Hi Sergio and Others

I'm running Apache 2.0.51 on Fedora Core 2.

My plan is to have many VirtualHosts each running as different users, so my config would look like

<VirtualHost *>
    ...
    User wwwuser1
    Group wwwuser1
    AFSEngine on
    AFSCache /tmp/krbcc_(wwwuser1's id)
    AFSKeytab wwwuser1.keytab
    ...
</VirtualHost>

<VirtualHost *>
    ...
    User wwwuser2
    Group wwwuser2
    AFSEngine on
    AFSCache /tmp/krbcc_(wwwuser2's id)
    AFSKeytab wwwuser2.keytab
    ...
</VirtualHost>

So each fork should run as a different user and have its own cache file, which if not present or expired will be created from the keytab file. Each VirtualHost is also setting its own PAG, which I understand should make it possible for one user to hold many tokens by having many PAGs.

Is this possible or am I way out there?

/Mikkel

PS: I could really need some pointers on a mod_afs module for apache 2 and afs 1.3.


On Fri, 2004-12-10 at 18:44 +0100, Sergio Gelato wrote:
* Mikkel Kruse Johnsen [2004-12-10 16:39:55 +0100]:
> I'm trying to make apache able to read AFS. I have found some examples on 
> the net but they are all for apache 1.3, AFS 1.2 and Kerberos 4
> 
> I need apache 2, AFS 1.3.74 and Kerberos IV.

Which MPM for Apache?

The reason I'm asking is that a process cannot simultaneously hold tokens
for more than one user per cell (unless this restriction has been removed
in 1.3.x, but I doubt it since that would require a mechanism for choosing
which of the several available identities should be used on any given file
access). If you're multithreading this could be a serious problem. Even
with the prefork MPM (still the default in 2.0, but maybe not in 2.1)
you'll have to give each server process its own PAG.

> Using the attached module I get in /var/log/message "Dec 10 15:54:08 
> frodo kernel: afs: Tokens for user of AFS id 48 for cell linet.dk are 
> discarded (rxkad error=19270407)", which I think means bad ticket.
> 
> I don't really know what I'm doing, since I haven't hacked in AFS or 
> Kerberos's API before, so this is a learning process. But my question is:
> 
> In the examples they all copy the "v4creds.session" into 
> "ClearToken.HandShakeKey" but in v5creds there is no session key, I 
> think it is called keyblock. What is the sessionKey in Kerberos IV ?
> 
> If anyone would like to help me out coding the module I would appreciate it.

How about using Heimdal's libkafs to cut down on the work involved?
There is also a counterpart, krbafs, for MIT Kerberos but it may require
some work to port to your platform.
