[OpenAFS] Webserver, openAFS, kerberos
Mon, 26 Feb 2007 09:03:41 -0500
A token for the apache process is not required for a read-only setup.
That said, you will need a token or IP ACL for write access.
Tell apache to use public_html in the user's home folder and then run the
following commands to give anonymous access to the proper folders.
fs sa ~ system:anyuser l
fs sa ~/public_html system:anyuser rl
Those are the minimal permissions to have apache read a user's
public_html folder. Be sure that all of the ancestor directories of the
home directory have at least "system:anyuser l" access.
As for your server set up, I strongly recommend that your afs server be
a separate machine or VM and that it not be a webserver or an X terminal
server. X is insecure, so you might try freenx instead.
If you can't afford an extra machine to put the afs server on, run Xen
or VMware server and put the AFS server, X terminal server, and web
server in separate VMs.
Christof Hanke wrote:
> Well, you have to give your apache-server a token
> at startup and set the ACL on the public-html dir so that the apache
> can read it using this token. That's all.
> There are a number of mails on this list how to give a daemon a
> persistent token.
> Alexander Al wrote:
>> We have an openAFS-server on FC5 and in time we will provide
>> a X window terminal server on our network. The latter isn't the problem.
>> But there is also a request for servicing a Webserver. Now I have here
>> a problem, is there a system or method that users can have a public_html
>> folder in their home-dirs on the openAFS-server but Apache can read
>> those directories?
>> Hopefully someone can help me on this one.
> OpenAFS-info mailing list
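
An added example, not part of the original thread: a shell check that the ACLs described in the reply are in place, i.e. "rl" for system:anyuser on public_html and at least "l" on the home directory and each of its ancestors. The function names are hypothetical, and it assumes the home directory lives under /afs and that `fs listacl` prints its usual "Normal rights:" and "Negative rights:" sections.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `fs listacl` output on stdin; print system:anyuser's effective
# rights (normal rights minus any negative rights).
anyuser_rights() {
    awk '
        /^Normal rights:/   { sect = "n"; next }
        /^Negative rights:/ { sect = "x"; next }
        $1 == "system:anyuser" && sect == "n" { pos = $2 }
        $1 == "system:anyuser" && sect == "x" { neg = $2 }
        END {
            out = ""
            for (i = 1; i <= length(pos); i++) {
                c = substr(pos, i, 1)
                if (index(neg, c) == 0) out = out c
            }
            print out
        }'
}

# has_rights HAVE WANT: succeed if every letter of WANT appears in HAVE.
has_rights() {
    have=$1; want=$2
    while [ -n "$want" ]; do
        c=${want%"${want#?}"}      # first letter of WANT
        want=${want#?}
        case $have in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# check_public_html HOME: require "rl" on HOME/public_html and "l" on HOME
# and each ancestor. Assumption: HOME is under /afs; the walk stops there.
check_public_html() {
    home=$1; status=0
    acl=$(fs listacl "$home/public_html" 2>/dev/null | anyuser_rights)
    has_rights "$acl" rl || { echo "MISSING rl: $home/public_html"; status=1; }
    dir=$home
    while [ "$dir" != "/afs" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        acl=$(fs listacl "$dir" 2>/dev/null | anyuser_rights)
        has_rights "$acl" l || { echo "MISSING l: $dir"; status=1; }
        dir=$(dirname "$dir")
    done
    return $status
}
```

Calling `check_public_html` with a user's home directory path on a machine with an AFS client prints one line per directory that lacks the needed right and returns non-zero if any is missing.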