Original author: Adam Thornton (athornton (at) sinenomine.net)

This will be posted for reference in a bit (when I get around to it).

Notes towards getting Filedrawers working with r/w AFS access

Note that this document comes from the perspective of someone who doesn't know anything about AFS at more than a naive user level. It may be the case that the extant documentation really is adequate for AFS administrators. It's not for me.

Lesson one: Cosign is not your friend. I and a colleague spent a long, long time banging our heads into cosign, getting cryptic and unhelpful error messages, before deciding that sitewide single-sign-on was more trouble than it was worth. Maybe I'll get back to it someday, but it was actively anti-helpful for me.

Lesson two: there is one useful document. It is hard to find with Google. Its name is "How not to get burned with Filedrawers and AFS," and it is by Simon Wilkinson. It is at

    http://workshop.openafs.org/afsbpw08/talks/wed_3/Filedrawers.pdf

This document *is* your friend. It is your bestest friend. It needs better publicity than it gets.

So, we started with a Debian Lenny host. This may not have been ideal, but it's what we were running. We're using Apache 2. No, going back to Apache 1.3 for easier waklog integration wasn't really a possibility.

The first thing to do is to set up an Apache virtual host on ports 80 and 443 and arrange it so port 80 redirects to the https host at 443. This is (unlike Filedrawers integration) well-documented on The Internets. Do whatever your site does with SSL certificates to protect it.

Next, you're going to need mod_auth_kerb. Debian has this: libapache2-mod-auth-kerb.

Then you're going to need a keytab that will let the web server user (www-data in Debian-world) have read access to your AFS installation.
Wilkinson's document tells exactly how to generate it, viz:

    kadmin -q 'ank -randkey HTTP/fqdn.of.server'
    kadmin -q 'ktadd -k /etc/httpd.keytab HTTP/fqdn.of.server'

And then:

    chown www-data /etc/httpd.keytab
    chmod 400 /etc/httpd.keytab

Wilkinson also tells us pretty much how to set up auth_kerb_module:

    <Location />
        AuthName "Filedrawers"
        AuthType Kerberos
        KrbMethodNegotiate off
        KrbMethodK5Passwd on
        KrbSaveCredentials on
        Krb5Keytab /etc/httpd.keytab
        KrbAuthRealms YOUR.REALM
        KrbServiceName HTTP/fqdn.of.server
        require valid-user
    </Location>

Here, I deviated from Wilkinson's slides a bit. His next step is setting up mod_waklog, but I went ahead and did filedrawers. Without mod_waklog, you get a read-only browsing front end to AFS, but that was (for me, anyway) a useful intermediate step to have.

A bit of googling reveals that Adam Megacz has actually done a Debian package of filedrawers. This saves some time:

    /afs/hcoop.net/user/m/me/megacz/public/filedrawers/

This installs fine with the prereqs of php5, smarty, and php5-fileinfo. There might be others. If there were, they were already on my machine, though.

Copy the configuration in /usr/share/doc/filedrawers into your apache vhost config and restart Apache.

At this point you have something that is a read-only AFS web front end.

Next comes adding mod_waklog. It's this step that's very, very poorly documented. (Google, at this point, bless its little heart, helpfully suggests: "Did you mean to search for: afs file drawers wanklog")

First: download the SVN version of mod_waklog.

    svn co https://modwaklog.svn.sourceforge.net/svnroot/modwaklog modwaklog

And then just build it.

Ha.

So, it turns out that Adam Megacz expects you to still have Apache 1 installed in order to build the damn thing. Well, if you're running a Lenny system, this is a little problematic. There ain't no such thing as apache-dev anymore.
The waklog mailing list also suggests that building 64-bit can be problematic; I don't know about that since I built on a 32-bit host.

You can do what I did, and spend a lot of time screwing around with the Debian build-rules trying to make it work, or you can do what I *EVENTUALLY* did, and just run make and then copy, by hand, .libs/mod_waklog.so into your Apache modules directory.

Note that I did let debian/rules do the heavy lifting, and even that took some changes:

    ./configure \
        --with-afs-libs=/usr/lib/afs \
        --with-afs-headers=/usr/include/afs \
        --with-apxs=/usr/bin/apxs2

I also commented out libapache-mod-waklog in debian/control, and removed the apache-dev dependency. This still isn't enough to get a dpkg built, though.

At any rate, despite a dire warning about the non-portability of the compiled object file, you do end up with .libs/mod_waklog.so ready to copy to the Apache module directory.

Once you've done that, you just edit the Apache configuration as shown in Wilkinson:

Load the waklog module and set WaklogAfsCell:

    LoadModule waklog_module /usr/lib/apache2/modules/mod_waklog.so
    WaklogAfsCell your.cell

And then, inside the Vhost definition, add the following at the bottom:

    WaklogEnabled On
    WaklogUseUserTokens On

The next thing to do is to fix the missing homedir problem and de-uMichify the filedrawers PHP. This is documented in Wilkinson, but skip all the Smarty configuration stuff (that's already been done in the dpkg for filedrawers).

So in libdrawers.php, you need to fix GetHomeDir() by adding:

    $name=preg_replace("/@YOUR_REALM/","", $name);

Fix $afsBase in libdrawers.php:

    $afsBase = '/afs/your.cell/user/';

At this point, you have a working Filedrawers installation, sort of. Now you just want it to not look like University of Michigan's. I just deleted the menubar from the banner (in smarty/templates/banner.tpl) and substituted my site's primary web URL for the umich URLs, but obviously a lot more and much better customization could be done here.

Nevertheless, this gets you to a point where users can log in to your AFS cell, and upload and retrieve files via a web browser. Safari and Firefox work fine. How well other browsers do is unknown to me at this point.
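
Added example, not part of the original post: a shell check for the keytab created by the kadmin/chown/chmod steps above, since anyone who can read or replace that file holds the web server's HTTP service key. It assumes GNU stat (as on Debian); the function name check_keytab is made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a service keytab.
# Assumes GNU stat, as shipped on Debian.

# check_keytab PATH OWNER
# Prints one FAIL line per problem. Returns 0 only when PATH is a regular
# file (not a symlink) owned by OWNER, with no group/other permission bits,
# in a directory that group/other cannot write to.
check_keytab() {
    kt=$1; want_owner=$2; rc=0

    # A symlink could point the web server at a key file stored elsewhere.
    if [ -L "$kt" ]; then
        echo "FAIL: $kt is a symlink"; return 1
    fi
    if [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing or not a regular file"; return 1
    fi

    owner=$(stat -c '%U' "$kt")
    mode=$(stat -c '%a' "$kt")
    dir=$(dirname "$kt")
    dmode=$(stat -c '%a' "$dir")

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $kt owner is $owner, expected $want_owner"; rc=1
    fi
    # The post sets mode 400; any group/other bit exposes the service key.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $kt mode is $mode, group/other access is set"; rc=1
    fi
    # Group/other write on the directory is flagged (sticky bit not considered).
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir mode is $dmode, group/other can write"; rc=1
    fi
    return $rc
}

# Run stand-alone as: sh check_keytab.sh /etc/httpd.keytab www-data
if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

Run it after any package upgrade or restore that might reset ownership or mode on /etc/httpd.keytab.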