Here's the final procedure you should follow (for installing service "SERVICE" (mysql) on host "HOST" (deleuze)):
- 1) create local user SERVICE in /etc/passwd:
- (usually already done by Debian postinst scripts in the form of "adduser --system SERVICE". (--system ensures that the assigned ID is in range 100 < ID < 1000.))
- kadmin.local -q "addprinc -policy service -randkey SERVICE/HOST"
- kadmin.local -q "ktadd -k /etc/keytabs/SERVICE.HOST SERVICE/HOST"
- (You must make sure that the UID chosen in AFS is above 1000. You can't use UIDs <1000 because those are reserved for the local system's IDs, so such UIDs in AFS would mess up the reported Unix ownership of files.)
- pts cu SERVICE.HOST.hcoop.net
- (P.S. Can you tell pts the minimum ID to assign?)
- SERVICE.HOST to it:
- pts cg SERVICE
- pts ad SERVICE.HOST SERVICE
- Change shell at the top of script to "#!/usr/bin/pagsh.openafs"
- Change start-stop-daemon invocation in action 'start':
- start-stop-daemon --start --pidfile $PIDFILE \
    -c SERVICE:SERVICE \
    --exec /usr/bin/k5start -- -U -b -f /etc/keytabs/SERVICE.hostname \
    -K 300 -t -p $PIDFILE \
    <The original start command>
- *Or if the service does not use start-stop-daemon itself, you still use it in action 'start' to run k5start on a line before <The original start command> and later in 'stop' to close it:
- (start):
- start-stop-daemon --start --pidfile /var/run/SERVICE/k5start-SERVICE.pid \
    -c SERVICE:SERVICE \
    --exec /usr/bin/k5start -- -U -b -K 300 -t -p /var/run/SERVICE/k5start-SERVICE.pid \
    -f /etc/keytabs/SERVICE.hostname
- (stop):
- start-stop-daemon --stop --pidfile /var/run/SERVICE/k5start-SERVICE.pid
- rm -f /var/run/SERVICE/k5start-SERVICE.pid
- if specific instance is important. (Mostly, you just add permissions to "SERVICE").
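
The script below is an added example, not part of the original procedure: it checks the results of the steps above (local UID range, AFS ID above 1000, keytab file) before the service is started. All function names are hypothetical; the keytab ownership check, the SERVICE.HOST pts entry name and the `pts examine` output layout are assumptions inferred from the commands on this page.

```shell
#!/bin/sh
# Added example: post-install checks for a kerberized service.
# All function names here are hypothetical, not from the original page.

# Local account: "adduser --system" should give 100 < UID < 1000.
uid_is_system() {
    [ "$1" -gt 100 ] 2>/dev/null && [ "$1" -lt 1000 ]
}

# AFS (pts) ID must be above 1000 so it never collides with a local system UID.
afs_id_ok() {
    [ "$1" -gt 1000 ] 2>/dev/null
}

# Extract the numeric ID from "pts examine" output read on stdin.
# Assumes the usual first line: "Name: X, id: N, owner: ..."
pts_id() {
    sed -n 's/^Name: .*, id: \([0-9-]*\),.*/\1/p'
}

# Keytab holds the service's long-term key: regular file, no group/other bits.
keytab_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# k5start runs as SERVICE:SERVICE (-c), so that UID must own the keytab
# (inferred from the start-stop-daemon line; the page does not state it).
keytab_owned_by() {
    [ "$(ls -lnd "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# usage: verify_service SERVICE HOST   (pts entry assumed to be SERVICE.HOST)
verify_service() {
    svc=$1; host=$2; kt=/etc/keytabs/$svc.$host; rc=0
    uid=$(id -u "$svc" 2>/dev/null) || { echo "no local user $svc"; return 1; }
    uid_is_system "$uid" || { echo "UID $uid not in 100 < ID < 1000"; rc=1; }
    keytab_is_private "$kt" || { echo "$kt missing or group/other-accessible"; rc=1; }
    keytab_owned_by "$kt" "$uid" || { echo "$kt not owned by $svc"; rc=1; }
    afs=$(pts examine "$svc.$host" 2>/dev/null | pts_id)
    afs_id_ok "$afs" || { echo "AFS ID '$afs' is not above 1000"; rc=1; }
    return $rc
}

# Run the checks only when called with arguments, e.g.: sh check.sh mysql deleuze
if [ $# -ge 2 ]; then verify_service "$1" "$2"; fi
```

A keytab written by kadmin.local as root will fail the ownership check until it is chowned to the service user, which is the state k5start needs when started with `-c SERVICE:SERVICE`.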