I have a long-running process. How can I maintain access to my AFS files?
Last updated: September 18th, 2018 03:57 PM
Long-running processes that need access to AFS files must use the mechanism below to keep their AFS token active. In the examples that follow, replace 'username' with your user name.
- Create a keytab file containing your Pitt password in encrypted format. Do this once at the beginning and again each time after you change your password:
$ cd ~/private
$ rm -f username.keytab
$ ktutil
ktutil: addent -password -p USERNAME@UNIV.PITT.EDU -k 1 -e aes256-cts
Password for USERNAME@UNIV.PITT.EDU: [enter your Pitt password]
ktutil: wkt username.keytab
ktutil: quit
$
IMPORTANT NOTE: Your username in the command above MUST be in all UPPER-CASE. Failure to do this will result in a keytab that does not work.
Please keep this keytab file in a secure place. Anyone who gets a copy of your keytab file can authenticate themselves as you.
- Then, each time you need to have a long-running process, copy your keytab file to /var/tmp and protect it so that only you can read it:
$ cp ~/private/username.keytab /var/tmp
$ chmod 400 /var/tmp/username.keytab
- Start up a new Process Authentication Group (PAG), then within that, run the k5start daemon process that renews your tickets periodically, then run the 'screen' process manager:
For bash:
$ pagsh
$ export AKLOG=/usr/bin/aklog
$ k5start -b -t -K 600 -p /var/tmp/username.pid -f /var/tmp/username.keytab USERNAME@UNIV.PITT.EDU
$ screen
[...]
For tcsh:
% pagsh
% setenv AKLOG /usr/bin/aklog
% k5start -b -t -K 600 -p /var/tmp/username.pid -f /var/tmp/username.keytab USERNAME@UNIV.PITT.EDU
% screen
[...]
IMPORTANT NOTE: Your username in the commands above MUST be in all UPPER-CASE, otherwise the authentication will fail.
- Once your project is done, exit screen, kill the k5start process, and remove your keytab and pid file from /var/tmp:
$ kill `cat /var/tmp/username.pid`
$ rm /var/tmp/username.keytab /var/tmp/username.pid
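The two things this procedure warns about (an upper-case principal and a keytab readable only by you) are easy to get wrong in a hurry. The helper below is an added example, not part of the Pitt article; it checks both before launching the same pagsh / k5start / screen sequence, and assumes the keytab and pid file sit side by side in /var/tmp.

```shell
#!/bin/sh
# Added pre-flight helper for the k5start procedure above; it is not part of
# the Pitt article. It verifies the article's two requirements (upper-case
# principal, keytab owned by you and mode 0400) before touching Kerberos.
# Assumed layout: keytab and pid file live side by side in /var/tmp.

# Return 0 only for USER@UNIV.PITT.EDU with the user part entirely upper-case.
check_principal() {
    user=${1%%@*}
    realm=${1#*@}
    [ -n "$user" ] && [ "$realm" = "UNIV.PITT.EDU" ] || return 1
    [ "$user" = "$(printf '%s' "$user" | tr '[:lower:]' '[:upper:]')" ]
}

# Return 0 only if the keytab is a regular file, owned by the caller, mode 0400.
check_keytab() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm 400 -user "$(id -un)" 2>/dev/null)" ]
}

# Print the article's k5start command for this principal and keytab; the pid
# file path is the keytab path with .keytab replaced by .pid.
k5start_cmd() {
    printf 'k5start -b -t -K 600 -p %s -f %s %s\n' "${2%.keytab}.pid" "$2" "$1"
}

# Run the checks, then the article's PAG + k5start + screen sequence.
start_session() {
    check_principal "$1" || { echo "principal must be USERNAME@UNIV.PITT.EDU" >&2; return 1; }
    check_keytab "$2"    || { echo "keytab must be yours and mode 0400" >&2; return 1; }
    # pagsh -c runs the whole sequence inside a fresh PAG (OpenAFS pagsh option).
    pagsh -c "export AKLOG=/usr/bin/aklog; $(k5start_cmd "$1" "$2") && screen"
}

# Usage: start_session USERNAME@UNIV.PITT.EDU /var/tmp/username.keytab
```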