Hi Andreas,

Getting systemd, Apache, and kstart to play nice took a little bit of work.
I have included a sanitized copy of my Apache systemd unit file. Be sure to
modify the ExecStart line to have the correct keytab location and principal
name.

I have NOT tested this in SELinux enforcing mode, so beware.

I think that kstart does create a new PAG, but I'm not certain. Be sure to
verify that by running bash via kstart, then running "id" to see if an
extra high-numbered numeric group appears. If no new PAG is created, then
you might play with the pagsh command.

Sincerely,
Jason

----------------------------cut----------------------------
[Unit]
# customized unit file to start apache with a kerberos keytab
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
# k5start: -o sets the owner of the ticket cache, -K30 re-checks/renews the
# ticket every 30 minutes, -f names the keytab; everything after -- is the
# command run with the resulting Kerberos environment.
ExecStart=/usr/bin/k5start -o apache -K30 -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, systemd sends the SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending a useless SIGCONT here to
# give httpd time to finish.
KillSignal=SIGCONT

# allow k5start child processes (i.e. apache) to notify systemd that it's up
NotifyAccess=all
PrivateTmp=false

[Install]
WantedBy=multi-user.target
----------------------------cut----------------------------

---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
[email protected] | http://engr.uncc.edu |  Facebook
---------------------------------------------------------------------------
If you are not the intended recipient of this transmission or a person
responsible for delivering it to the intended recipient, any disclosure,
copying, distribution, or other use of any of the information in this
transmission is strictly prohibited. If you have received this transmission
in error, please notify me immediately by reply e-mail or by telephone at
704-687-1943.  Thank you.
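
The PAG check Jason describes (run something through k5start, then look at
"id" for an extra high-numbered group), as an added shell example that is not
part of the thread. It assumes, which the thread does not state, that the Linux
OpenAFS client exposes a PAG as a supplementary group with a GID in the range
0x41000000..0x41FFFFFF (1090519040..1107296255); the "id -G" outputs it
compares are constructed, not captured from Jason's system.

```shell
#!/bin/sh
# Added example: spot an OpenAFS PAG among a process's supplementary groups.
# Assumption (not from the thread): on Linux, OpenAFS represents a PAG as a
# supplementary group whose GID lies in 0x41000000..0x41FFFFFF.
PAG_MIN=1090519040
PAG_MAX=1107296255

# pag_gids GID...: print every argument that is a numeric GID in the PAG range.
# Feed it the output of "id -G" (numeric groups only, space separated).
pag_gids() {
    for gid in "$@"; do
        case "$gid" in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$gid" -ge "$PAG_MIN" ] && [ "$gid" -le "$PAG_MAX" ]; then
            printf '%s\n' "$gid"
        fi
    done
}

# has_new_pag OUTSIDE INSIDE: succeed (exit 0) if INSIDE contains a PAG GID
# that OUTSIDE does not, i.e. the command run under k5start got a fresh PAG.
has_new_pag() {
    outside=$(pag_gids $1)
    inside=$(pag_gids $2)
    for gid in $inside; do
        case " $outside " in
            *" $gid "*) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample "id -G" outputs: the apache user outside k5start, and the
# same user after k5start handed it a new PAG.
SAMPLE_OUTSIDE="48 48"
SAMPLE_INSIDE="48 48 1090519041"

# Live check, only meaningful on a host with k5start and the AFS client:
#   outside=$(id -G)
#   inside=$(k5start -f /etc/httpd.keytab httpd-principal-name -- id -G)
#   has_new_pag "$outside" "$inside" && echo "k5start created a new PAG"
```

If has_new_pag fails on the live check, the command under k5start is still in
the caller's PAG (or none), which is when Jason suggests playing with pagsh.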

On Tue, Jul 11, 2017 at 4:44 AM, Andreas Ladanyi <[email protected]>
wrote:

>
> ​mod_waklog is meant to be used as an .htaccess-style mechanism​ to let
> users supply credentials via a web browser so that apache can use those
> credentials to access user files. In this case, the apache process switches
> between multiple AFS users and the tokens only need to live for the brief
> life of the http request/session.
>
> Your timeout issues suggest that you are running apache with long-running
> tokens as a single user and those tokens need to be automatically renewed.
> If you're using this "apache needs persistent AFS access via a service
> account" use case, then you need to use k5start and a local keytab:
> https://www.eyrie.org/~eagle/software/kstart/k5start.html
>
> OK. So I have to add k5start [options] ...... /usr/bin/httpd ..... in the
> default systemd start script for Apache.
>
> Something like:
>
> ExecStart=/usr/bin/k5start -b -t -k /tmp/k5start_httpd -f keytab -K 10 -l 10h principal_from_keytab /usr/sbin/httpd $OPTIONS -DFOREGROUND
>
> If I understand it correctly, k5start will take a new TGT, create a new
> PAG and call aklog to get an AFS token which is put into the PAG of the
> parent process.
>
> So i have to play with the flags -b, -K, -t
>
> Does kinit/k5start or aklog create a new PAG in general? I would say
> aklog.
>
>
> k5start is available in EPEL. I think there are Debian packages as well.
>
> Jason
>
>