Hi Ben, now i only enabled the module in Apache without any directory / location directive which points to the afs filesystem path. For testing.
I have a look at error_log and mod_waklog renew the token sometimes a day. > I am far from an expert on mod_waklog (mostly, I just sat through a > presentation > or two on it and never used it), but I had the impression that it was > normally used to get credentials from the remote user, [by some unspecified > mechanism populate KRB5CCNAME with a krb5 ccache for that user], and then > aklog to let apache access AFS as the remote user for servicing that given > request, then clean up/unlog the acquired token. yes, this seems to be the main idea of waklog. > That doesn't really seem > consistent with what you describe, which is as if apache has a keytab of > its own and is using *those* kerberos credentials (not those of the remote > user) to acquire a token. Yes, i configured a kerberos credential and keytab for apache and tell waklog to use them. As i wrote waklog renew them sometimes. > If that's the case, then that a token expires > is not very surpirsing, but I could not comment about whether expecting > automatic renewal is reasonable, since I don't know about that use case > at all. > > -Ben
smime.p7s
Description: S/MIME Cryptographic Signature
