[OpenAFS] Re: Authentication weirdness

Chris Snyder csnyder@mvpsoft.com
Tue, 05 Nov 2002 21:24:18 -0500


> I have the following in /etc/pam.d/httpd:
> 
> auth       required   /lib/security/pam_afs.so.1        ignore_root dont_fork
> account    required   /lib/security/pam_afs.so.1
> session    optional   /lib/security/pam_afs.so.1
> 
> 
>>Also, the PAM_SetCred on command gets rejected by Apache as not being 
>>supported (server error).
> 
> 
> Hm. Strange. It seems that the directives are actually called
> "AuthPAM_SetCred" and "AuthPAM_Enabled".

Well, I've made some progress. I've now gotten to the point where 
authentication works (the pam.d/httpd file was the culprit), however I'm 
still having issues with tokens. My Apache server has its own user token 
that is automatically renewed via cronjob. All of the directories in my 
web tree are readable only by site admins and the Apache server, since 
many contain PHP source with database passwords and so forth. Therefore, 
the Apache token is crucial. When a user authenticates, their token 
seems to be overriding the Apache token. This causes a lot of problems, 
since the majority of users (all but me at the moment) have no read 
access to the directory. In addition, after the request, the Apache 
process does not regain its own token, and subsequent requests to that 
process fail, even for other non-authenticated sites.

Setting AuthPAM_SetCred Off doesn't help any; in fact, it makes things 
worse to some degree. Before, I was able to access the authenticated 
directory with my login, since I have read access to the directory as a 
site admin. However, with this set to off, the server has no tokens, and 
I get a 403 like all other users.

Is there any way to authenticate without obtaining tokens at all? This 
is what I really need. Thanks for your help.