[OpenAFS] AFS && Apache

Marcus Watts mdw@umich.edu
Wed, 15 May 2002 03:21:46 -0400


Turbo Fredriksson <turbo@bayour.com> writes:
> I've moved my web directory to AFS space. I'm running
> TWO webservers, Roxen2 and Apache. I only run Apache
> because I have not been lucky getting PHP working
> with Roxen...
> 
> In the init scripts, I get a KerberosV ticket AND an
> AFS token...
> 
> Roxen works like a charm, but not Apache. I keep getting
> '403 Forbidden' from apache.
> 
> When doing it in the shell (getting the webserver ticket
> and token) I have the right to view anything apache should
> have access to. 'tokens' show me that I have the right
> AFS tokens...
> 
> It SEEMS like apache/apachectl is destroying the environment...
> 
> Any ideas anyone?

Apache probably does munge the environment, but if you can't read
files, then that's not an environment issue; you probably somehow no
longer have a token, and that's a kernel cache manager issue.  Unless
you built something for apache that knows about tokens, apache
shouldn't be losing that.  Apache *does* know to do a "setuid".  If you
haven't run a "setpag" before you run apache, then the setuid() call
will result in apache seeing the default tokens for user "nobody"
rather than the default tokens for (presumably) root - that would be
my first guess as to what's happening.  You probably *really* want to
run apache in its own pag and not root's -- that way, you can log in
separately as root, get tokens, and not break apache.

Apachectl doesn't by default know anything about pags.  That means you
have to really pay attention to what apachectl is doing under the skin
when you use it, because if it decides to rerun apache, the restarted
copy will likely start off in your pag.

Other things you can do:
 (1) run apache under ktrace/truss/strace - trace system calls,
	and see what apache does, up to & including what files
	it really tries to access, and what the real return code was.
 (2) run "tokens" from a cgi script.  See if you really have tokens
	then.
 (3) turn "tokens" into an apache module, run it as part of the
	server, see what that returns.
 (4) review your apache modules.  Did you load anything (pam,
	kerberos, custom module, etc.) that might be doing a
	setpag call?
 (5) Think about how you really want to manage kerberos tickets,
	afs tokens, keytabs, and renewing service tickets.
	If you don't need to do this per apache request,
	then "reauth" might serve your needs.  If you want
	to do per-request stuff, you may want an apache module
	that does a "setpag" for you.  If so, say what you
	want to do in as much relevant detail as possible
	and ask - people may have modules ...

				-Marcus
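The start-up arrangement Marcus describes (enter a fresh PAG, get the ticket and token there, check with `tokens`, then start httpd directly rather than through apachectl), written out as an added example that is not part of the original post. It assumes MIT `kinit` syntax, the OpenAFS `pagsh`, `aklog` and `tokens` commands, and placeholder values for the cell, principal, keytab and httpd path.

```shell
#!/bin/sh
# Added example: start Apache inside its own PAG so the token acquired here
# belongs to that PAG (and survives httpd's setuid() to the Apache user)
# instead of being root's default token. Cell, principal, keytab and httpd
# path are placeholders, not values from the list post.
set -eu

CELL="${AFS_CELL:-example.com}"
PRINC="${APACHE_PRINC:-apache/www.example.com@EXAMPLE.COM}"
KEYTAB="${APACHE_KEYTAB:-/etc/apache/apache.keytab}"
HTTPD="${HTTPD:-/usr/sbin/httpd}"

# Read `tokens` output on stdin; succeed only if a live token for cell $1 is
# listed. `tokens` prints lines such as
#   User's (AFS ID 1234) tokens for afs@example.com [Expires May 15 03:21]
# and shows "[>> Expired <<]" instead of the expiry for a dead token.
has_token_for_cell() {
    grep -q "tokens for afs@$1 \[Expires "
}

# Service ticket from the keytab (MIT kinit syntax), then the AFS token.
get_credentials() {
    kinit -k -t "$KEYTAB" "$PRINC"
    aklog -c "$CELL"
}

start_in_pag() {
    # First pass: re-exec this script under pagsh so everything that follows,
    # httpd included, runs in a fresh PAG rather than the invoker's.
    if [ -z "${IN_APACHE_PAG:-}" ]; then
        IN_APACHE_PAG=1 exec pagsh -c "\"$0\" start"
    fi
    get_credentials
    tokens | has_token_for_cell "$CELL" ||
        { echo "no AFS token for $CELL in this PAG" >&2; exit 1; }
    # exec httpd itself rather than apachectl, which may later restart it
    # from whatever PAG the administrator happens to be in.
    exec "$HTTPD"
}

# Only act when invoked as "start"; sourcing the file for its functions,
# or running it without arguments, does nothing.
case "${1:-}" in
    start) start_in_pag ;;
esac
```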