I'm running Apache 2.0.51 on Fedora Core 2.
My plan is to have many VirtualHosts each running as different users, so my config would look like
<VirtualHost *>
...
User wwwuser1
Group wwwuser1
AFSEngine on
AFSCache /tmp/krbcc_(wwwuser1's id)
AFSKeytab wwwuser1.keytab
...
</VirtualHost>
<VirtualHost *>
...
User wwwuser2
Group wwwuser2
AFSEngine on
AFSCache /tmp/krbcc_(wwwuser2's id)
AFSKeytab wwwuser2.keytab
...
</VirtualHost>
So each fork should run as a different user and have its own cache file, which if not present or expired will be created from the keytab file. Each VirtualHost is also setting its own PAG, which I understand should make it possible for one user to hold many tokens by having many PAGs.
Is this possible or am I way out there?
/Mikkel
PS: I could really need some pointers on a mod_afs module for apache 2 and afs 1.3.
On Fri, 2004-12-10 at 18:44 +0100, Sergio Gelato wrote:
* Mikkel Kruse Johnsen [2004-12-10 16:39:55 +0100]:
> I'm trying to make apache able to read AFS. I have found some examples on
> the net but they are all for apache 1.3, AFS 1.2 and Kerberos 4
>
> I need apache 2, AFS 1.3.74 and Kerberos IV.

Which MPM for Apache? The reason I'm asking is that a process cannot simultaneously hold tokens for more than one user per cell (unless this restriction has been removed in 1.3.x, but I doubt it since that would require a mechanism for choosing which of the several available identities should be used on any given file access). If you're multithreading this could be a serious problem. Even with the prefork MPM (still the default in 2.0, but maybe not in 2.1) you'll have to give each server process its own PAG.

> Using the attached module I get in /var/log/message "Dec 10 15:54:08
> frodo kernel: afs: Tokens for user of AFS id 48 for cell linet.dk are
> discarded (rxkad error=19270407)", which I think means bad ticket.
>
> I don't really know what I'm doing, since I haven't hacked in AFS or
> Kerberos's API before, so this is a learning process. But my question is:
>
> In the examples they all copy the "v4creds.session" into
> "ClearToken.HandShakeKey" but in v5creds there is no session key, I
> think it is called keyblock. What is the sessionKey in Kerberos IV ?
>
> If anyone would like to help me out coding the module I would appreciate it.

How about using Heimdal's libkafs to cut down on the work involved? There is also a counterpart, krbafs, for MIT Kerberos but it may require some work to port to your platform.
