Thursday, May 10, 2007

I'd like to get Apache 2 to access files on my AFS file system. Ideally both when no user is authenticated, and with the user's credentials when a user has authenticated via Kerberos 5.

I have authentication via Kerberos 5 working with the auth_kerb_module (mod_auth_kerb.so).

I can't quite wrap my head around how ticket caches and AFS PAGs (Process Authentication Groups) work.

Here's a writeup on PAGs and web server authentication.

Questions: How are PAGs related to the actual credentials? By the KRB5CCNAME environment variable? (I'm running the Heimdal Kerberos implementation).

Ideally the auth_kerb_module could, for each access, make sure the Apache process/thread has tokens/PAG for either the authenticated user or the www Kerberos/AFS user.

In theory the mod would call k_hasafs to initialize the library, k_setpag() to create a new (empty) PAG, get the proper Kerberos 5 credentials (either for the user or Apache's srvtab), convert them to AFS tickets with krb5_afslog, perform the request, and then after the request destroy the PAG with k_unlog.

More to come (I hope)...
