Open OnDemand and AFS

Hi, David.
I recommend you do an initial check to test the configuration of apache/mod_auth_gssapi/mod_waklog.
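To this end I use a check.cgi in the bin-cgi directory:

#!/usr/bin/sh
echo Content-type: text/plain
echo
# Kerberos tickets in the request's credential cache, with their flags
/usr/bin/klist -f
echo
# AFS tokens held by the Cache Manager
tokens
# Credential cache path as seen by the CGI process
echo "KRB5CCNAME=$KRB5CCNAME"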

The output of the test is:

Ticket cache: FILE:/var/run/httpd/clientcaches/lbuccip@ENEA.IT
Default principal: lbuccip@ENEA.IT

Valid starting Expires Service principal
12/11/23 21:23:37 01/10/24 21:23:37 krbtgt/ENEA.IT@ENEA.IT
Flags: FfT

Tokens held by the Cache Manager:

User's (AFS ID 27794) rxkad tokens for enea.it [Expires Jan 10 10:41]
--End of list--
KRB5CCNAME=FILE:/var/run/httpd/clientcaches/lbuccip@ENEA.IT

Great suggestion Luigi. Thank you! I’ll get right on that.

No token. Now to figure out why.

Ticket cache: FILE:/var/run/httpd/clientcaches/dbarstis@CRC.ND.EDU
Default principal: dbarstis@CRC.ND.EDU

Valid starting Expires Service principal
12/12/23 10:57:06 01/11/24 10:57:06 krbtgt/CRC.ND.EDU@CRC.ND.EDU
Flags: FfT

Tokens held by the Cache Manager:

--End of list--
“KRB5CCNAME=FILE:/var/run/httpd/clientcaches/dbarstis@CRC.ND.EDU”

When I ssh in with my user id and run klist, I get a second service principal.

Default principal: dbarstis@CRC.ND.EDU

Valid starting Expires Service principal
12/12/2023 14:35:38 01/11/2024 14:35:38 krbtgt/CRC.ND.EDU@CRC.ND.EDU
12/12/2023 14:35:38 01/11/2024 14:35:38 afs/crc.nd.edu@CRC.ND.EDU

Am I heading down the right path?

I assume you included the same directives (related to mod_auth_gssapi and mod_waklog) in the httpd.conf file!

I did. I believe the afs/crc.nd.edu@CRC.ND.EDU principal is related to pam and does apply here.
I’m starting over to see if I missed a step.
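
An added example, not from any post in this thread: a shell function that classifies the text printed by a check.cgi like the one above, so the "ticket but no token" result seen here can be told apart from "no ticket at all" in a scripted check. The status names, the principal alice@EXAMPLE.ORG and the sample input are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the text a check.cgi like the one above prints.
# Output: "<status> <principal> <delegation>"; status names are this example's own:
#   ok         TGT in the cache and at least one AFS token
#   no_token   TGT present, Cache Manager lists no token
#   no_ticket  no krbtgt/ entry in the cache
classify_check_output() {
    awk '
        /^Default principal:/ { principal = $3 }
        /krbtgt\//            { tgt = 1; want_flags = 1; next }
        # "klist -f" prints the flags on the line after each ticket.
        want_flags && /^[ \t]*Flags:/ { flags = $2; want_flags = 0 }
        /^Tokens held by the Cache Manager:/ { in_tokens = 1; next }
        in_tokens && /End of list/ { in_tokens = 0 }
        in_tokens && /tokens for / { tokens++ }
        END {
            if (!tgt)             status = "no_ticket"
            else if (tokens == 0) status = "no_token"
            else                  status = "ok"
            # A lowercase f in the klist flags marks a forwarded ticket.
            if (flags == "")      fwd = "flags_unknown"
            else if (flags ~ /f/) fwd = "forwarded"
            else                  fwd = "not_forwarded"
            if (principal == "")  principal = "-"
            print status, principal, fwd
        }'
}

# Constructed sample input, modelled on the two outputs in the thread.
sample_ticket_only() {
    cat <<'EOF'
Ticket cache: FILE:/var/run/httpd/clientcaches/alice@EXAMPLE.ORG
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
12/12/23 10:57:06  01/11/24 10:57:06  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FfT

Tokens held by the Cache Manager:

   --End of list--
EOF
}

# Same sample with one token line inserted before the end-of-list marker.
sample_with_token() {
    sample_ticket_only | awk '/End of list/ {
        print "User\047s (AFS ID 1000) rxkad tokens for example.org [Expires Jan 10 10:41]" }
        { print }'
}

sample_ticket_only | classify_check_output
sample_with_token | classify_check_output
```

Against a live server, the function would read the response body of the check.cgi request on standard input instead of the constructed samples.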