Anthony Messina
Attended National-Louis University
Lives in Chicago, IL, US
29 followers | 47,940 views

Anthony Messina

The last day of my MBA program has arrived! I feel better already!

Marci Messina
Congratulations Baby! We've missed you!

Anthony Messina

Screen display issue after upgrading a Thinkpad X200s to kernel-3.8.3-201.fc18.x86_64. 

Anthony Messina

An excellent read

Anthony Messina

Enjoying a spur of the moment dinner.

Anthony Messina

Discussion
I've been struggling with this one for a while...  If anyone has any pointers, I'd appreciate hearing them.

I have a few services that need to obtain Kerberos user tickets to be able to access NFSv4.1 filesystems in Fedora 18.  Mostly the services are for the "apache" and "mythtv" users.  In addition, I'd like to enable my MythTV frontends to log in automatically after they've obtained their user tickets and can access their home directories and other media directories.

In Fedora 17, this was relatively simple (hah!), as I would create a specific unit file similar to the following for the "apache" user:

.include /usr/lib/systemd/system/httpd.service
[Unit]
Requires=network.target
After=network.target

[Service]
Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
Environment=KRB5CCSYSNAME=/tmp/krb5cc_48
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_48
ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; /usr/bin/chown -R apache:apache ${KRB5CCSYSNAME} ; /usr/bin/chcon -R -t user_tmp_t ${KRB5CCSYSNAME}
PrivateTmp=false

Then in my "apache" user's cron job, I'd simply specify a line with the command "/usr/bin/kinit -R" and everything worked beautifully.

Now that I've upgraded many of my systems to Fedora 18 with the KRB5CCNAME changes, and with +systemd being so damned fast ;) I'm having lots of complications, especially with the MythTV frontend autologin users, which are not local to any machine but held in FreeIPA/SSSD.

At first, I tried to use systemd-tmpfiles:
d /run/user/1234567 0700 mythtv-fe1 mythtv-fe1

but realized that systemd doesn't know about the mythtv-fe1 user at that point in the startup since sssd isn't started, so then I tried using the uidnumber instead:
d /run/user/1234567 0700 1234567 1234567

which didn't work :(

So I'm currently trying the following unit file, which works sometimes, but other times I get the error:

systemd[1]: Cannot add dependency job for unit lightdm.service, ignoring: Unit mythtv-kinit.service failed to load: Cannot allocate memory. See system logs and 'systemctl status mythtv-kinit.service'

which doesn't tell me anything useful.

[Unit]
Description=Kerberos v5 credentials for mythtv-fe1
Before=display-manager.service
After=network.target sssd.service

[Service]
Type=oneshot
User=mythtv-fe1
Environment=KRB5_KTNAME=/etc/mythtv/%u.keytab
Environment=KRB5CCNAME=DIR:/run/user/%U/krb5cc
PermissionsStartOnly=true
ExecStartPre=/usr/bin/mkdir -p -m 0700 /run/user/%U ; /usr/bin/mkdir -p -m 0700 /run/user/%U/krb5cc ; /bin/chown -R %u:%u /run/user/%U ; /usr/bin/chcon -R -t user_tmp_t /run/user/%U
ExecStart=/usr/bin/kinit -V -r 604800s -k -t ${KRB5_KTNAME} %u

[Install]
RequiredBy=display-manager.service

I keep thinking that there's got to be a better, more native way of doing this, right???  Any help is appreciated in letting me know how to improve integration between +systemd and Kerberos.

Thanks and have a great day.

3 comments

Can any +systemd gurus offer some suggestions on this:

[Unit]
Description=k5start Kerberos ticket service for user: %i
Documentation=man:k5start(1)
Before=display-manager.service httpd.service mythbackend.service
After=network.target sssd.service

[Service]
User=%i
Type=forking
PIDFile=/run/user/%U/k5start.pid
#ConditionPathExists=/etc/k5start.d/%u.keytab
Environment=KRB5CCNAME=DIR:/run/user/%U/krb5cc
ExecStartPre=/usr/bin/mkdir -p -m 0700 /run/user/%U ; /usr/bin/mkdir -p -m 0700 /run/user/%U/krb5cc ; /bin/chown -R %u:%u /run/user/%U ; /usr/bin/chcon -R -t user_tmp_t /run/user/%U
ExecStart=/usr/bin/k5start -b -f /etc/k5start.d/%u.keytab -K 60 -p /run/user/%U/k5start.pid -L -v -U
ExecReload=/bin/kill -ALRM $MAINPID
PermissionsStartOnly=true

[Install]
WantedBy=multi-user.target
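
The ExecStartPre preparation from the units above, written as a small POSIX sh function that verifies the result (an added example, not from the post, systemd or MIT Kerberos): it assumes the base directory (normally /run/user/%U) and the expected owner are passed in so it can be exercised outside /run/user, checks owner and mode instead of running chown -R over whatever tree already exists, and treats chcon as optional.

```shell
#!/bin/sh
# Added example, not part of the original post: prepare a per-user DIR: Kerberos
# credential cache the way the unit's ExecStartPre does, but verify the result
# instead of running a blanket chown -R over an existing tree.
# Assumptions: BASE (normally /run/user/%U) and the expected OWNER are passed in;
# chcon is applied only when SELinux is present.
set -u

# prepare_krb5_ccache BASE OWNER
# Creates BASE and BASE/krb5cc with mode 0700, owned by OWNER, and prints the
# KRB5CCNAME value to export.  Returns 1 on filesystem errors and 2 when a
# directory already exists but is owned by someone other than OWNER.
prepare_krb5_ccache() {
    base=$1
    owner=$2
    cc="$base/krb5cc"

    for d in "$base" "$cc"; do
        if [ ! -d "$d" ]; then
            mkdir -p -m 0700 "$d" || return 1
            # Only root needs to hand a freshly created directory to the user;
            # when this runs as that user the directory is already theirs.
            if [ "$(id -u)" -eq 0 ]; then
                chown "$owner:$owner" "$d" || return 1
            fi
        fi
        # Verify owner and mode rather than trusting what was there before.
        info=$(stat -c '%U %a' "$d") || return 1
        set -- $info
        if [ "$1" != "$owner" ]; then
            echo "refusing $d: owned by $1, expected $owner" >&2
            return 2
        fi
        [ "$2" = "700" ] || chmod 0700 "$d" || return 1
    done

    # Label used by the unit; a no-op on systems without SELinux.
    if [ -d /sys/fs/selinux ] && command -v chcon >/dev/null 2>&1; then
        chcon -R -t user_tmp_t "$base" 2>/dev/null || true
    fi

    printf 'DIR:%s\n' "$cc"
}
```

The printed value is what KRB5CCNAME= in the unit expects; a non-zero exit from ExecStartPre stops the unit before kinit or k5start ever runs against a cache directory it does not own.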
Education
  • National-Louis University
    MBA, 2010 - 2013
  • Bradley University
    BSN, 1995 - 2001
Basic Information
Gender
Male
Relationship
Married
Work
Occupation
Emergency Department Nurse
Places
Currently
Chicago, IL, US
Anthony Messina's +1's are the things they like, agree with, or want to recommend.
A Nation of Wimps
www.psychologytoday.com

Parents are going to ludicrous lengths to take the bumps out of life for their children. However, parental hyperconcern has the net effect o

End Piracy, Not Liberty – Google
www.google.com

Millions of Americans oppose SOPA and PIPA because these bills would censor the Internet and slow economic growth in the U.S.. Two bills bef

'Blues Brothers' mall set to star in demolition
www.chicagotribune.com

Bulldozers soon may finish what Jake and Elwood started more than 30 years ago: the destruction of the Dixie Square Mall.

LiCo - The New Linux Counter Project
linuxcounter.net

The New Linux Counter was created in order to replace and revive the good old, original Linux Counter Project on counter.li.org. Alexander M

CSipSimple
market.android.com

CSipSimple - High quality OpenSource SIP OpenSource (GPL) project for SIP on Android. * High performances * Rewriting/filtering rules for

SVGGraph - a PHP SVG graph library
www.goat1000.com

SVGGraph 2.10 - a PHP SVG graph library. Skip to: Using SVGGraph · SVG in HTML · General settings · Bar graphs · 3D bar graphs · Horizontal

CTA to auction off unused supplies to raise cash
www.chicagotribune.com

Once meant for public trains and buses, the untouched heaters, rod ends and spools of copper wire have instead collected dust for years at t

Messinet Secure Services
messinet.com

On Friday, 2012-11-16 at 08:00 CST, Messinet Secure Services will begin the switch from ADSL internet service provided by Cyberonic Internet

Free Accounting Software | GnuCash
www.gnucash.org

A personal and small-business financial-accounting software, licensed under GNU/GPL and available for Linux, Windows, Mac OS X, BSD, and Sol

Digium AEX422e — VoIP Supply
ziz.bz

Digium AEX422e. Get your Digium AEX422e from the Digium experts. Learn about, review and purchase the Digium AEX422e here today!

csipsimple
code.google.com

SIP application for Android devices

CardDAV-Sync beta
market.android.com

CardDAV-Sync is a CardDAV client for Android to synchronize contacts. Due to its implementation as sync adapter it integrates seamlessly wit

CalDAV-Sync beta
market.android.com

CalDAV-Sync is a CalDAV client for Android to synchronize events. Due to its implementation as sync adapter it integrates seamlessly with th

mythmote
market.android.com

Mythtv frontend control interface. Mythmote allows you to control MythTV frontends through a network connection. Features include multiple f

Rahm Emanuel to middle class: Don’t leave for better schools - Chicago S...
www.suntimes.com

Mayor Rahm Emanuel has a message to the middle class: Don’t leave my city in pursuit of a high-quality, high school education for your kids.

Transit Tracks: Chicago - Apps on Android Market
market.android.com

Whether you live in the Windy City or you're just passing by, Transit Tracks: Chicago is an indispensable tool for tracking real-time CTA bu

IaxAgent Beta - Apps on Android Market
market.android.com

IaxAgent allows you to make phone calls using VoIP. Ideally for reducing the cost of your long distance calls when configured with your pref

Google Groups - Wifi vs. Cellular & DNS resolution issues/Flush DNS ...
groups.google.com

Cellular & DNS resolution issues/Flush DNS cache on network change, Anthony Messina, 2/3/12 6:49 AM, I am having issues resolving proper