Hcoop Software

Below is the software I have developed, modified, or maintained for HCoop.


I am a committer on the mod_waklog sourceforge project (possibly the only active one). Mostly I fuse together the enhancements from the various branches of it that people keep forking.

More recently I wrote up a patch that eliminates the need for WaklogDefaultPrincipal to work around an assumption in Apache's request processing. I also got mod_waklog to use the delete-after-close trick on the files it creates in /tmp.


The libnss-afs library is an NSS plugin which answers these queries using the information stored in the AFS ptserver, avoiding the need to duplicate (and update) this information in /etc/passwd or LDAP. The library also synthesizes the name AfsPag-XXXX for the fake group ids that are used to represent AFS PAGs.

More information is here.

debianized filedrawers

I have created a debian package for filedrawers. This package includes the following changes:

  • Proper dependency information

  • A corrected path to Smarty.class

  • A postinst script to set the owner/group of /usr/share/filedrawers/ to www-data

  • A patch to use the environment AFS_CELL if available; otherwise it falls back to the previous fs wscell behavior. This works nicely with the Apache SetEnv directive.

The debian package can be found here:


kadmin DNS SRV support

All of the MIT Kerberos tools except kadmin support reading their configuration from DNS via SRV records. I have written a patch to libkadm5 which adds this ability to kadmin as well. Here is the request tracker issue (login:guest password:pass) to have it included in the main distribution. Here is why it still hasn't been included in the latest release.

Incremental AFS Backup Script

I've written a script that does byte-level incremental backups of AFS volumes by way of xdelta3


An earlier (pre-incremental) version of this script is currently in use at HCoop. The incremental script above has been running successfully on megacz.com since 23-Jan-2008.


Not really software, but I wrote the first version of SetupNewMachines, which – last time I checked – was the only comprehensive guide out there explaining how to set up an AFS client machine with all the PAM+NSS+SSH bells and whistles.

Future Plans

  • Produce some sort of daemon-launching-and-monitoring solution for users that handles tokens for them. Sort of like “runit for users, and AFS-aware”.


  • A modification for the Kerberos KDC to let sshd obtain a TGT using proof that the connecting client possesses the appropriate ssh private key. This would put an end to member complaints about the fact that hey can't use ssh public keys at HCoop. I have some notes on how this could be done