Re: [OpenAFS] httpd -setpag problems?!

2008-07-10 Thread Russ Allbery
"TIARA System Man" <[EMAIL PROTECTED]> writes:

> BUT, i modify "/etc/rc.d/init.d/httpd" file as  following :
> (omit)
> PRE_CMD1="/usr/kerberos/bin/kinit -l 1d -k -t /etc/httpd/conf/http.keytab HTTP/lesoleil.tiara.sinica.edu.tw"
> PRE_CMD2="/usr/bin/aklog -d -setpag"
> POST_CMD="/usr/kerberos/bin/kdestroy"

aklog -setpag doesn't work with modern kernels in various different ways,
one of which being that it can set up a PAG and then not get a token.  I
suspect that's your problem.

You probably want to use k5start:

http://www.eyrie.org/~eagle/software/kstart/

Then you can replace your invocation here:

> $PRE_CMD1 ; $PRE_CMD2
> LANG=$HTTPD_LANG daemon $httpd $OPTIONS
> RETVAL=$?
> echo
> [ $RETVAL = 0 ] && touch ${lockfile}
> $POST_CMD
> return $RETVAL

with:

k5start -b -l 1d -tUf /etc/httpd/conf/http.keytab -- \
env LANG=$HTTPD_LANG $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL

-- 
Russ Allbery ([EMAIL PROTECTED]) 
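
The failure mode described in the reply above (a PAG is set up but holds no token) can be caught before httpd starts serving. The following is an added example, not part of the original message or init script: it checks that the keytab is private and that `tokens` output, read on stdin, lists an unexpired token. The cell name example.org, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The cell name example.org and the sample `tokens` output
# below are constructed for illustration.

# keytab_is_private FILE: succeed only if FILE exists and carries no group or
# other permission bits; the keytab holds the service's long-term key.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# has_afs_token CELL: read `tokens` output on stdin and succeed only if it
# lists an unexpired token for afs@CELL. A PAG without a token prints only
# the header and the end-of-list marker, so it fails this check.
has_afs_token() {
    awk -v want="afs@$1" '
        index($0, "tokens for " want " ") && !index($0, ">> Expired <<") { ok = 1 }
        END { exit !ok }'
}

# preflight KEYTAB CELL: 0 if both checks pass, 2 for a bad keytab,
# 3 when the `tokens` output on stdin shows no valid token.
preflight() {
    keytab_is_private "$1" || { echo "keytab $1 missing or not private" >&2; return 2; }
    has_afs_token "$2" || { echo "no valid AFS token for $2" >&2; return 3; }
}

# Constructed samples of `tokens` output: token present, PAG without a
# token, and an expired token.
SAMPLE_OK="Tokens held by the Cache Manager:

User's (AFS ID 402) tokens for afs@example.org [Expires Jul 12 12:08]
   --End of list--"
SAMPLE_EMPTY="Tokens held by the Cache Manager:

   --End of list--"
SAMPLE_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 402) tokens for afs@example.org [>> Expired <<]
   --End of list--"
```

Tokens are per-PAG, so the `tokens` output fed to `preflight` has to come from a command run in the same PAG as the daemon; output from the administrator's login shell says nothing about what httpd can read.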


[OpenAFS] httpd -setpag problems?!

2008-07-10 Thread TIARA System Man
hi guys,

i followed the "Distributed Services with OpenAFS" book instructions to set
up a keytab file for web server. it worked for a while in scientific linux 4.

recently, i would like to reconfigure web server in scientific linux 5. but
this time the web server can not work. i believe i did exactly what i
did before. following are my environment:

i generated a keytab for *http.lesoleil.tiara.sinica.edu.tw*.

# set "http.lesoleil.tiara.sinica.edu.tw" in *webservers* group.
pts membership webservers
Members of webservers (id: -400) are:
  http.lesoleil.tiara.sinica.edu.tw

# grant *webservers* has "rlidwk" rights
[EMAIL PROTECTED] Sites]# fs listacl .
Access list for . is
Normal rights:
  webservers rlidwk
  system:backup rl
  system:administrators rlidwka
  x rlidwka

# i verified *http.lesoleil.tiara.sinica.edu.tw* to access the web page
folders. it could access through keytab.
kinit -l 1d -k -t /etc/httpd/conf/http.keytab HTTP/lesoleil.tiara.sinica.edu.tw
aklog

[EMAIL PROTECTED] ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/11/08 12:05:32  07/12/08 12:08:56  krbtgt/TIARA.SINICA.EDU.TW@TIARA.SINICA.EDU.TW
07/11/08 12:05:38  07/12/08 12:08:56  [EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 402) tokens for [EMAIL PROTECTED] [Expires Jul 12 12:08]
   --End of list--

[EMAIL PROTECTED] Sites]# touch test

BUT, i modify "/etc/rc.d/init.d/httpd" file as following:
(omit)
PRE_CMD1="/usr/kerberos/bin/kinit -l 1d -k -t /etc/httpd/conf/http.keytab HTTP/lesoleil.tiara.sinica.edu.tw"
PRE_CMD2="/usr/bin/aklog -d -setpag"
POST_CMD="/usr/kerberos/bin/kdestroy"
(omit)
start() {
echo -n $"Starting $prog: "
check13 || exit 1
$PRE_CMD1 ; $PRE_CMD2
LANG=$HTTPD_LANG daemon $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
$POST_CMD
return $RETVAL
}
(omit)

restart the httpd. apache could not get the tokens. it always complains

(13)Permission denied: /home/x/Sites/.htaccess pcfg_openfile: unable to
check htaccess file, ensure it is readable

i use openafs-client-1.4.7-68.SL5.x86_64 and kernel version is
2.6.18-92.1.6.el5.

could any one help me to debug this? thanks a million!!

best, sam

-- 
Sam Tseng
Academia Sinica
Institute of Astronomy and Astrophysics
Tel.: +886-2-33652200 ext 742
Fax: +886-2-23677849