Here's the final procedure you should follow
(for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):


1. create local user SERVICE in /etc/passwd:

(usually already done by the Debian postinst scripts, in the form "adduser --system SERVICE"; --system ensures that the assigned ID is in the range 100 < ID < 1000.)

2. create Kerberos principal:
{{{
kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"
}}}

3. export the principal's keys to /etc/keytabs/SERVICE.HOST and chmod the file properly:
{{{
kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
chown SERVICE:wheel /etc/keytabs/SERVICE.HOST
chmod 440 /etc/keytabs/SERVICE.HOST
}}}

4. create OpenAFS user SERVICE.HOST
(You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for the local system's IDs, and such UIDs in AFS would mess up the reported Unix ownership of files.)
{{{
pts cu SERVICE.HOST.hcoop.net
}}}

5. create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:
{{{
pts cg SERVICE
pts ad SERVICE.HOST SERVICE
}}}

6. modify the service's init script in /etc/init.d/ in the following way:

* Change the interpreter line at the top of the script to "#!/usr/bin/pagsh.openafs"

* Change the start-stop-daemon invocation in action 'start':
{{{
start-stop-daemon --start --pidfile $PIDFILE \
-c SERVICE:SERVICE \
--exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \
-K 300 -t -p $PIDFILE \
<The original start command>
}}}

* Or, if the service does not use start-stop-daemon itself, still use it in
action 'start' to run k5start on a line before <The original start command>,
and later in 'stop' to terminate it:

* (start):
{{{
start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
-c SERVICE:SERVICE \
--exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
-f /etc/keytabs/SERVICE.`hostname`
sleep 2
}}}
* (stop):
{{{
start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
rm -f /var/run/SERVICE/k5start-SERVICE.pid
}}}

7. Grant permissions in AFS space to the group "SERVICE", or to the user "SERVICE.HOST" if the specific instance matters. (Mostly you just add permissions for "SERVICE".)
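The following is an added example, not hcoop's own script: it turns steps 2 to 5 of the procedure above into a parameterised shell helper and adds the checks a practitioner would run afterwards (the keytab's mode and owner from step 3, the UID ranges from steps 1 and 4). Assumptions (hypothetical): SERVICE and HOST are passed as the two positional arguments, the AFS user is named SERVICE.HOST in both the "pts cu" and "pts ad" steps as the text of steps 4 and 5 says, GNU stat is available, and DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not hcoop's own script): helper for steps 2-5 of the procedure
# above, plus the checks worth running afterwards.
# Assumptions (hypothetical): SERVICE=$1, HOST=$2, AFS user named SERVICE.HOST,
# GNU stat, and DRY_RUN=1 prints privileged commands instead of running them.
set -eu

# /etc/keytabs/SERVICE.HOST, the path used by steps 3 and 6
keytab_path() {
    printf '%s\n' "/etc/keytabs/$1.$2"
}

# Step 1: adduser --system picks 100 <= uid < 1000. A uid outside that range
# means the local account was not created the Debian way; look at it first.
uid_is_system() {
    [ "$1" -ge 100 ] && [ "$1" -lt 1000 ]
}

# Step 4: the AFS id must be above the local system range so it cannot collide
# with a local uid and misreport Unix ownership of files.
afs_id_ok() {
    [ "$1" -gt 1000 ]
}

# Step 3 check: keytab exists, mode is exactly 0440, and the owner uid matches
# the expected one (pass a numeric uid; resolve a name with "id -u SERVICE").
check_keytab_perms() {
    f=$1 want_uid=$2
    [ -f "$f" ] || { echo "missing keytab $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    have_uid=$(stat -c '%u' "$f")
    [ "$mode" = 440 ] && [ "$have_uid" = "$want_uid" ]
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 2-5 in order, for SERVICE=$1 and HOST=$2.
provision() {
    svc=$1 host=$2
    kt=$(keytab_path "$svc" "$host")
    run kadmin.local -q "addprinc -policy service -randkey $svc/$host"   # step 2
    run kadmin.local -q "ktadd -k $kt $svc/$host"                         # step 3
    run chown "$svc:wheel" "$kt"
    run chmod 440 "$kt"
    run pts cu "$svc.$host"                                               # step 4
    run pts cg "$svc" || true          # step 5; the group may already exist
    run pts ad "$svc.$host" "$svc"
}

# Usage: DRY_RUN=1 sh provision.sh mysql deleuze
if [ "$#" -eq 2 ]; then
    provision "$1" "$2"
fi
```

In dry-run mode the commands are printed with their arguments joined by spaces, so the quoting around the kadmin.local -q argument is not shown; run it once with DRY_RUN=1 to review the exact principal, keytab path and AFS names before running it for real. check_keytab_perms is the one to add to your post-install checklist, since a keytab that is group-readable by more than wheel, or owned by root instead of SERVICE, either leaks the service's long-term key or stops k5start (running as SERVICE) from reading it.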