[OpenAFS] Re: httpd -setpag problems?!

TIARA System Man sysman@tiara.sinica.edu.tw
Mon, 21 Jul 2008 11:51:43 +0800


hi russ,

thanks for the help!! however, it complained "k5start: cannot create
PAG: AFS support is not available".  do you have any idea of this?

Stopping httpd:                                            [  OK  ]
Starting httpd: k5start: cannot create PAG: AFS support is not available

thanks, sam

"TIARA System Man" <sysman@tiara.sinica.edu.tw> writes:

> BUT, i modify "/etc/rc.d/init.d/httpd" file as following :
> (omit)
> PRE_CMD1="/usr/kerberos/bin/kinit -l 1d -k -t /etc/httpd/conf/http.keytab HTTP/lesoleil.tiara.sinica.edu.tw"
> PRE_CMD2="/usr/bin/aklog -d -setpag"
> POST_CMD="/usr/kerberos/bin/kdestroy"

aklog -setpag doesn't work with modern kernels in various different ways,
one of which being that it can set up a PAG and then not get a token.  I
suspect that's your problem.

You probably want to use k5start:

    http://www.eyrie.org/~eagle/software/kstart/

Then you can replace your invocation here:

>         $PRE_CMD1 ; $PRE_CMD2
>         LANG=$HTTPD_LANG daemon $httpd $OPTIONS
>         RETVAL=$?
>         echo
>         [ $RETVAL = 0 ] && touch ${lockfile}
>         $POST_CMD
>         return $RETVAL

with:

    k5start -b -l 1d -tUf /etc/httpd/conf/http.keytab -- \
        env LANG=$HTTPD_LANG $httpd $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>


On Fri, Jul 11, 2008 at 1:53 PM, TIARA System Man
<sysman@tiara.sinica.edu.tw> wrote:
> hi guys,
>
> i followed the "Distributed Services with OpenAFS" book instructions to set
> up a keytab file for web server. it worked for a while in scientific linux 4.
>
> recently, i would like to reconfigure web server in scientific linux 5. but
> this time the web server can not work. i believe i did exactly what i
> did before. following are my environment:
>
> i generated *http.lesoleil.tiara.sinica.edu.tw* a keytab.
>
> ##### set "http.lesoleil.tiara.sinica.edu.tw" in *webservers* group.
> pts membership webservers
> Members of webservers (id: -400) are:
>   http.lesoleil.tiara.sinica.edu.tw
>
> ##### grant *webservers* has "rlidwk" rights
> [root@lupus Sites]# fs listacl .
> Access list for . is
> Normal rights:
>   webservers rlidwk
>   system:backup rl
>   system:administrators rlidwka
>   xxxxx rlidwka
>
> ##### i verified *http.lesoleil.tiara.sinica.edu.tw* to access the web page
> folders. it could access through keytab.
> kinit -l 1d -k -t /etc/httpd/conf/http.keytab HTTP/lesoleil.tiara.sinica.edu.tw
> aklog
>
> [root@lesoleil ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/lesoleil.tiara.sinica.edu.tw@TIARA.SINICA.EDU.TW
>
> Valid starting     Expires            Service principal
> 07/11/08 12:05:32  07/12/08 12:08:56  krbtgt/TIARA.SINICA.EDU.TW@TIARA.SINICA.EDU.TW
> 07/11/08 12:05:38  07/12/08 12:08:56  afs@TIARA.SINICA.EDU.TW
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root@lesoleil ~]# tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 402) tokens for afs@tiara.sinica.edu.tw [Expires Jul 12 12:08]
>    --End of list--
>
> [root@lupus Sites]# touch test
>
> BUT, i modify "/etc/rc.d/init.d/httpd" file as following :
> (omit)
> PRE_CMD1="/usr/kerberos/bin/kinit -l 1d -k -t /etc/httpd/conf/http.keytab HTTP/lesoleil.tiara.sinica.edu.tw"
> PRE_CMD2="/usr/bin/aklog -d -setpag"
> POST_CMD="/usr/kerberos/bin/kdestroy"
> (omit)
> start() {
>         echo -n $"Starting $prog: "
>         check13 || exit 1
>         $PRE_CMD1 ; $PRE_CMD2
>         LANG=$HTTPD_LANG daemon $httpd $OPTIONS
>         RETVAL=$?
>         echo
>         [ $RETVAL = 0 ] && touch ${lockfile}
>         $POST_CMD
>         return $RETVAL
> }
> (omit)
>
> restart the httpd. apache could not get the tokens. it always complains
>
> (13)Permission denied: /home/xxxxx/Sites/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
>
> i use openafs-client-1.4.7-68.SL5.x86_64 and kernel version is
> 2.6.18-92.1.6.el5.
>
> could any one help me to debug this? thanks a million!!
>
> best, sam
>
> --
> Sam Tseng
> Academia Sinica
> Institute of Astronomy and Astrophysics
> Tel.: +886-2-33652200 ext 742
> Fax: +886-2-23677849



-- 
Sam Tseng
Academia Sinica
Institute of Astronomy and Astrophysics
Tel.: +886-2-33652200 ext 742
Fax: +886-2-23677849
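
A check for the failure Russ describes (a PAG that ends up with no token in it), as an added example that is not part of the original thread or of OpenAFS or kstart. It classifies `tokens` output in the format shown in the quoted message; the function name, the return-code convention, the sample text and the `[>> Expired <<]` marker are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify `tokens` output for one cell.
# Hypothetical return codes: 0 = valid token, 1 = no token for the cell,
# 2 = a token is listed for the cell but it has expired.
afs_token_state() {
    cell=$1    # cell name, e.g. tiara.sinica.edu.tw; `tokens` output on stdin
    awk -v want="afs@$cell" '
        BEGIN { want = tolower(want); state = 1 }
        # Token lines look like:
        #   ... (AFS ID 402) tokens for afs@CELL [Expires Jul 12 12:08]
        /[Tt]okens for / {
            for (i = 1; i < NF; i++)
                if ($i == "for") { name = tolower($(i + 1)); break }
            if (name != want) next
            # Assumed marker for an expired token: [>> Expired <<]
            if ($0 ~ /Expired/) { if (state != 0) state = 2 }
            else state = 0
        }
        END { exit state }
    '
}

# Constructed sample outputs, not captured from a real host.
SAMPLE_OK="Tokens held by the Cache Manager:

User's (AFS ID 402) tokens for afs@tiara.sinica.edu.tw [Expires Jul 12 12:08]
   --End of list--"
SAMPLE_EMPTY="Tokens held by the Cache Manager:

   --End of list--"
SAMPLE_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 402) tokens for afs@tiara.sinica.edu.tw [>> Expired <<]
   --End of list--"

# Demo over the constructed samples; on a live host the input would be
#   tokens | afs_token_state tiara.sinica.edu.tw
for sample in "$SAMPLE_OK" "$SAMPLE_EMPTY" "$SAMPLE_EXPIRED"; do
    rc=0
    printf '%s\n' "$sample" | afs_token_state tiara.sinica.edu.tw || rc=$?
    echo "state=$rc"
done
```

`tokens` reports only the credentials visible to the process that runs it, so the check is meaningful for httpd only when run from inside the same PAG as the server.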