Dept of Computer Science

Technical Staff

I have a long-running process. How can I maintain access to my AFS files?

Last updated: January 19th, 2017 03:13 PM

Long-running processes that need access to AFS files must use this mechanism to keep their AFS token active. In the examples below, replace 'username' with your user name.

  1. Create a keytab file containing your password in encrypted format. Do this once at the beginning and again each time after you change your password:
         % cd ~/private
         % rm -f username.keytab
         % ktutil
         ktutil:  addent -password -p username@DEPT.CS.PITT.EDU -k 1 -e aes256-cts
         Password for username@DEPT.CS.PITT.EDU:  [enter your password]
         ktutil:  wkt username.keytab
         ktutil:  quit
         %
    

    Please keep this keytab file in a secure place. Anyone who gets a copy of your keytab file can authenticate themselves as you.

  2. Then, each time you need to have a long-running process, copy your keytab file to /var/tmp, creating the copy with permissions that let only you read it, so it is never readable by others, even briefly:
         % install -m 400 ~/private/username.keytab /var/tmp/username.keytab
    
  3. Start up a daemon process that renews your tickets periodically:

    For tcsh:

         % setenv AKLOG /usr/bin/aklog
         % k5start -b -t -K 600 -p /var/tmp/username.pid -f /var/tmp/username.keytab username@DEPT.CS.PITT.EDU
    

    For bash:

         % export AKLOG=/usr/bin/aklog
         % k5start -b -t -K 600 -p /var/tmp/username.pid -f /var/tmp/username.keytab username@DEPT.CS.PITT.EDU
    
  4. Once your project is done, kill the k5start process and remove your keytab from /var/tmp:
         % kill `cat /var/tmp/username.pid`
         % rm /var/tmp/username.keytab /var/tmp/username.pid
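
A pre-flight check for steps 2 through 4, as an added example that is not part of the original page: it confirms that the keytab copy in /var/tmp is a regular file you own with no group or other access, and that the PID file still names a k5start process before you rely on it or kill it. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU stat (stat -c).
# keytab_ok and renewer_running are hypothetical helper names.

# keytab_ok FILE: succeed only if FILE is a regular file (not a symlink),
# owned by the caller, with no group/other permission bits set.
keytab_ok() {
    f=$1
    [ -L "$f" ] && { echo "$f: is a symlink" >&2; return 1; }
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -O "$f" ] || { echo "$f: not owned by you" >&2; return 1; }
    mode=$(stat -c %a "$f") || return 1
    case $mode in
        0|*00) return 0 ;;   # e.g. 400 or 600: owner-only access
        *) echo "$f: mode $mode allows group/other access" >&2; return 1 ;;
    esac
}

# renewer_running PIDFILE: succeed only if PIDFILE holds a numeric PID and
# that process is currently a k5start (guards against a stale, reused PID).
renewer_running() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$(ps -p "$pid" -o comm= 2>/dev/null)" = k5start ]
}

# Usage: sh check.sh /var/tmp/username.keytab /var/tmp/username.pid
if [ "$#" -eq 2 ]; then
    keytab_ok "$1" && renewer_running "$2" && echo "keytab and k5start look sane"
fi
```
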