[OpenAFS] Notes on how to get filedrawers minimally working with R/W AFS access on Debian (at least).

David Boyes dboyes@sinenomine.net
Thu, 28 May 2009 13:18:34 -0400


Original author: Adam Thornton (athornton (at) sinenomine.net)

This will be posted for reference in a bit (when I get around to it).=20


Notes towards getting Filedrawers working with r/w AFS access

Note that this document comes from the perspective of someone who
doesn't know anything about AFS at more than a naive user level.  It may
be the case that the extant documentation really is adequate for AFS
administrators.  It's not for me.

Lesson one: Cosign is not your friend.  I and a colleague spent a long,
long time banging our heads into cosign, getting cryptic and unhelpful
error messages, before deciding that sitewide single-sign-on was more
trouble than it was worth.  Maybe I'll get back to it someday, but it
was actively anti-helpful for me.

Lesson two: there is one useful document.  It is hard to find with
Google.  Its name is "How not to get burned with Filedrawers and AFS,"
and it is by Simon Wilkinson.  It is at

http://workshop.openafs.org/afsbpw08/talks/wed_3/Filedrawers.pdf

This document *is* your friend.  It is your bestest friend.  It needs
better publicity than it gets.

So, we started with a Debian Lenny host.  This may not have been ideal,
but it's what we were running.  We're using Apache 2.  No, going back to
Apache 1.3 for easier waklog integration wasn't really a possibility.

The first thing to do is to set up an Apache virtual host on ports 80
and 443 and arrange it so port 80 redirects to the https host at 443.
This is (unlike Filedrawers integration) well-documented on The
Internets.  Do whatever your site does with SSL certificates to protect
it.=20

Next, you're going to need mod_auth_kerb.  Debian has this:
libapache2-mod-auth-kerb.  Then you're going to need a keytab that will
let the web server user (www-data in Debian-world) have read access to
your AFS installation.  Wilkinson's document tells exactly how to
generate it, viz:

kadmin -q 'ank -randkey HTTP/fqdn.of.server'=20
kadmin -q 'ktadd -k /etc/httpd.keytab HTTP/fqdn.of.server'

And then=20

chown www-data /etc/httpd.keytab
chmod 400 /etc/httpd.keytab

Wilkinson also tells us pretty how to set up auth_kerb_module:

<Location />=20
AuthName "Filedrawers"
AuthType Kerberos=20
KrbMethodNegotiate off=20
KrbMethodK5Passwd on=20
KrbSaveCredentials on=20
Krb5Keytab /etc/httpd.keytab=20
KrbAuthRealms YOUR.REALM
KrbServiceName HTTP/fqdn.of.server
require valid-user=20
</Location>=20

Here, I deviated from Wilkinson's slides a bit.  His next step is
setting up mod_waklog, but I went ahead and did filedrawers.  Without
mod_waklog, you get a read-only browsing front end to AFS, but that was
(for me, anyway) a useful intermediate step to have.

A bit of googling reveals that Adam Megacz has actually done a Debian
package of filedrawers.  This saves some time:

/afs/hcoop.net/user/m/me/megacz/public/filedrawers/

This installs fine with the prereqs of php5, smarty, and php5-fileinfo.
There might be others.  If there were they were already on my machine,
though.

Copy the configuration in /usr/share/doc/filedrawers into your apache
vhost config and restart Apache.  At this point you have something that
is a read-only AFS web front end.

Next comes adding mod_waklog.  It's this step that's very, very poorly
documented.

(Google, at this point, bless its little heart, helpfully suggests: "Did
you mean to search for: afs file drawers wanklog")=20

First: download the SVN version of mod_waklog.

svn co https://modwaklog.svn.sourceforge.net/svnroot/modwaklog modwaklog

And then just build it.

Ha.

So, it turns out that Adam Megacz expects you to still have Apache 1
installed in order to build the damn thing.  Well, if you're running a
Lenny system, this is a little problematic.  There ain't no such thing
as apache-dev anymore.  The waklog mailing list also suggests that
building 64-bit can be problematic; I don't know about that since I
built on a 32-bit host.

You can do what I did, and spend a lot of time screwing around with the
Debian build-rules trying to make it work, or you can do what I
*EVENTUALLY* did, and just run make and then copy, by hand,
.libs/mod_waklog.so into your Apache modules directory. =20

Note that I did let debian/rules do the heavy lifting, and even that
took some changes:=20

	./configure \
	  --with-afs-libs=3D/usr/lib/afs \
	  --with-afs-headers=3D/usr/include/afs \
	  --with-apxs=3D/usr/bin/apxs2

I also commented out libapache-mod-waklog in debian/control, and removed
the apache-dev dependency.  This still isn't enough to get a dpkg built,
though.=20

At any rate, despite a dire warning about the non-portability of the
compiled object file, you do end up with .libs/mod_waklog.so ready to
copy to the Apache module directory.

Once you've done that, you just edit the Apache configuration as shown
in Wilkinson: Load the waklog module and set WaklogAfsCell:

LoadModule waklog_module       /usr/lib/apache2/modules/mod_waklog.so
WaklogAfsCell		       your.cell

And then, inside the Vhost definition, add the following at the bottom:

WaklogEnabled                   On=20
WaklogUseUserTokens             On=20

The next thing to do is to fix the missing homedir problem and
de-uMichify the filedrawers PHP.  This is documented in Wilkinson, but
skip all the Smarty configuration stuff (that's already been done in the
dpkg for filedrawers).

So in libdrawers.php, you need to fix GetHomeDir() by adding:

$name=3Dpreg_replace("/@YOUR_REALM/","", $name);=20

Fix $afsBase in libdrawers.php:=20

$afsBase          =3D '/afs/your.cell/user/';

At this point, you have a working Filedrawers installation, sort of.
Now you just want it to not look like University of Michigan's.  I just
deleted the menubar from the banner (in smarty/templates/banner.tpl) and
substituted my site's primary web URL for the umich URLs, but obviously
a lot more and much better customization could be done here. =20

Nevertheless, this gets you to a point where users can log in to your
AFS cell, and upload and retrieve files via a web browser.  Safari and
Firefox work fine.  How well other browsers do is unknown to me at this
point.