[OpenAFS] Webserver, openAFS, kerberos

Jason Edgecombe jason@rampaginggeek.com
Mon, 26 Feb 2007 09:03:41 -0500


A token for the apache process is not required for a read-only setup. 
That said, you will need a token or IP ACL for write access.

Tell apache to use public_html in the users home folder and then run the 
following commands to give anonymous access to the proper folders.

fs sa ~ system:anyuser l
fs sa ~/public_html system:anyuser rl

Those are the minimal permissions to have apache read a user's 
public_html folder. Be sure that all of the ancestor directories of the 
home directory have at least "system:anyuser l" access.

As for your server set up, I strongly recommend that your afs server be 
a separate machine or VM and that it not be a webserver or an X terminal 
server. X is insecure, so you might try freenx instead 

If you can't afford an extra machine to put the afs server on, run Xen 
or VMware server and put the AFS server, X terminal server, and web 
servr in separate VM's.


Christof Hanke wrote:
> Well, you have to give your apache-server a token
> at startup and set the ACL on the public-html dir so that the apache 
> can read it using this token. That's all.
> There are a number of mails on this list how to give a daemon a 
> persistent token.
> Christof
> Alexander Al wrote:
>> Hi,
>> We have a openAFS-server on FC5 and in time we will provide
>> a X window terminal server on our network. The latter isn't the problem.
>> But there is also a request for servicing a Webserver. Now I have here
>> a problem, is there a system or method that users can have a public_html
>> folder in their home-dirs on the openAFS-server but Apache can read
>> those directory's?
>> Hopefully someone can help me on this one.
>> regards,
>> Alexander.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info