[OpenAFS] Website files in AFS

Russ Allbery rra@stanford.edu
Tue, 10 Feb 2004 22:27:23 -0800


Lukas Kubin <kubin@opf.slu.cz> writes:

> Thank you for the answer. I have more questions:

> 1. What determines whether a process is run inside or outside a PAG?

Basically, whether or not any process in its ancestry has ever called
setpag().

> I tried to kinit different principal and aklog as root in another shell
> using the same K5 cache file. It didn't affect serving AFS files by
> Apache. Does it mean the Apache is running from within a PAG?

Probably not.

It could mean a couple of different things.  First, Apache isn't likely
serving out files as root, so any changes you make to root's tokens won't
change Apache anyway.  Second, if you did this from a regular shell login,
*you* were probably in a PAG, at least if you have AFS fully set up.

If you have a non-crippled id program (Solaris's version from /usr/bin is
crippled; GNU's is not), you should be able to see when you're in a PAG.

elaine39:~> id
uid=11857(rra) gid=0(root) groups=33536,32564,0(root)

See those two extra high-numbered groups?  That indicates that I'm in a
PAG.

> 2. Is the schema I used (i.e. keys in /etc/krb5.keytab and cache in
> /tmp/krb5cc_system.webserver) similar to what others in AFS networks
> use, or does it have any drawback I will meet in near future?

It's basically what we do; we maintain the ticket with k5start (which you
can get from <http://www.eyrie.org/~eagle/kstart/>) rather than kinit, but
that's less necessary with K5 than it was with K4.  k5start still has some
nice abilities to run as a daemon, though (we generally run it under djb's
supervise).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
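As an added illustration, not part of Russ's message or of OpenAFS's own code: the two high-numbered groups in the id output above are not random. OpenAFS encodes the PAG id into them, and the kernel recovers the PAG with the arithmetic transcribed below from afs_get_pag_from_groups() in OpenAFS's afs_osi_pag.c. The script parses the id line from the message and a couple of constructed id lines, and reports whether the process that produced each line was in a PAG. Handling of the newer single-group style (one group whose top byte is 'A') is an assumption added here and is not in the message.

```python
"""Decode OpenAFS PAG membership from the groups that `id` prints."""
import re
from typing import List, Optional

NOPAG = 0xFFFFFFFF  # OpenAFS's "no PAG" sentinel
MASK32 = 0xFFFFFFFF


def pag_from_groups(g0: int, g1: int) -> int:
    """Transcription of OpenAFS afs_get_pag_from_groups(): recover the PAG id
    from the two-group encoding, or return NOPAG if the pair is not a PAG."""
    # afs_uint32 arithmetic: ordinary groups such as 0 or 1000 wrap to a huge
    # value here and fail the range test below.
    g0 = (g0 - 0x3F00) & MASK32
    g1 = (g1 - 0x3F00) & MASK32
    if g0 < 0xC000 and g1 < 0xC000:
        low = ((g0 & 0x3FFF) << 14) | (g1 & 0x3FFF)
        high = g0 >> 14
        high = (g1 >> 14) + high + high + high
        pag = ((high << 28) | low) & MASK32
        # Every PAG id carries 'A' (0x41) in its top byte; anything else is
        # an accidental match of two ordinary groups.
        if ((pag >> 24) & 0xFF) == ord("A"):
            return pag
    return NOPAG


def parse_id_groups(id_output: str) -> List[int]:
    """Pull the numeric group ids out of a `groups=33536,32564,0(root)` field."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return []
    return [int(tok.split("(")[0]) for tok in m.group(1).split(",")]


def find_pag(id_output: str) -> Optional[int]:
    """Return the PAG id encoded in an `id` line, or None if there is none."""
    groups = parse_id_groups(id_output)
    # Assumed single-group style (newer Linux ports): the group is the PAG id.
    for g in groups:
        if ((g >> 24) & 0xFF) == ord("A"):
            return g
    # Classic two-group style: try each ordered pair; the 'A' check in
    # pag_from_groups rejects the wrong ordering.
    for i, g0 in enumerate(groups):
        for j, g1 in enumerate(groups):
            if i != j:
                pag = pag_from_groups(g0, g1)
                if pag != NOPAG:
                    return pag
    return None


# The id line quoted in the message, plus two constructed lines.
ID_IN_PAG = "uid=11857(rra) gid=0(root) groups=33536,32564,0(root)"
ID_NO_PAG = "uid=1000(alice) gid=1000(alice) groups=1000(alice),4(adm),27(sudo)"
ID_ONE_GROUP_PAG = "uid=1000(alice) gid=1000(alice) groups=1000(alice),1090519092"

if __name__ == "__main__":
    for line in (ID_IN_PAG, ID_NO_PAG, ID_ONE_GROUP_PAG):
        pag = find_pag(line)
        status = f"in PAG 0x{pag:08x}" if pag is not None else "not in a PAG"
        print(f"{line}\n    -> {status}")
```

Run it as-is and the message's id line decodes to PAG 0x41000034, which is the sort of thing to check from inside the Apache process (or a CGI it runs) when you want to know whether tokens set in a shell could ever affect it.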