[OpenAFS] Apache2 and OpenAFS

Harald Barth haba@kth.se
Wed, 07 Oct 2015 13:10:57 +0200 (CEST)


We run our web server authenticated from a keytab. The keytab contains

# /usr/heimdal/sbin/ktutil --keytab=/etc/krb5.keytab.web-daemon list
Vno  Type                     Principal
  0  des3-cbc-sha1            web-daemon/scat.pdc.kth.se@NADA.KTH.SE
  0  aes128-cts-hmac-sha1-96  web-daemon/scat.pdc.kth.se@NADA.KTH.SE
  0  arcfour-hmac-md5         web-daemon/scat.pdc.kth.se@NADA.KTH.SE

Then the webserver is started with heimdal kinit (which does all the
pagsh and renew magic) with that keytab:

# ps auxgwww | grep kinit
root     31751  0.0  0.0  39880  2100 ?        S    Jul04   0:04 /usr/heimdal/bin/kinit --no-forward --no-renew --keytab=/etc/krb5.keytab.web-daemon --afslog web-daemon/scat.pdc.kth.se@NADA.KTH.SE /usr/sbin/httpd -DNO_DETACH -D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D CACHE -D MEM_CACHE -D DAV -D STATUS -D AUTH_DIGEST -D PROXY -D USERDIR -D REWRITE -k start

The web-daemon/scat.pdc.kth.se@NADA.KTH.SE principal maps to this PTS
identity (due to historical reasons the "/" is replaced with a "." in
the OpenAFS pts to principal naming mapping; there are folks on this
list who happen to know exactly why):

$ pts exa web-daemon.scat.pdc.kth.se -c pdc.kth.se
Name: web-daemon.scat.pdc.kth.se, id: 65531, owner: system:administrators, creator: haba.admin,
  membership: 4, flags: S----, group quota: 20.

Then all web-daemon.x.y.z identities are members of this group:

$ pts mem web-daemons  -c pdc.kth.se
Members of web-daemons (id: -32225) are:
  web-daemon.wrasse.pdc.kth.se
  web-daemon.schelly.pdc.kth.se
  web-daemon.scat.pdc.kth.se

Then you give web-daemons the appropriate permissions in the file system.

Harald.
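The procedure above (keytab principal, its PTS identity, membership in the web-daemons group, ACL on the directory) as an added dry-run check; this is example code, not anything from the original post or from OpenAFS or Heimdal. The ktutil and pts outputs are constructed copies of what the post shows, and the AFS path and "rl" rights passed to the last function are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: derive the OpenAFS PTS
# identity for the keytab's principal the way the post describes (realm
# dropped, "/" replaced by "."), then check it against `pts mem` output.
# Both command outputs below are constructed copies of the post's, so the
# script runs offline and never calls ktutil or pts itself.

# Constructed copy of the `ktutil ... list` output from the post.
KTUTIL_OUTPUT='Vno  Type                     Principal
  0  des3-cbc-sha1            web-daemon/scat.pdc.kth.se@NADA.KTH.SE
  0  aes128-cts-hmac-sha1-96  web-daemon/scat.pdc.kth.se@NADA.KTH.SE
  0  arcfour-hmac-md5         web-daemon/scat.pdc.kth.se@NADA.KTH.SE'

# Constructed copy of the `pts mem web-daemons -c pdc.kth.se` output.
PTS_MEM_OUTPUT='Members of web-daemons (id: -32225) are:
  web-daemon.wrasse.pdc.kth.se
  web-daemon.schelly.pdc.kth.se
  web-daemon.scat.pdc.kth.se'

# Unique principals in the keytab: skip the header, take the third column.
keytab_principals() {
    printf '%s\n' "$KTUTIL_OUTPUT" | awk 'NR > 1 { print $3 }' | sort -u
}

# Map web-daemon/host@REALM -> web-daemon.host (the pts naming convention).
krb_to_pts() {
    printf '%s\n' "${1%@*}" | tr '/' '.'
}

# 0 if the PTS name is a listed member, 1 otherwise (whole-line match,
# header line skipped, leading blanks trimmed).
pts_is_member() {
    printf '%s\n' "$PTS_MEM_OUTPUT" | sed '1d; s/^[[:space:]]*//' | grep -qx -- "$1"
}

# One line per keytab principal: its PTS identity and whether that
# identity is in web-daemons.
check_keytab() {
    for p in $(keytab_principals); do
        n=$(krb_to_pts "$p")
        if pts_is_member "$n"; then
            printf '%s -> %s: member of web-daemons\n' "$p" "$n"
        else
            printf '%s -> %s: NOT in web-daemons\n' "$p" "$n"
        fi
    done
}

# Print (do not run) the fs setacl command for the post's last step.
# Directory and rights are the caller's assumptions, e.g. "rl" for a web root.
acl_command() {
    printf 'fs setacl -dir %s -acl web-daemons %s\n' "$1" "$2"
}
```

Run `check_keytab` to see the mapping for every principal in the keytab, and `acl_command /afs/example/www rl` to preview the ACL change before applying it.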