--- /dev/null
+here's the final procedure you should follow\r
+(for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):\r
+\r
+\r
+1. create local user SERVICE in /etc/passwd:\r
+\r
+ (usually already done by Debian postinst scripts in form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000 .))\r
+\r
+2. create Kerberos principal:\r
+{{{\r
+kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"\r
+}}}\r
+\r
+3. export user's keys to /etc/keytabs/SERVICE.HOST and chmod the file properly:\r
+{{{\r
+kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"\r
+chown SERVICE:wheel /etc/keytabs/SERVICE.HOST\r
+chmod 440 /etc/keytabs/SERVICE.HOST\r
+}}}\r
+\r
+4. create OpenAFS user SERVICE.HOST\r
+ (You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for local system's IDs, and so such uids in AFS would mess up reported Unix ownership of files).\r
+{{{\r
+ pts cu SERVICE.HOST.hcoop.net\r
+}}}\r
+\r
+5. create OpenAFS group "SERVICE" if it doesn't exist, and add SERVICE.HOST to it:\r
+{{{\r
+pts cg SERVICE\r
+pts ad SERVICE.HOST SERVICE\r
+}}}\r
+\r
+6. modify service's init script in /etc/init.d/ in the following way:\r
+\r
+ * Change shell at the top of script to "#!/usr/bin/pagsh.openafs"\r
+\r
+ * Change start-stop-daemon invocation in action 'start':\r
+{{{\r
+start-stop-daemon --start --pidfile $PIDFILE \\r
+ -c SERVICE:SERVICE \\r
+ --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.`hostname` \\r
+ -K 300 -t -p $PIDFILE \\r
+ <The original start command>\r
+}}}\r
+\r
+ * Or if the service does not use start-stop-daemon itself, you still use it in\r
+ action 'start' to run k5start on a line before <The original start command>\r
+ and later in 'stop' to close it:\r
+\r
+ * (start):\r
+{{{\r
+start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \\r
+ -c SERVICE:SERVICE \\r
+ --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \\r
+ -f /etc/keytabs/SERVICE.`hostname`\r
+sleep 2\r
+}}}\r
+ * (stop):\r
+{{{\r
+start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid\r
+rm -f /var/run/SERVICE/k5start-SERVICE.pid\r
+}}}\r
+\r
+7. You give permissions in AFS space to group "SERVICE", or to user "SERVICE.HOST" if specific instance is important. (Mostly, you just add permissions to "SERVICE").\r
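Review bot: In step 6, the first start-stop-daemon variant hands the same $PIDFILE both to `--pidfile $PIDFILE` and to `k5start ... -p $PIDFILE`, so k5start (started with -b) writes its own pid where the service's pid is expected and the two overwrite each other; `stop` then signals whichever process last wrote the file. Give k5start its own pid file as the second variant already does (`/var/run/SERVICE/k5start-SERVICE.pid`), and note that the directory /var/run/SERVICE must exist and be writable by SERVICE since `-c SERVICE:SERVICE` drops privileges before k5start runs. Two smaller points in the same hunk: step 4 creates the AFS user as `SERVICE.HOST.hcoop.net` while step 5 adds `SERVICE.HOST` to the group, so one of the two names is wrong and `pts ad` will fail; and step 3 does `chown SERVICE:wheel` with mode 440, which assumes a `wheel` group that Debian does not create by default and exposes the keytab to every member of that group, so `chown SERVICE:SERVICE` with `chmod 400` (k5start only needs the owner to read it) is the safer choice. The `sleep 2` after starting k5start is a fixed delay rather than a check that a ticket was obtained; it works but will race on a slow KDC.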