<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 09/26/2012 12:21 AM, James James wrote: </div> <blockquote cite="mid:CALBJVV=C29KhJ=nGk1KH9V4kHv=J9medB4-tcRGYX2uEC55QuA@mail.gmail.com" type="cite">Hi, I don't know if this is the right place to ask this question but I will try. I have : - a freeipa server + autofs maps - a nfsv4 server - a web server from the webserver I can mount my nfs4 exported home dir. Everything works well. I want to acces to my public_html directory from the web server. From my browser, when I try to reach <a moz-do-not-send="true" href="http://myweserver/%7Euser">http://myweserver/~user</a>, I've got 403 Forbidden and the logs give me : Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server <a moz-do-not-send="true" href="http://nfs-server.example.com">nfs-server.example.com</a> Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 ' Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>' Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server <a moz-do-not-send="true" href="http://nfs-server.example.com">nfs-server.example.com</a> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm '<a moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a>' Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm '<a moz-do-not-send="true" href="http://EXAMPLE.COM">EXAMPLE.COM</a>' Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server <a moz-do-not-send="true" href="http://nfs-server.example.com">nfs-server.example.com</a> Apache user id is 48. Thanks for any help. James <fieldset class="mimeAttachmentHeader"></fieldset> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> Are you using nfs4 + krb5 as auth for your home directories? If so, what it's telling you is that it's unable to retreive kerberos credentials for the apache user (uid 48). I believe you have to create a user account for apache in IPA, initiate credentials for this user (and renew them when they expire), and set the KRB5CCNAME environment variable to point to the credendials cache in the startup script for httpd. A cronjob or similar would be required to keep renewing the credentials, I have not looked into this myself yet so I cannot give exact feedback for this. Make sure the IPA user account that you provide credentials for have access to read the users public_html directory and list the users home directory. Let me know how you get on. I haven't tested this myself yet but it's been on my mind. Regards, Siggi </body> </html>