This section covers creating Kerberos principals and PTS entries for system services. (User entries are created automatically by the create-user script; no manual work is needed.)
We follow the convention that Kerberos users for daemons are named $DAEMON, where $DAEMON is the name of the daemon (for instance, the name of the system user it runs as, or the name of its /etc/init.d file).
To add the Kerberos principal for a daemon, run this in kadmin:
addprinc -randkey -policy service $DAEMON
AFS users exist separately from Kerberos principals. To add the AFS user for a daemon, assigning it the PTS id $UID, run:
pts createuser -name $DAEMON -id $UID
It is best if this id matches the daemon's Unix UID, so that ls and other tools that print user IDs do not cause confusion.
Keytab files make it straightforward to run daemons with AFS privileges: an access-protected local file holds the daemon user's credentials, and the daemon reads it at startup in order to authenticate.
To create a keytab for a daemon, run this in kadmin:
ktadd -k /etc/keytabs/$DAEMON $DAEMON
then, from a shell, restrict access to the file:
chown $DAEMON:wheel /etc/keytabs/$DAEMON
chmod 440 /etc/keytabs/$DAEMON
In the example above, only one key (of the 4 or 5 created) is exported for a user. It is sometimes desirable to export only a specific key into a keytab file, but we generally just omit the -e KEY_TYPE parameter and export all keys to the keytab file.
You can view the keys stored in a keytab with:
sudo klist -k /etc/keytabs/KEYTAB_FILE
To make daemons properly kinit/aklog as the user you created for them, use the k5start command. Many examples of its use can be found in our /etc/init.d/ scripts. Important options include -U (which kinits as the first principal found in the keytab file, without the need to name a principal explicitly), -f (which specifies the keytab file to kinit from), and -K MINUTES (which renews the ticket every MINUTES minutes, so that daemons can run for long periods of time).
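As an added example (not part of this page or our init scripts), the following POSIX shell script strings the steps above together for one daemon: principal, PTS entry, keytab, file permissions, and the k5start invocation an init script would use. It also checks that a keytab has the expected mode and owner. It assumes kadmin and pts are on PATH with admin credentials for both; DRY_RUN and the function names are my own.

```shell
#!/bin/sh
# Added example: provision a daemon's Kerberos principal, AFS PTS entry and
# keytab following the conventions above, then verify keytab permissions.
# Assumes: kadmin and pts on PATH, admin credentials for both.
# DRY_RUN=1 (a name introduced here) prints the commands instead of running them.

KEYTAB_DIR=/etc/keytabs

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# provision_daemon DAEMON UID
provision_daemon() {
    daemon=$1
    uid=$2
    keytab=$KEYTAB_DIR/$daemon
    # Kerberos principal with a random key, under the "service" policy
    run kadmin -q "addprinc -randkey -policy service $daemon"
    # AFS user whose PTS id matches the daemon's Unix uid
    run pts createuser -name "$daemon" -id "$uid"
    # Export all keys to a keytab readable only by the daemon and wheel
    run kadmin -q "ktadd -k $keytab $daemon"
    run chown "$daemon:wheel" "$keytab"
    run chmod 440 "$keytab"
}

# check_keytab_perms FILE OWNER: succeed only if mode is 440 and owner matches
check_keytab_perms() {
    file=$1
    owner=$2
    mode=$(stat -c %a "$file") || return 1
    actual_owner=$(stat -c %U "$file") || return 1
    [ "$mode" = "440" ] && [ "$actual_owner" = "$owner" ]
}

# k5start_cmd DAEMON COMMAND...: the k5start line an init script would run
k5start_cmd() {
    daemon=$1; shift
    # -U: first principal in the keytab; -f: keytab to use; -K 10: renew
    # every 10 minutes; -t: run aklog after kinit so the daemon gets an AFS token
    echo "k5start -U -f $KEYTAB_DIR/$daemon -K 10 -t -- $*"
}
```

Run check_keytab_perms from a periodic audit to catch keytabs whose permissions have drifted from 440 $DAEMON:wheel.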