mod_waklog is meant to be used as an .htaccess-style mechanism to let users supply credentials via a web browser so that apache can use those credentials to access user files. In this case, the apache process switches between multiple AFS users and the tokens only need to live for the brief life of the http request/session.

Your timeout issues suggest that you are running apache with long-running tokens as a single user and those tokens need to be automatically renewed. If you're using this "apache needs persistent AFS access via a service account" use case, then you need to use k5start and a local keytab:

https://www.eyrie.org/~eagle/software/kstart/k5start.html

k5start is available in EPEL. I think there are Debian packages as well.

Jason

---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
[email protected] | http://engr.uncc.edu
---------------------------------------------------------------------------

On Mon, Jul 3, 2017 at 11:52 AM, Benjamin Kaduk <[email protected]> wrote:

> On Mon, Jul 03, 2017 at 04:45:16PM +0200, Andreas Ladanyi wrote:
> > Hi,
> >
> > I test Apache2 with mod_waklog.
> >
> > When will waklog autorenew the ticket/token?
> >
> > After a duration of time apache is running I get error messages in the
> > apache log that apache can't write to afs path. Maybe this could be
> > because the ticket/token is invalid.
> >
> > I would expect that waklog will renew this automatically ?!
> >
> > Or do I have to restart apache all days or increase the ticket lifetime
> > to an exorbitant number?
>
> I am far from an expert on mod_waklog (mostly, I just sat through a
> presentation or two on it and never used it), but I had the impression
> that it was normally used to get credentials from the remote user, [by
> some unspecified mechanism populate KRB5CCNAME with a krb5 ccache for
> that user], and then aklog to let apache access AFS as the remote user
> for servicing that given request, then clean up/unlog the acquired
> token. That doesn't really seem consistent with what you describe, which
> is as if apache has a keytab of its own and is using *those* kerberos
> credentials (not those of the remote user) to acquire a token. If that's
> the case, then that a token expires is not very surprising, but I could
> not comment about whether expecting automatic renewal is reasonable,
> since I don't know about that use case at all.
>
> -Ben
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
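
The service-account setup recommended in the reply above (k5start plus a local keytab), sketched as a launcher that refuses to start when the keytab is readable by anyone but its owner. This is an added example, not code from the thread or from the kstart project; the file paths, the 10-minute interval, the function names and the server command are assumptions.

```shell
#!/bin/sh
# Added example: keep a service account's Kerberos ticket and AFS token
# fresh for a web server with k5start. Paths and interval are assumptions.

KEYTAB=${KEYTAB:-/etc/apache2/afs-service.keytab}   # assumed keytab path
CCACHE=${CCACHE:-/run/apache2/krb5cc_afs}           # assumed ticket cache
CHECK_MINUTES=${CHECK_MINUTES:-10}                  # assumed wake-up interval

# Succeeds only for a regular, non-symlink file with no group/other
# permission bits: the keytab is a long-lived secret for the account.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of `ls -ld` output are the group and other bits.
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Prints the k5start command line that supervises the given server command.
#   -U  use the first principal found in the keytab
#   -f  keytab to authenticate from
#   -k  ticket cache to write
#   -t  run aklog after each ticket acquisition to get an AFS token
#   -K  wake every N minutes; get a new ticket if it would expire too soon
k5start_command() {
    printf 'k5start -U -f %s -k %s -t -K %s -- %s\n' \
        "$KEYTAB" "$CCACHE" "$CHECK_MINUTES" "$*"
}

# Checks the keytab, then replaces this shell with k5start running the server.
start_with_tokens() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to start: $KEYTAB missing or group/world accessible" >&2
        return 1
    fi
    exec k5start -U -f "$KEYTAB" -k "$CCACHE" -t -K "$CHECK_MINUTES" -- "$@"
}

# Typical call from a service wrapper (the server command is an assumption):
#   start_with_tokens httpd -DFOREGROUND
```
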
