On Mon, Jul 03, 2017 at 04:45:16PM +0200, Andreas Ladanyi wrote:
> Hi,
>
> I test Apache2 with mod_waklog.
>
> When will waklog autorenew the ticket/token?
>
> After a duration of time apache is running I get error messages in the
> apache log that apache can't write to afs path. Maybe this could be
> because the ticket/token is invalid.
>
> I would expect that waklog will renew this automatically?!
>
> Or do I have to restart apache all days or increase the ticket lifetime
> to an exorbitant number?

I am far from an expert on mod_waklog (mostly, I just sat through a presentation or two on it and never used it), but I had the impression that it was normally used to get credentials from the remote user, [by some unspecified mechanism populate KRB5CCNAME with a krb5 ccache for that user], and then aklog to let apache access AFS as the remote user for servicing that given request, then clean up/unlog the acquired token.

That doesn't really seem consistent with what you describe, which is as if apache has a keytab of its own and is using *those* kerberos credentials (not those of the remote user) to acquire a token. If that's the case, then that a token expires is not very surprising, but I could not comment about whether expecting automatic renewal is reasonable, since I don't know about that use case at all.

-Ben
