Andreas,

Try modifying your systemd unit file to add the "-t" parameter as follows:

ExecStart=/usr/bin/k5start -o apache -K30 -t -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND


The "-t" option runs the aklog command to grab tokens. I don't use this
because my AFS folders are granted via IP ACLs and the kerberos credentials
are only used for accessing kerberized SMB shares.

Sincerely,
Jason

---------------------------------------------------------------------------
Jason Edgecombe | Linux Administrator
UNC Charlotte | The William States Lee College of Engineering
9201 University City Blvd. | Charlotte, NC 28223-0001
Phone: 704-687-1943
[email protected] | http://engr.uncc.edu

On Thu, Jul 13, 2017 at 5:59 AM, Andreas Ladanyi <[email protected]>
wrote:

> Hi Jason,
>
> I tried out your systemd config as below. I have a CentOS 7 box.
>
> k5start and Apache start.
>
> pstree:
> ====
>
> k5start───httpd───10*[httpd───2*[{httpd}]]
>
>
> less /proc/fs/openafs/unixusers:
> ===================
>
> UID/PAG    Refs States Cell      ViceID  Tok Set     Tok Begin   Tok Expire  vno  NFS Client UID/PAG  Client UID  Sysname(s)
>          0    0 0005   cellname       0  1499920292  1499920290  1499963490  256
>       1000    0 0005   cellname       1  1499930214  1499930215  1499966212  256
> 1091860458    0 0005   cellname   29787  1499931869  1499931870  1499967869  256
>
>
>
> The ViceID 29787 is the afs id of the correct afs username
> (afsweb.fqdn_of_the_host) in pts. The keytab which k5start reads contains
> the kerberos principal (afsweb/fqdn_of_the_host@REALM).
>
> I set read (rl) permission for the afs username afsweb.fqdn_of_the_host
> (29787) on the folder which contains the webfiles and "lookup" permission on
> all parent folders of the webfolder. Apache tells me it can't access the
> webfolder (DocumentRoot).
>
> Another problem I found is that Apache can't open logfiles in the AFS path
> and can't start:
> (13)Permission denied: AH00091: httpd: could not open error log file
> /afs/.............
>
> sestatus:
> =====
>
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   permissive
> Mode from config file:          error (Success)
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
>
>
> regards,
> Andreas
>
> Hi Andreas,
>
> Getting systemd, apache, and kstart to play nice took a little bit of
> work. I have included a sanitized copy of my Apache systemd unit file. Be
> sure to modify the ExecStart line to have the correct keytab location and
> principal name.
>
> I have NOT tested this in selinux enforcing mode, so beware.
>
> I think that kstart does create a new PAG, but I'm not certain. Be sure to
> verify that by running bash via kstart, then running "id" to see if an
> extra high-numbered numeric group appears. If no new PAG is created, then
> you might play with the pagsh command.
>
> Sincerely,
> Jason
>
> ----------------------------cut----------------------------
> [Unit]
> # customized unit file to start apache with a kerberos keytab
> Description=The Apache HTTP Server
> After=network.target remote-fs.target nss-lookup.target
> Documentation=man:httpd(8)
> Documentation=man:apachectl(8)
>
> [Service]
> Type=notify
> EnvironmentFile=/etc/sysconfig/httpd
> ExecStart=/usr/bin/k5start -o apache -K30 -f /etc/httpd.keytab httpd-principal-name -- /usr/sbin/httpd $OPTIONS -DFOREGROUND
> ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
> ExecStop=/bin/kill -WINCH ${MAINPID}
> # We want systemd to give httpd some time to finish gracefully, but still want
> # it to kill httpd after TimeoutStopSec if something went wrong during the
> # graceful stop. Normally, Systemd sends SIGTERM signal right after the
> # ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
> # httpd time to finish.
> KillSignal=SIGCONT
>
> # allow k5start child processes (i.e. apache) to notify system that it's up
> NotifyAccess=all
> PrivateTmp=false
>
> [Install]
> WantedBy=multi-user.target
> ----------------------------cut----------------------------

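As an added example (not taken from Jason's or Andreas's messages, and not part of kstart or OpenAFS), the following POSIX shell script automates the two checks the thread discusses: whether a process started under k5start is in its own PAG (Jason's suggestion to run "id" and look for an extra high-numbered group), and which UID/PAG entries in /proc/fs/openafs/unixusers still hold an unexpired token. It assumes the Linux OpenAFS convention that a new-style PAG appears as a supplementary group ID with top byte 0x41 (0x41000000 to 0x41FFFFFF); the unixusers text is a constructed sample laid out like the output Andreas quoted, and the group list is passed in as a string rather than read from a live `id -G`.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for a k5start +
# httpd setup. Everything works on text passed in, so it runs without AFS.

# Constructed sample in the format of /proc/fs/openafs/unixusers, modelled on
# the columns quoted in the thread; the numbers are illustrative only.
UNIXUSERS_SAMPLE='UID/PAG Refs States Cell ViceID Tok Set Tok Begin Tok Expire vno
         0    0 0005 cellname     0 1499920292 1499920290 1499963490 256
      1000    0 0005 cellname     1 1499930214 1499930215 1499966212 256
1091860458    0 0005 cellname 29787 1499931869 1499931870 1499967869 256'

# Assumption: on Linux, OpenAFS represents a "new style" PAG as a supplementary
# group ID whose top byte is 0x41, i.e. 0x41000000 .. 0x41FFFFFF in decimal.
PAG_MIN=1090519040
PAG_MAX=1107296255

# True if the gid in $1 lies in the PAG range.
is_pag_gid() {
  [ "$1" -ge "$PAG_MIN" ] && [ "$1" -le "$PAG_MAX" ]
}

# $1 is a whitespace-separated gid list as printed by `id -G`. Prints the PAG
# gid and returns 0 if one is present; returns 1 if the process has no PAG
# (the case Jason suggests checking with "id" after running bash via kstart).
pag_from_groups() {
  for gid in $1; do
    if is_pag_gid "$gid"; then
      printf '%s\n' "$gid"
      return 0
    fi
  done
  return 1
}

# $1 is unixusers text, $2 an epoch time. Prints "<uid-or-pag> <viceid> <state>"
# per token holder, where state is "valid" or "expired" as of $2.
unixusers_report() {
  printf '%s\n' "$1" | awk -v now="$2" '
    NR == 1 { next }          # header line
    NF >= 9 {
      # $1 UID/PAG, $5 ViceID, $8 Tok Expire (epoch seconds)
      state = ($8 > now) ? "valid" : "expired"
      printf "%s %s %s\n", $1, $5, state
    }'
}

# Returns 0 if the uid or PAG in $2 holds an unexpired token as of $3.
has_valid_token() {
  unixusers_report "$1" "$3" |
    awk -v who="$2" '$1 == who && $3 == "valid" { found = 1 } END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed sample; "now" is chosen so the uid 0 token
# has already expired while the token held by the PAG is still good.
NOW=1499965000
unixusers_report "$UNIXUSERS_SAMPLE" "$NOW"
if has_valid_token "$UNIXUSERS_SAMPLE" 1091860458 "$NOW"; then
  echo "PAG 1091860458 holds a valid token"
fi
```

On a real host the same functions can be fed live data, e.g. `pag_from_groups "$(id -G)"` from a shell started through k5start, and `unixusers_report "$(cat /proc/fs/openafs/unixusers)" "$(date +%s)"` to see whether the entry matching httpd's PAG still has a token before the next k5start renewal.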