> mod_waklog is meant to be used as an .htaccess-style mechanism to
> let users supply credentials via a web browser so that apache can use
> those credentials to access user files. In this case, the apache
> process switches between multiple AFS users and the tokens only need
> to live for the brief life of the http request/session.
>
> Your timeout issues suggest that you are running apache with
> long-running tokens as a single user and those tokens need to be
> automatically renewed. If you're using this "apache needs persistent
> AFS access via a service account" use case, then you need to use
> k5start and a local keytab:
> https://www.eyrie.org/~eagle/software/kstart/k5start.html

Ok. So I have to add k5start [options] ...... /usr/bin/httpd ..... in the default systemd start script from apache.

Something like:

    ExecStart=/usr/bin/k5start -b -t -k /tmp/k5start_httpd -f keytab -K 10 -l 10h principal_from_keytab /usr/sbin/httpd $OPTIONS -DFOREGROUND

If I understand it correctly, k5start will take a new tgt, create a new pag and call aklog to get an afs token which is put into the pag of the parent process.

So I have to play with the flags -b, -K, -t

Does kinit/k5start or aklog create a new pag in general? I would say aklog.

> k5start is available in EPEL. I think there are debian packages as well.
>
> Jason
>
> ---------------------------------------------------------------------------
> Jason Edgecombe | Linux Administrator
> UNC Charlotte | The William States Lee College of Engineering
> 9201 University City Blvd. | Charlotte, NC 28223-0001
> Phone: 704-687-1943
> [email protected] | http://engr.uncc.edu
> ---------------------------------------------------------------------------
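
A systemd drop-in for the service-account setup discussed in this message, as an added example that is not part of the original thread or of the kstart or Apache packages. The drop-in path, keytab path and ticket-cache path are assumptions; -b is left out because systemd expects the process it starts to stay in the foreground.

```ini
# /etc/systemd/system/httpd.service.d/k5start.conf   (assumed drop-in path)
[Service]
# An empty ExecStart= clears the packaged command before redefining it.
ExecStart=

# -U            take the principal name from the keytab given with -f
# -f <keytab>   service keytab (assumed path; keep it root-owned, mode 0600)
# -t            run aklog after each ticket acquisition; when k5start is built
#               with setpag support and is given a command, it creates a new
#               PAG first, so the tokens live in the PAG that httpd inherits
# -K 10         wake up every 10 minutes and renew when needed
# -l 10h        requested ticket lifetime
# -k <cache>    ticket cache (assumed path, in a root-only directory instead
#               of a predictable name under world-writable /tmp)
# --            end of k5start options, so -DFOREGROUND goes to httpd
ExecStart=/usr/bin/k5start -U -f /etc/httpd/conf/httpd.keytab -t -K 10 -l 10h -k /run/httpd/krb5cc_httpd -- /usr/sbin/httpd $OPTIONS -DFOREGROUND

# Assumption: the packaged unit is Type=notify. httpd is now a child of
# k5start rather than the main PID, so its readiness notification is only
# accepted when NotifyAccess is widened.
NotifyAccess=all
```

After `systemctl daemon-reload` and a restart, running `tokens` from a process inside the service's PAG shows whether aklog succeeded.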
