[OpenAFS] Setting up Filedrawers/mod_auth_kerb/mod_waklog on Debian Lenny

Adam Thornton athornton@sinenomine.net
Tue, 26 May 2009 10:17:55 -0500

Notes towards getting Filedrawers working with r/w AFS access

Note that this document comes from the perspective of someone who  
doesn't know anything about AFS at more than a naive user level.  It  
may be the case that the extant documentation really is adequate for  
AFS administrators.  It's not for me.

Lesson one: Cosign is not your friend.  I and a colleague spent a  
long, long time banging our heads into cosign, getting cryptic and  
unhelpful error messages, before deciding that sitewide single-sign-on  
was more trouble than it was worth.  Maybe I'll get back to it  
someday, but it was actively anti-helpful for me.

Lesson two: there is one useful document.  It is surprisingly hard to  
find with Google.  Its name is "How not to get burned with Filedrawers  
and AFS," and it is by Simon Wilkinson.  It is at


This document *is* your friend.  It is your bestest friend.  It needs  
better publicity than it gets.

So, we started with a Debian Lenny host.  This may not have been  
ideal, but it's what we were running.  We're using Apache 2.  No,  
going back to Apache 1.3 for easier waklog integration wasn't really a  

The first thing to do is to set up an Apache virtual host on ports 80  
and 443 and arrange it so port 80 redirects to the https host at 443.   
This is (unlike Filedrawers integration) well-documented on The  
Internets.  Do whatever your site does with SSL certificates to  
protect it.

Next, you're going to need mod_auth_kerb.  Debian has this: libapache2- 
mod-auth-kerb.  Then you're going to need a keytab that will let the  
web server user (www-data in Debian-world) have read access to your  
AFS installation.  Wilkinson's document tells exactly how to generate  
it, viz:

kadmin -q 'ank -randkey HTTP/fqdn.of.server'
kadmin -q 'ktadd -k /etc/httpd.keytab HTTP/fqdn.of.server'

And then

chown www-data /etc/httpd.keytab
chmod 400 /etc/httpd.keytab

Wilkinson also tells us pretty much how to set up auth_kerb_module:

<Location />
AuthName "Filedrawers"
AuthType Kerberos
KrbMethodNegotiate off
KrbMethodK5Passwd on
KrbSaveCredentials on
Krb5Keytab /etc/httpd.keytab
KrbAuthRealms YOUR.REALM
KrbServiceName HTTP/fqdn.of.server
require valid-user

Here, I deviated from Wilkinson's slides a bit.  I skipped (for now)  
all the stuff about being clever with SPNEGO and blithely ignored  
canonicalization problems.   His next step is setting up mod_waklog,  
but I went ahead and did filedrawers next.  Without mod_waklog, you  
get a read-only browsing front end to AFS, but that was
(for me, anyway) a useful intermediate step to have.

A bit of googling reveals that Adam Megacz has actually done a Debian  
package of filedrawers.  This saves some time:


This installs fine with the prereqs of php5, smarty, dh-make-php, php5- 
dev, and php5-fileinfo.  There might be others but if there were they  
were automatically pulled in or I already had them on the machine.

Copy the configuration in /usr/share/doc/filedrawers into your apache  
vhost config and restart Apache.  At this point you have something  
that is a read-only AFS web front end.

Next comes adding mod_waklog.  It's this step that's very, very poorly  

(Google, at this point, bless its little heart, helpfully suggests:  
"Did you mean to search for: afs file drawers wanklog")

First: download the SVN version of mod_waklog.

svn co https://modwaklog.svn.sourceforge.net/svnroot/modwaklog modwaklog

And then just build it.


So, it turns out that Adam Megacz expects you to still have Apache 1  
installed in order to build the damn thing.  Well, if you're running a  
Lenny system, this is a little problematic.  There ain't no such thing  
as apache-dev anymore.  The waklog mailing list also suggests that  
building 64-bit can be problematic; I don't know about that since I  
built on a 32-bit host.

You can do what I did, and spend a lot of time screwing around with  
the Debian build-rules trying to make it work, or you can do what I  
*EVENTUALLY* did, and just run make and then copy, by hand, .libs/ 
mod_waklog.so into your Apache modules directory.

Note that I did let debian/rules do the heavy lifting, and even that  
took some changes:

	./configure \
	  --with-afs-libs=/usr/lib/afs \
	  --with-afs-headers=/usr/include/afs \

I also commented out libapache-mod-waklog in debian/control, and  
removed the apache-dev dependency.  This still isn't enough to get a  
dpkg built, though.

At any rate, despite a dire warning about the non-portability of the  
compiled object file, you do end up with .libs/mod_waklog.so ready to  
copy to the Apache module directory.

Once you've done that, you just edit the Apache configuration as shown  
in Wilkinson: Load the waklog module and set WaklogAfsCell:

LoadModule waklog_module       /usr/lib/apache2/modules/mod_waklog.so
WaklogAfsCell		       your.cell

And then, inside the Vhost definition, add the following at the bottom:

WaklogEnabled                   On
WaklogUseUserTokens             On

The next thing to do is to fix the missing homedir problem and de- 
uMichify the filedrawers PHP.  This is documented in Wilkinson, but  
skip all the Smarty configuration stuff (that's already been done in the
dpkg for filedrawers).

So in libdrawers.php, you need to fix GetHomeDir() by adding:

$name=preg_replace("/@YOUR_REALM/","", $name);

Fix $afsBase in libdrawers.php:

$afsBase          = '/afs/your.cell/user/';

At this point, you have a working Filedrawers installation, sort of.   
Now you just want it to not look like University of Michigan's.  I  
just deleted the menubar from the banner (in smarty/templates/ 
banner.tpl) and substituted my site's primary web URL for the umich  
URLs, but obviously a lot more and much better customization could be  
done here.

Nevertheless, this gets you to a point where users can log in to your  
AFS cell, and upload and retrieve files via a web browser.  Safari and  
Firefox work fine.  How well other browsers do is unknown to me at  
this point.

I hope this helps other people avoid some of the pain I encountered  
along the way.