[OpenAFS] AFS && Apache

Russ Allbery rra@stanford.edu
Wed, 15 May 2002 01:02:15 -0700

Turbo Fredriksson <turbo@bayour.com> writes:

> I set the variable 'KRB5CCNAME=FILE:/var/run/apache.krbenv', run
> 'kinit -l 14d -k -t /etc/krb5.keytab.webserver webserver@BAYOUR.COM',
> then I execute 'aklog'. AFTER that, I start apache... Oh, and I chown
> /var/run/apache.krbenv as 33.33 (which apache is running as).

> Now, doing a 'su - 33' then setting the KRB5CCNAME variable, I see
> the ticket, BUT NOT THE TOKEN! Quite naturally I can't access the web
> directory...

That's probably because the token is in a different PAG.

> So it seems that 'aklog' doesn't use the KRB5CCNAME variable, and that I
> get the token in the user shell...

If you're using a K5 aklog (I don't know what aklog you're using; there
are a lot of programs out there that use that name, some of which use K5
and some of which use K4; the latter wouldn't know anything about
KRB5CCNAME, of course), it should obey that variable and obtain a token,
but that token will be local to the enclosing PAG if you're running it
inside a PAG.

