We run our web server authenticated from a keytab. The keytab contains

  # /usr/heimdal/sbin/ktutil --keytab=/etc/krb5.keytab.web-daemon list
  Vno  Type                     Principal
    0  des3-cbc-sha1            web-daemon/[email protected]
    0  aes128-cts-hmac-sha1-96  web-daemon/[email protected]
    0  arcfour-hmac-md5         web-daemon/[email protected]

Then the webserver is started with heimdal kinit (which does all the pagsh and renew magic) with that keytab:

  # ps auxgwww | grep kinit
  root 31751 0.0 0.0 39880 2100 ? S Jul04 0:04 /usr/heimdal/bin/kinit --no-forward --no-renew --keytab=/etc/krb5.keytab.web-daemon --afslog web-daemon/[email protected] /usr/sbin/httpd -DNO_DETACH -D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D CACHE -D MEM_CACHE -D DAV -D STATUS -D AUTH_DIGEST -D PROXY -D USERDIR -D REWRITE -k start

The web-daemon/[email protected] principal maps to this PTS identity (due to historical reasons the "/" is replaced with a "." in the OpenAFS pts to principal naming mapping; there are folks on this list who happen to know exactly why):

  $ pts exa web-daemon.scat.pdc.kth.se -c pdc.kth.se
  Name: web-daemon.scat.pdc.kth.se, id: 65531, owner: system:administrators, creator: haba.admin, membership: 4, flags: S----, group quota: 20.

Then all web-daemons.x.y.z are members of this group:

  $ pts mem web-daemons -c pdc.kth.se
  Members of web-daemons (id: -32225) are:
    web-daemon.wrasse.pdc.kth.se
    web-daemon.schelly.pdc.kth.se
    web-daemon.scat.pdc.kth.se

Then you give web-daemons the appropriate permissions in the file system.

Harald.

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
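An added example, not Harald's script and not OpenAFS or Heimdal code, of the pre-flight checks a service wrapper could run before kinit launches httpd as described in the post: the principal-to-PTS name mapping (drop the realm, replace "/" with "."), a check that the keytab actually holds a key for the principal, a warning when the keytab still carries legacy enctypes, and a check that the derived PTS identity is a member of the web-daemons group. The keytab and `pts membership` listings are constructed samples shaped like the real tools' output; the realm REALM.EXAMPLE and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Harald's script or OpenAFS code). The two listings below
# are constructed samples in the shape of Heimdal `ktutil list` and OpenAFS
# `pts membership` output; REALM.EXAMPLE is a placeholder realm.

# Map service/host@REALM to the OpenAFS PTS user name: strip the realm,
# then replace "/" with "." (the naming convention the post describes).
krb_to_pts() {
    p="${1%@*}"
    printf '%s\n' "$p" | tr '/' '.'
}

# Return 0 if the keytab listing has at least one key for the principal.
keytab_has_principal() {
    listing="$1"; princ="$2"
    printf '%s\n' "$listing" | awk -v p="$princ" \
        'NR > 1 && $3 == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Print the legacy enctypes (des-*, des3-*, arcfour-*) stored for the
# principal, one per line. Empty output means only AES keys are present.
keytab_legacy_enctypes() {
    listing="$1"; princ="$2"
    printf '%s\n' "$listing" | awk -v p="$princ" \
        '$3 == p && $2 ~ /^(des|arcfour)/ { print $2 }'
}

# Return 0 if the PTS name is listed as a member in `pts membership` output
# (first line is the "Members of ... are:" header, one member per line after).
pts_group_has_member() {
    listing="$1"; name="$2"
    printf '%s\n' "$listing" | awk -v n="$name" \
        'NR > 1 && $1 == n { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Constructed sample in the shape of `ktutil --keytab=... list`.
KEYTAB_LISTING='Vno  Type                     Principal
  0  des3-cbc-sha1            web-daemon/scat.pdc.kth.se@REALM.EXAMPLE
  0  aes128-cts-hmac-sha1-96  web-daemon/scat.pdc.kth.se@REALM.EXAMPLE
  0  arcfour-hmac-md5         web-daemon/scat.pdc.kth.se@REALM.EXAMPLE'

# Constructed sample in the shape of `pts membership web-daemons`.
PTS_MEMBERS='Members of web-daemons (id: -32225) are:
  web-daemon.wrasse.pdc.kth.se
  web-daemon.schelly.pdc.kth.se
  web-daemon.scat.pdc.kth.se'

# Run all checks for one principal. Returns 0 only when the keytab holds the
# principal and its PTS identity is in the group; legacy enctypes only warn.
preflight() {
    princ="$1"; group_listing="$2"; keytab_listing="$3"
    pts_name=$(krb_to_pts "$princ")
    status=0
    if keytab_has_principal "$keytab_listing" "$princ"; then
        echo "ok: keytab has $princ"
    else
        echo "FAIL: keytab lacks $princ"; status=1
    fi
    legacy=$(keytab_legacy_enctypes "$keytab_listing" "$princ")
    if [ -n "$legacy" ]; then
        echo "warn: legacy enctypes in keytab: $(printf '%s' "$legacy" | tr '\n' ' ')"
    fi
    if pts_group_has_member "$group_listing" "$pts_name"; then
        echo "ok: $pts_name is a member of the group"
    else
        echo "FAIL: $pts_name is not a member of the group"; status=1
    fi
    return $status
}

preflight 'web-daemon/scat.pdc.kth.se@REALM.EXAMPLE' "$PTS_MEMBERS" "$KEYTAB_LISTING"
```

In a real wrapper the two listings would come from `ktutil --keytab=... list` and `pts membership <group>` run just before kinit; the legacy warning matters because RFC 8429 deprecates 3DES and RC4 in Kerberos, so a service keytab that still carries those keys lets a KDC or client negotiate down to them.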
