Here's the final procedure you should follow
(for installing service "SERVICE" (e.g. mysql) on host "HOST" (e.g. deleuze)):
1. Create local user SERVICE in /etc/passwd:
(Usually already done by Debian postinst scripts in the form of "adduser --system SERVICE". --system ensures that the assigned ID is in the range 100 < ID < 1000.)
2. Create the Kerberos principal:
    kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"
3. Export the principal's keys to /etc/keytabs/SERVICE.HOST and set the file's ownership and mode properly:
    kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
    chown SERVICE:wheel /etc/keytabs/SERVICE.HOST
    chmod 440 /etc/keytabs/SERVICE.HOST
4. Create OpenAFS user SERVICE.HOST
(You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs < 1000 because those are reserved for the local system's IDs, so such UIDs in AFS would mess up the reported Unix ownership of files.)
    pts cu SERVICE.HOST.hcoop.net
5. Create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:
    pts ad SERVICE.HOST SERVICE
6. Modify the service's init script in /etc/init.d/ in the following way:

* Change the shell at the top of the script to "#!/usr/bin/pagsh.openafs"

* Change the start-stop-daemon invocation in action 'start':
    start-stop-daemon --start --pidfile $PIDFILE \
        --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \
        -K 300 -t -p $PIDFILE \
        <The original start command>

* Or, if the service does not use start-stop-daemon itself, you still use it in
action 'start' to run k5start on a line before <The original start command>,
and later in 'stop' to close it:
    start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
        --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
        -f /etc/keytabs/SERVICE.`hostname`

    start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
    rm -f /var/run/SERVICE/k5start-SERVICE.pid
7. Give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if the specific instance matters. (Mostly, you just add permissions to "SERVICE".)
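As an added example (not part of the original procedure), here is a small preflight helper the init script's 'start' action can call before handing the keytab from step 3 to k5start in step 6: it refuses to continue unless the keytab exists with mode 440 and the expected owner and group, so a keytab left world-readable or owned by root is caught before the service runs. The function names and the use of GNU coreutils stat are assumptions.

```sh
#!/bin/sh
# Hypothetical preflight helper, not from the original page: verify that the
# keytab produced in step 3 has the ownership and mode the procedure requires
# before the init script (step 6) hands it to k5start. Assumes GNU stat.

# keytab_check PATH OWNER GROUP
# Returns 0 when PATH is a regular file with mode exactly 440 owned by
# OWNER:GROUP; otherwise reports the first problem found and returns 1.
keytab_check() {
    kt=$1; want_owner=$2; want_group=$3
    if [ ! -f "$kt" ]; then
        echo "keytab $kt: missing (run ktadd, step 3)" >&2
        return 1
    fi
    # stat prints "mode owner group"; word splitting into $1 $2 $3 is intended
    set -- $(stat -c '%a %U %G' "$kt")
    mode=$1; owner=$2; group=$3
    if [ "$mode" != "440" ]; then
        echo "keytab $kt: mode is $mode, expected 440" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "keytab $kt: owned by $owner:$group, expected $want_owner:$want_group" >&2
        return 1
    fi
    return 0
}

# keytab_path SERVICE [HOST]
# Builds the path used throughout the procedure, /etc/keytabs/SERVICE.HOST,
# defaulting HOST to the local hostname as the init script fragment does.
keytab_path() {
    echo "/etc/keytabs/$1.${2:-$(hostname)}"
}

# Example use at the top of the init script's 'start' action, guarding the
# k5start invocation from step 6 (SERVICE and wheel are the page's placeholders):
#   keytab_check "$(keytab_path SERVICE)" SERVICE wheel || exit 1
```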