[OpenAFS] mod_waklog question

Benjamin Kaduk kaduk@mit.edu
Mon, 3 Jul 2017 10:52:39 -0500

On Mon, Jul 03, 2017 at 04:45:16PM +0200, Andreas Ladanyi wrote:
> Hi,
> I test Apache2 with mod_waklog.
> When will waklog autorenew the ticket/token ?
> After a duration of time apache is running I get error messages in the
> apache log that apache can't write to afs path. Maybe this could be
> because the ticket/token is invalid.
> I would expect that waklog will renew this automatically ?!
> Or do I have to restart apache all days or increase the ticket lifetime
> to an exorbitant number ?

I am far from an expert on mod_waklog (mostly, I just sat through a presentation
or two on it and never used it), but I had the impression that it was
normally used to get credentials from the remote user, [by some unspecified
mechanism populate KRB5CCNAME with a krb5 ccache for that user], and then
aklog to let apache access AFS as the remote user for servicing that given
request, then clean up/unlog the acquired token.  That doesn't really seem
consistent with what you describe, which is as if apache has a keytab of
its own and is using *those* kerberos credentials (not those of the remote
user) to acquire a token.  If that's the case, then that a token expires
is not very surprising, but I could not comment about whether expecting
automatic renewal is reasonable, since I don't know about that use case
at all.
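One way to settle whether the "can't write to afs path" errors line up with token expiry is to check the token lifetime directly instead of guessing. The following is an added example, not code from the thread or from mod_waklog: it parses the output of the OpenAFS `tokens` command and flags tokens that are expired or close to expiring. The sample output is constructed, and the `[Expires Mon DD HH:MM]` / `[>> Expired <<]` layout is an assumption about the `tokens` format that should be checked against your build.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `tokens` output (not captured from a real host).
# The bracketed expiry layout is assumed; verify it against your OpenAFS version.
SAMPLE_TOKENS_OUTPUT = """\
Tokens held by the Cache Manager:

User's (AFS ID 4242) rxkad tokens for cell.example.org [Expires Jul  3 18:45]
User's (AFS ID 4242) rxkad tokens for other.example.org [>> Expired <<]
   --End of list--
"""

# Match one token line: the cell name, then either an expiry stamp or the
# expired marker.  `tokens` prints no year, so the caller supplies it.
_TOKEN_RE = re.compile(
    r"tokens for (?P<cell>\S+) \["
    r"(?:Expires (?P<exp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2})|(?P<expired>>> Expired <<))\]"
)


def parse_tokens(text, year):
    """Return {cell: expiry datetime}, with None for tokens already expired."""
    found = {}
    for m in _TOKEN_RE.finditer(text):
        if m.group("expired"):
            found[m.group("cell")] = None
        else:
            # strptime treats whitespace in the format as "one or more", so the
            # padded day in "Jul  3" parses correctly.
            found[m.group("cell")] = datetime.strptime(
                f"{year} {m.group('exp')}", "%Y %b %d %H:%M"
            )
    return found


def tokens_needing_renewal(text, now, warn_minutes=60):
    """Cells whose token is expired or will expire within warn_minutes of `now`."""
    horizon = now + timedelta(minutes=warn_minutes)
    return sorted(
        cell
        for cell, exp in parse_tokens(text, now.year).items()
        if exp is None or exp <= horizon
    )


if __name__ == "__main__":
    # In practice, replace the sample with the real output of `tokens`.
    print(tokens_needing_renewal(SAMPLE_TOKENS_OUTPUT, datetime(2017, 7, 3, 18, 0)))
```

AFS tokens are scoped to a PAG, so the `tokens` output has to come from the httpd processes' own PAG; run from an unrelated shell it will not show the token the write errors concern.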