[hcoop/zz_old/ikiwiki] / PrincipalsForNonHumans.mdwn

here's the final procedure you should follow\r
(for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):\r
\r
\r
1. create local user SERVICE in /etc/passwd:\r
\r
     (usually already done by Debian postinst scripts in form of       "adduser --system SERVICE". (--system ensures that the       assigned ID is in range 100 < ID < 1000 .))\r
\r
2. create Kerberos principal:\r
{{{\r
kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"\r
}}}\r
\r
3. export user's keys to /etc/keytabs/SERVICE.HOST and chmod the file properly:\r
{{{\r
kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"\r
chown SERVICE:wheel /etc/keytabs/SERVICE.HOST\r
chmod 440 /etc/keytabs/SERVICE.HOST\r
}}}\r
\r
4. create OpenAFS user SERVICE.HOST\r
 (You must make sure that the UID chosen in AFS is above 1000.      You can't use UIDs <1000 because those are reserved for local      system's IDs, and so such uids in AFS would mess up reported Unix ownership      of files).\r
{{{\r
      pts cu SERVICE.HOST.hcoop.net\r
}}}\r
\r
5. create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:\r
{{{\r
pts cg SERVICE\r
pts ad SERVICE.HOST SERVICE\r
}}}\r
\r
6. modify service's init script in /etc/init.d/ in the following way:\r
\r
     * Change shell at the top of script to  "#!/usr/bin/pagsh.openafs"\r
\r
     * Change start-stop-daemon invocation in action 'start':\r
{{{\r
start-stop-daemon --start --pidfile $PIDFILE \\r
 -c SERVICE:SERVICE \\r
 --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \\r
 -K 300 -t -p $PIDFILE \\r
 <The original start command>\r
}}}\r
\r
      * Or if the service does not use start-stop-daemon itself, you still use it in\r
       action 'start' to run k5start on a line before <The original start command>\r
       and later in 'stop' to close it:\r
\r
          * (start):\r
{{{\r
start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \\r
  -c SERVICE:SERVICE \\r
  --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \\r
  -f /etc/keytabs/SERVICE.`hostname`\r
sleep 2\r
}}}\r
          * (stop):\r
{{{\r
start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid\r
rm -f /var/run/SERVICE/k5start-SERVICE.pid\r
}}}\r
\r
7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST"     if specific instance is important. (Mostly, you just add permissions to "SERVICE").\r
Commit	Line	Data
ee25310d	1	here's the final procedure you should follow\r
	2	(for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):\r
	3	\r
	4	\r
	5	1. create local user SERVICE in /etc/passwd:\r
	6	\r
	7	(usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .))\r
	8	\r
	9	2. create Kerberos principal:\r
	10	{{{\r
	11	kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"\r
	12	}}}\r
	13	\r
	14	3. export user's keys to /etc/keytabs/SERVICE.HOST and chmod the file properly:\r
	15	{{{\r
	16	kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"\r
	17	chown SERVICE:wheel /etc/keytabs/SERVICE.HOST\r
	18	chmod 440 /etc/keytabs/SERVICE.HOST\r
	19	}}}\r
	20	\r
	21	4. create OpenAFS user SERVICE.HOST\r
	22	(You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for local system's IDs, and so such uids in AFS would mess up reported Unix ownership of files).\r
	23	{{{\r
	24	pts cu SERVICE.HOST.hcoop.net\r
	25	}}}\r
	26	\r
	27	5. create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:\r
	28	{{{\r
	29	pts cg SERVICE\r
	30	pts ad SERVICE.HOST SERVICE\r
	31	}}}\r
	32	\r
	33	6. modify service's init script in /etc/init.d/ in the following way:\r
	34	\r
	35	* Change shell at the top of script to "#!/usr/bin/pagsh.openafs"\r
	36	\r
	37	* Change start-stop-daemon invocation in action 'start':\r
	38	{{{\r
	39	start-stop-daemon --start --pidfile $PIDFILE \\r
	40	-c SERVICE:SERVICE \\r
	41	--exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \\r
	42	-K 300 -t -p $PIDFILE \\r
	43	<The original start command>\r
	44	}}}\r
	45	\r
	46	* Or if the service does not use start-stop-daemon itself, you still use it in\r
	47	action 'start' to run k5start on a line before <The original start command>\r
	48	and later in 'stop' to close it:\r
	49	\r
	50	* (start):\r
	51	{{{\r
	52	start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \\r
	53	-c SERVICE:SERVICE \\r
	54	--exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \\r
	55	-f /etc/keytabs/SERVICE.`hostname`\r
	56	sleep 2\r
	57	}}}\r
	58	* (stop):\r
	59	{{{\r
	60	start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid\r
	61	rm -f /var/run/SERVICE/k5start-SERVICE.pid\r
	62	}}}\r
	63	\r
	64	7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if specific instance is important. (Mostly, you just add permissions to "SERVICE").\r