[Christopher Lindsey]

Now for the tricky part. AFS doesn't use standard UNIX permissions, but instead depends on ACLs (ours uses Kerberos V for authentication). To be able to write into the AFS space, any program or shell must have a valid AFS token.

I can do this by creating a "keytab" file; basically, that randomizes the password but lets me use it in shell scripts, etc. I just need to kinit against this file, do my operations, then do a kdestroy.

Now for my questions:

o where should I put these calls? I'm guessing that they should be in wrapper, but do I also need to put it into every binary in $prefix/cgi-bin? It appears that way...

Both the wrapper and all the cgi-bin/* binaries use run_script() from src/common.c for exec()ing the python script that does the job. Off the top of my head, I can't think of anything that needs write access before run_script() is called.

o am I going to run into any locking issues with multiple email and Web servers, or does mailman handle this?

If Mailmans mailingliste locking scheme works on AFS, I don't think there should be any problems.

 If so, how?

See the MailList.Lock() and .Unlock() methods -- they currently use posixfile.lock().

 AFS (like NFS) often has problems with flock() or fcntl()
 locking (so dot-locking is the preferred method).

Changing Lock() and Unlock() should be pretty straightforward.

o does mailman actually do any permissions checking on files or directories? These checks would fail in AFS

Grepping the sources for ST_MODE told me of at least one place -- OutGoingQueue.isDeferred() works by checking the setuid bit of the queue file. If I remember my AFS correctly, there is no SUID bit -- so you'd need to change .enqueueMessage, .isDeferred and .deferMessage() to use some other scheme.

Any pointers and/or answers would be appreciated.

Good luck, and let us know how things work out!

Harald