials.
+#
+# Usage:
+#
+# get-token $USER
+# - If user is root, call this script as $USER
+#
+# get-token $USER norecurse
+# - Don't recursively call this script, even if user if root
+REALUSER=$(whoami)
USER=$1
-export KRB5CCNAME=FILE:/tmp/krb5cc_$USER.email
+LOGFILE=/tmp/exim4/weird-error.log
+
+if test "$REALUSER" = "root"; then
+ if test "$2" = "norecurse"; then
+ echo "Error: running as root even after trying to change to $USER" \
+ >> $LOGFILE
+ exit 1
+ fi
+
+ # Decide whether the user exists: getent returns 0 error code if so
+ getent passwd "$USER" >/dev/null
+ if test $? -ne 0; then
+ echo "$USER is not a local user, so ignoring them" \
+ >> $LOGFILE
+ exit 1
+ else
+ USER=$(getent passwd "$1" | cut -d':' -f 1)
+ exec su $USER -c "$0 $1 norecurse"
+ fi
+fi
+
+# Make sure USER exists, and resolve UIDs to a login name
+USER=$(getent passwd "$USER" | cut -d':' -f 1)
+LOGFILE=/tmp/exim4/get-token-log.$USER
+
+if test -z "$USER"; then
+ echo "$USER is not a local user, so ignoring them" \
+ >> /tmp/exim4/weird-error.log
+ exit 1
+fi
+
+# fuse stdin and stderr
+exec 2>&1
+
+# all future output goes to this file
+exec >& $LOGFILE
+
+# print name of user
+echo "Running as user $REALUSER"
+
+# debugging output
+if test "$2" = "debug"; then
+ shift; shift
+ echo "Debugging output: $*"
+fi
+
+# set the credentials cache
+export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email
+
+# eliminate any previous tokens
kdestroy
unlog
-KEYTAB=/etc/keytabs/mailfilter/$USER
-echo kinit -kt $KEYTAB $USER/mailfilter@HCOOP.NET > /tmp/exim-get-token-log
-kinit -kt $KEYTAB $USER/mailfilter@HCOOP.NET
+KEYTAB=/etc/keytabs/user.daemon/$USER
+
+# display command-to-be-invoked as a sanity check
+echo kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
+
+kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
aklog
+# list tokens, for the sake of debugging
+#tokens