<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 09/26/2012 12:21 AM, James James
wrote:<br>
</div>
<blockquote
cite="mid:CALBJVV=C29KhJ=nGk1KH9V4kHv=J9medB4-tcRGYX2uEC55QuA@mail.gmail.com"
type="cite">Hi, I don't know if this is the right place to ask
this question but I will try.<br>
<br>
I have :<br>
<br>
- a freeipa server + autofs maps<br>
- an nfsv4 server<br>
- a web server<br>
<br>
from the webserver I can mount my nfs4 exported home dir.
Everything works well. <br>
<br>
I want to access my public_html directory from the web server.
From my browser, when I try to reach <a moz-do-not-send="true"
href="http://myweserver/%7Euser">http://myweserver/~user</a>,
I've got 403 Forbidden and the logs give me : <br>
<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to
create krb5 context for user with uid 48 for server nfs-server.example.com<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnte2)<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall:
'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnte2)<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall:
service is '&lt;null&gt;'<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for
client with uid 48 for server nfs-server.example.com<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file
'/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred
realm 'EXAMPLE.COM'<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file
'/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0'
being considered, with preferred realm 'EXAMPLE.COM'<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0'
owned by 0, not 48<br>
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to
create krb5 context for user with uid 48 for server nfs-server.example.com<br>
<br>
<br>
Apache user id is 48.<br>
<br>
Thanks for any help.<br>
<br>
James<br>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
Are you using nfs4 + krb5 as auth for your home directories?<br>
<br>
If so, what it's telling you is that it's unable to retrieve
Kerberos credentials for the apache user (uid 48). I believe you
have to create a user account for apache in IPA, initiate
credentials for this user (and renew them when they expire), and set
the KRB5CCNAME environment variable to point to the credentials
cache in the startup script for httpd. A cronjob or similar would be
required to keep renewing the credentials; I have not looked into
this myself yet so I cannot give exact feedback for this.<br>
<br>
Make sure the IPA user account that you provide credentials for has
access to read the user's public_html directory and list the user's
home directory.<br>
<br>
Let me know how you get on. I haven't tested this myself yet but
it's been on my mind.<br>
<br>
<br>
Regards,<br>
Siggi<br>
<br>
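The procedure sketched in the reply (a keytab for an IPA account for apache, a credential cache that rpc.gssd will accept for uid 48, and periodic renewal), as an added example that is not part of the thread and not code from FreeIPA or nfs-utils. It assumes the realm EXAMPLE.COM from the log, a principal named apache whose keytab has been fetched to /etc/httpd/apache.keytab (for example with ipa-getkeytab, or with a service principal instead of a user account), and the default /tmp cache directory that rpc.gssd is seen scanning in the log; all of those names and paths are assumptions. The cache is written to /tmp/krb5cc_48 and chowned to uid 48 because the log shows rpc.gssd rejecting every cache whose owner is not the requesting uid.<br>

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Keeps a Kerberos
# credential cache for the httpd user (uid 48) that rpc.gssd will accept.
# Assumed names (not stated in the thread): realm, principal, keytab
# location, apache uid and cache path. Override them via the environment.
REALM="${REALM:-EXAMPLE.COM}"
PRINC="${PRINC:-apache@$REALM}"
KEYTAB="${KEYTAB:-/etc/httpd/apache.keytab}"
APACHE_UID="${APACHE_UID:-48}"
CCACHE="${CCACHE:-/tmp/krb5cc_${APACHE_UID}}"

# rpc.gssd only uses a cache file whose owner matches the uid doing the
# NFS access (the log shows "owned by 797200160, not 48" being skipped).
# Returns 0 if FILE exists and is owned by UID, 1 otherwise.
cc_owned_by_uid() {
    file="$1"; uid="$2"
    [ -f "$file" ] || return 1
    owner=$(stat -c %u "$file" 2>/dev/null || stat -f %u "$file" 2>/dev/null) || return 1
    [ "$owner" = "$uid" ]
}

# The cache holds a TGT; it must not be readable by other local users.
# Returns 0 if FILE is mode 0600, 1 otherwise.
cc_mode_is_private() {
    file="$1"
    [ -f "$file" ] || return 1
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Obtain a fresh TGT from the keytab into a temporary cache, hand the file
# to the apache uid, then atomically move it into place so rpc.gssd never
# sees a half-written cache. Run once from the httpd start-up script and
# from cron at an interval shorter than the ticket lifetime.
# Returns 0 on success, 1 if kinit failed, 2 if prerequisites are missing.
renew_ccache() {
    command -v kinit >/dev/null 2>&1 || { echo "kinit not installed" >&2; return 2; }
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB not readable" >&2; return 2; }
    tmp="${CCACHE}.tmp$$"
    # -k -t KEYTAB: authenticate with the keytab; -c: write to this cache.
    kinit -k -t "$KEYTAB" -c "$tmp" "$PRINC" || { rm -f "$tmp"; return 1; }
    chown "$APACHE_UID" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$CCACHE" || {
        rm -f "$tmp"; return 1; }
    cc_owned_by_uid "$CCACHE" "$APACHE_UID" && cc_mode_is_private "$CCACHE"
}

# Usage (as root): ./renew-apache-ccache.sh
# and in the httpd start-up script: export KRB5CCNAME="FILE:/tmp/krb5cc_48"
if [ "${1:-}" = "renew" ]; then
    renew_ccache
fi
```

The two check functions are what you would run by hand when the 403 comes back: if cc_owned_by_uid /tmp/krb5cc_48 48 fails, rpc.gssd will skip the cache exactly as the log shows, regardless of what KRB5CCNAME says in httpd's environment.<br>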
</body>
</html>