[OpenAFS] Setting up Filedrawers/mod_auth_kerb/mod_waklog on Debian Lenny
Adam Thornton
athornton@sinenomine.net
Tue, 26 May 2009 10:17:55 -0500
Notes towards getting Filedrawers working with r/w AFS access
Note that this document comes from the perspective of someone who
doesn't know anything about AFS at more than a naive user level. It
may be the case that the extant documentation really is adequate for
AFS administrators. It's not for me.
Lesson one: Cosign is not your friend. I and a colleague spent a
long, long time banging our heads into cosign, getting cryptic and
unhelpful error messages, before deciding that sitewide single-sign-on
was more trouble than it was worth. Maybe I'll get back to it
someday, but it was actively anti-helpful for me.
Lesson two: there is one useful document. It is surprisingly hard to
find with Google. Its name is "How not to get burned with Filedrawers
and AFS," and it is by Simon Wilkinson. It is at
http://workshop.openafs.org/afsbpw08/talks/wed_3/Filedrawers.pdf
This document *is* your friend. It is your bestest friend. It needs
better publicity than it gets.
So, we started with a Debian Lenny host. This may not have been
ideal, but it's what we were running. We're using Apache 2. No,
going back to Apache 1.3 for easier waklog integration wasn't really a
possibility.
The first thing to do is to set up an Apache virtual host on ports 80
and 443 and arrange it so port 80 redirects to the https host at 443.
This is (unlike Filedrawers integration) well-documented on The
Internets. Do whatever your site does with SSL certificates to
protect it.
Next, you're going to need mod_auth_kerb. Debian has this:
libapache2-mod-auth-kerb. Then you're going to need a keytab that will let the
web server user (www-data in Debian-world) have read access to your
AFS installation. Wilkinson's document tells exactly how to generate
it, viz:
    kadmin -q 'ank -randkey HTTP/fqdn.of.server'
    kadmin -q 'ktadd -k /etc/httpd.keytab HTTP/fqdn.of.server'
And then
    chown www-data /etc/httpd.keytab
    chmod 400 /etc/httpd.keytab
Wilkinson also tells us pretty much how to set up auth_kerb_module:
    <Location />
        AuthName "Filedrawers"
        AuthType Kerberos
        KrbMethodNegotiate off
        KrbMethodK5Passwd on
        KrbSaveCredentials on
        Krb5Keytab /etc/httpd.keytab
        KrbAuthRealms YOUR.REALM
        KrbServiceName HTTP/fqdn.of.server
        require valid-user
    </Location>
Here, I deviated from Wilkinson's slides a bit. I skipped (for now)
all the stuff about being clever with SPNEGO and blithely ignored
canonicalization problems. His next step is setting up mod_waklog,
but I went ahead and did filedrawers next. Without mod_waklog, you
get a read-only browsing front end to AFS, but that was
(for me, anyway) a useful intermediate step to have.
A bit of googling reveals that Adam Megacz has actually done a Debian
package of filedrawers. This saves some time:
    /afs/hcoop.net/user/m/me/megacz/public/filedrawers/
This installs fine with the prereqs of php5, smarty, dh-make-php,
php5-dev, and php5-fileinfo. There might be others but if there were they
were automatically pulled in or I already had them on the machine.
Copy the configuration in /usr/share/doc/filedrawers into your apache
vhost config and restart Apache. At this point you have something
that is a read-only AFS web front end.
Next comes adding mod_waklog. It's this step that's very, very poorly
documented.
(Google, at this point, bless its little heart, helpfully suggests:
"Did you mean to search for: afs file drawers wanklog")
First: download the SVN version of mod_waklog.
    svn co https://modwaklog.svn.sourceforge.net/svnroot/modwaklog modwaklog
And then just build it.
Ha.
So, it turns out that Adam Megacz expects you to still have Apache 1
installed in order to build the damn thing. Well, if you're running a
Lenny system, this is a little problematic. There ain't no such thing
as apache-dev anymore. The waklog mailing list also suggests that
building 64-bit can be problematic; I don't know about that since I
built on a 32-bit host.
You can do what I did, and spend a lot of time screwing around with
the Debian build-rules trying to make it work, or you can do what I
*EVENTUALLY* did, and just run make and then copy, by hand,
.libs/mod_waklog.so into your Apache modules directory.
Note that I did let debian/rules do the heavy lifting, and even that
took some changes:
    ./configure \
        --with-afs-libs=/usr/lib/afs \
        --with-afs-headers=/usr/include/afs \
        --with-apxs=/usr/bin/apxs2
I also commented out libapache-mod-waklog in debian/control, and
removed the apache-dev dependency. This still isn't enough to get a
dpkg built, though.
At any rate, despite a dire warning about the non-portability of the
compiled object file, you do end up with .libs/mod_waklog.so ready to
copy to the Apache module directory.
Once you've done that, you just edit the Apache configuration as shown
in Wilkinson: Load the waklog module and set WaklogAfsCell:
    LoadModule waklog_module /usr/lib/apache2/modules/mod_waklog.so
    WaklogAfsCell your.cell
And then, inside the Vhost definition, add the following at the bottom:
    WaklogEnabled On
    WaklogUseUserTokens On
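As an added post-install check (example code written here, not from the original post or from mod_auth_kerb, mod_waklog or Filedrawers), the script below verifies that the directives listed above are present with the expected values and that the keytab named by Krb5Keytab is mode 400 and owned by the web server uid. The vhost file path and the uid argument, e.g. `$(id -u www-data)`, are assumptions.

```shell
#!/bin/sh
# Added post-install check for the setup above (not from the original post or
# from mod_auth_kerb, mod_waklog or Filedrawers). Run it as root on the web host.

# check_keytab PATH OWNER_UID: the keytab must exist, be mode 400 and be owned
# by the web server uid, as the post's chown/chmod step intends. It holds the
# HTTP/ service key, so anything wider than that is a finding.
check_keytab() {
    kt="$1"; want_uid="$2"
    [ -f "$kt" ] || { echo "MISSING keytab $kt"; return 1; }
    mode=$(stat -c '%a' "$kt") || return 1
    uid=$(stat -c '%u' "$kt") || return 1
    rc=0
    [ "$mode" = "400" ] || { echo "BAD MODE $mode on $kt (want 400)"; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "BAD OWNER uid $uid on $kt (want $want_uid)"; rc=1; }
    return $rc
}

# check_directive CONF NAME VALUE: NAME must appear uncommented with VALUE as
# its first argument; values compare case-insensitively, as Apache reads them.
# The last occurrence in the file wins.
check_directive() {
    conf="$1"; name="$2"; want="$3"
    got=$(grep -iE "^[[:space:]]*$name[[:space:]]" "$conf" | tail -n 1 | awk '{print $2}')
    [ -n "$got" ] || { echo "MISSING $name in $conf"; return 1; }
    lc_got=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    lc_want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    [ "$lc_got" = "$lc_want" ] || { echo "WRONG $name $got in $conf (want $want)"; return 1; }
    return 0
}

# check_vhost CONF OWNER_UID: run every check for the directives the post lists
# and for the keytab the Krb5Keytab directive points at; returns the number of
# failed checks, so 0 means the config matches the post.
check_vhost() {
    conf="$1"; owner_uid="$2"; fails=0
    for pair in "AuthType:Kerberos" "KrbMethodK5Passwd:on" "KrbSaveCredentials:on" \
                "WaklogEnabled:On" "WaklogUseUserTokens:On"; do
        check_directive "$conf" "${pair%%:*}" "${pair#*:}" || fails=$((fails + 1))
    done
    kt=$(grep -iE '^[[:space:]]*Krb5Keytab[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    if [ -n "$kt" ]; then
        check_keytab "$kt" "$owner_uid" || fails=$((fails + 1))
    else
        echo "MISSING Krb5Keytab in $conf"; fails=$((fails + 1))
    fi
    echo "$fails check(s) failed for $conf"
    return "$fails"
}
```

Point it at the vhost file that carries both the <Location /> block and the Waklog directives; the exit status is the number of failed checks.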
The next thing to do is to fix the missing homedir problem and
de-uMichify the filedrawers PHP. This is documented in Wilkinson, but
skip all the Smarty configuration stuff (that's already been done in the
dpkg for filedrawers).
So in libdrawers.php, you need to fix GetHomeDir() by adding:
    $name=preg_replace("/@YOUR_REALM/","", $name);
Fix $afsBase in libdrawers.php:
    $afsBase = '/afs/your.cell/user/';
At this point, you have a working Filedrawers installation, sort of.
Now you just want it to not look like University of Michigan's. I
just deleted the menubar from the banner (in
smarty/templates/banner.tpl) and substituted my site's primary web URL for the umich
URLs, but obviously a lot more and much better customization could be
done here.
Nevertheless, this gets you to a point where users can log in to your
AFS cell, and upload and retrieve files via a web browser. Safari and
Firefox work fine. How well other browsers do is unknown to me at
this point.
I hope this helps other people avoid some of the pain I encountered
along the way.
Adam