[OpenAFS] AFS Module for Apache

Mikkel Kruse Johnsen mikkel@linet.dk
Tue, 14 Dec 2004 16:00:26 +0100



Hi Sergio and Others

I'm running Apache 2.0.51 on Fedora Core 2.

My plan is to have many VirtualHosts each running as different users, so
my config would look like

<VirtualHost *>
    ...
    User wwwuser1
    Group wwwuser1
    AFSEngine on
    AFSCache /tmp/krbcc_(wwwuser1's id)
    AFSKeytab wwwuser1.keytab
    ...
</VirtualHost>

<VirtualHost *>
    ...
    User wwwuser2
    Group wwwuser2
    AFSEngine on
    AFSCache /tmp/krbcc_(wwwuser2's id)
    AFSKeytab wwwuser2.keytab
    ...
</VirtualHost>

So each fork should run as a different user and have its own cache file,
which, if not present or expired, will be created from the keytab file.
Each VirtualHost is also setting its own PAG, which I understand should
make it possible for one user to hold many tokens by having many PAGs.

Is this possible, or am I way out there?

/Mikkel

PS: I could really use some pointers on a mod_afs module for Apache 2
and AFS 1.3.


On Fri, 2004-12-10 at 18:44 +0100, Sergio Gelato wrote:

> * Mikkel Kruse Johnsen [2004-12-10 16:39:55 +0100]:
> > I'm trying to make apache able to read AFS. I have found some examples on 
> > the net but they are all for apache 1.3, AFS 1.2 and Kerberos 4
> > 
> > I need apache 2, AFS 1.3.74 and Kerberos IV.
> 
> Which MPM for Apache?
> 
> The reason I'm asking is that a process cannot simultaneously hold tokens
> for more than one user per cell (unless this restriction has been removed
> in 1.3.x, but I doubt it since that would require a mechanism for choosing
> which of the several available identities should be used on any given file
> access). If you're multithreading this could be a serious problem. Even
> with the prefork MPM (still the default in 2.0, but maybe not in 2.1)
> you'll have to give each server process its own PAG.
> 
> > Using the attached module I get in /var/log/message "Dec 10 15:54:08 
> > frodo kernel: afs: Tokens for user of AFS id 48 for cell linet.dk are 
> > discarded (rxkad error=19270407)", which I think means bad ticket.
> > 
> > I don't really know what I'm doing, since I haven't hacked in AFS or 
> > Kerberos's API before, so this is a learning process. But my question is:
> > 
> > In the examples they all copy the "v4creds.session" into 
> > "ClearToken.HandShakeKey" but in v5creds there is no session key, I 
> > think it is called keyblock. What is the sessionKey in Kerberos IV ?
> > 
> > If anyone would like to help me out coding the module I would appreciate it.
> 
> How about using Heimdal's libkafs to cut down on the work involved?
> There is also a counterpart, krbafs, for MIT Kerberos but it may require
> some work to port to your platform.
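The two questions in this exchange, what takes the place of "v4creds.session" when the credential is a Kerberos 5 ticket, and what a per-process token built from a keytab has to contain before ktc_SetToken() is called, are illustrated by the added example below. It is not code from the thread, from Mikkel's attached module, or from OpenAFS/Heimdal/MIT; it shows the conversion that aklog and libkafs perform. The session key of a Kerberos 5 credential is its keyblock (keyblock.contents), and rxkad only accepts a single-DES session key, so a ticket whose session key is any other enctype is useless to the cache manager; the kernel message quoted above carries rxkad code 19270407, which is RXKADBADTICKET. Assumptions: the struct layouts (krb5_creds fields, ClearToken, the token holder) are local copies written so the example builds without libkrb5 or libafs, the numeric constants are the values from the OpenAFS and MIT headers as recalled here and should be checked against the installed ones, the key and ticket bytes are constructed, and the ViceId 48 is borrowed from the log line purely as a stand-in for the value a real module would look up through pts.

```c
/* Added example, not from the thread: turning a Kerberos 5 service ticket
 * for afs/<cell> into the (ticket, ClearToken) pair the AFS cache manager
 * expects, with the checks that catch a "bad ticket" before the kernel
 * discards the token.
 *
 * ASSUMPTION: the struct definitions below are local copies so that this
 * file builds without <krb5.h> or <afs/auth.h>/<afs/venus.h>. Real code
 * uses the library definitions; the logic of k5_to_afs_token() is the same. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constants as in OpenAFS rxkad.h / afs/auth.h and MIT krb5 (assumed values,
 * verify against your headers). */
#define RXKAD_TKT_TYPE_KERBEROS_V5 256  /* kvno marker for K5 tickets        */
#define MAXKTCTICKETLEN            344  /* largest ticket ktc will carry     */
#define DES_KEY_LEN                8    /* rxkad session keys are single DES */
#define ENCTYPE_DES_CBC_CRC        1
#define ENCTYPE_DES_CBC_MD4        2
#define ENCTYPE_DES_CBC_MD5        3

/* The fields of krb5_creds this conversion needs (local mirror). */
struct k5_keyblock { int32_t enctype; unsigned int length; const unsigned char *contents; };
struct k5_ticket   { unsigned int length; const unsigned char *data; };
struct k5_creds    { struct k5_keyblock keyblock; struct k5_ticket ticket;
                     time_t starttime, endtime; };

/* Local mirror of struct ClearToken: the part of the token the kernel keeps
 * in the clear. HandShakeKey is the rxkad session key. */
struct ClearToken {
    int32_t AuthHandle;
    char    HandShakeKey[8];
    int32_t ViceId;
    int32_t BeginTimestamp;
    int32_t EndTimestamp;
};

/* Example-local holder for what ktc_SetToken() would be given. */
struct afs_token {
    struct ClearToken ct;
    int32_t           kvno;
    unsigned int      ticketLen;
    unsigned char     ticket[MAXKTCTICKETLEN];
};

enum { TOK_OK = 0, TOK_BAD_ENCTYPE, TOK_BAD_KEYLEN, TOK_TICKET_TOO_LONG, TOK_EXPIRED };

/* Build the AFS token from a K5 credential. Returns TOK_OK or a reason code. */
int k5_to_afs_token(const struct k5_creds *c, int32_t viceid, time_t now,
                    struct afs_token *out)
{
    /* rxkad can only use a single-DES session key; a KDC that issued the
     * afs/<cell> ticket with another enctype gives a ticket the fileserver
     * rejects, which surfaces as an rxkad error when the token is used. */
    if (c->keyblock.enctype != ENCTYPE_DES_CBC_CRC &&
        c->keyblock.enctype != ENCTYPE_DES_CBC_MD4 &&
        c->keyblock.enctype != ENCTYPE_DES_CBC_MD5)
        return TOK_BAD_ENCTYPE;
    if (c->keyblock.length != DES_KEY_LEN)
        return TOK_BAD_KEYLEN;
    if (c->ticket.length > MAXKTCTICKETLEN)
        return TOK_TICKET_TOO_LONG;
    if (c->endtime <= now)
        return TOK_EXPIRED;

    memset(out, 0, sizeof *out);
    /* K5 counterpart of the old "v4creds.session -> HandShakeKey" copy:
     * the session key is keyblock.contents. */
    memcpy(out->ct.HandShakeKey, c->keyblock.contents, DES_KEY_LEN);
    out->kvno              = RXKAD_TKT_TYPE_KERBEROS_V5;
    out->ct.AuthHandle     = out->kvno;          /* ktc fills AuthHandle from kvno */
    out->ct.ViceId         = viceid;             /* from pts, here a stand-in   */
    out->ct.BeginTimestamp = (int32_t)c->starttime;
    out->ct.EndTimestamp   = (int32_t)c->endtime;
    out->ticketLen         = c->ticket.length;
    memcpy(out->ticket, c->ticket.data, c->ticket.length);
    return TOK_OK;
}

/* For the cache-file-per-VirtualHost plan: treat a token as stale 'margin'
 * seconds before EndTimestamp so a long request does not straddle expiry. */
int token_needs_refresh(const struct ClearToken *ct, time_t now, time_t margin)
{
    return (time_t)ct->EndTimestamp - margin <= now;
}

/* Constructed sample credential; not real key or ticket material. */
static const unsigned char sample_key[8]   = {0x13,0x1a,0x25,0x5b,0x62,0x6e,0x73,0x8f};
static const unsigned char sample_ticket[] = "constructed-ticket-bytes";

int main(void)
{
    struct k5_creds c = {
        .keyblock  = { ENCTYPE_DES_CBC_CRC, DES_KEY_LEN, sample_key },
        .ticket    = { sizeof sample_ticket - 1, sample_ticket },
        .starttime = 1102950000, .endtime = 1102950000 + 36000,
    };
    struct afs_token t;
    int rc = k5_to_afs_token(&c, 48, 1102950100, &t);
    printf("rc=%d kvno=%d viceid=%d ticketLen=%u refresh=%d\n", rc, t.kvno,
           t.ct.ViceId, t.ticketLen, token_needs_refresh(&t.ct, 1102950100, 600));
    /* In a module, each worker process would call setpag() first and then
     * hand this token to ktc_SetToken(); one process holds one identity per
     * cell, which is why the PAG has to be per process. */
    return rc;
}
```

The conversion is the same whether the credential comes from kinit-style interactive authentication or from a keytab; the per-VirtualHost plan in the thread only changes where the credential is obtained, not what has to be handed to the cache manager.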
