Thanks I'll try that and will give you a feedback as soon as possible. <div class="gmail_quote">2012/9/26 Anthony Messina <<a href="mailto:amessina@messinet.com" target="_blank">amessina@messinet.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Wednesday, September 26, 2012 12:21:14 AM James James wrote: > I have : > > - a freeipa server + autofs maps > - a nfsv4 server > - a web server > > from the webserver I can mount my nfs4 exported home dir. Everything works > well. > > I want to acces to my public_html directory from the web server. From my > browser, when I try to reach <a href="http://myweserver/~user" target="_blank">http://myweserver/~user</a>, I've got 403 > Forbidden and the logs give me : > > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 > context for user with uid 48 for server <a href="http://nfs-server.example.com" target="_blank">nfs-server.example.com</a> Sep 25 > 23:18:21 web-server rpc.gssd[4522]: doing error downcall > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall > (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server > rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 > enctypes=18,17,16,23,3,1,2 ' Sep 25 23:18:21 web-server rpc.gssd[4522]: > handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 > web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>' Sep 25 > 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid > 48 for server <a href="http://nfs-server.example.com" target="_blank">nfs-server.example.com</a> Sep 25 23:18:21 web-server > rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, > with preferred realm '<a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a>' Sep 25 23:18:21 web-server > rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, > not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' > being considered, with preferred realm '<a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a>' Sep 25 23:18:21 > web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48 Sep > 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 > context for user with uid 48 for server <a href="http://nfs-server.example.com" target="_blank">nfs-server.example.com</a> > > > Apache user id is 48. </div></div>You don't say what system you're using, but for Fedora 16 and 17 (with systemd), you can use something like the following in /etc/systemd/system/httpd.service: .include /usr/lib/systemd/system/httpd.service [Unit] Requires=network.target After=network.target [Service] Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab Environment=KRB5CCNAME=/tmp/krb5cc_48 ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; /usr/bin/chown apache:apache ${KRB5CCNAME} ; /usr/bin/chcon -t user_tmp_t ${KRB5CCNAME} PrivateTmp=false And you'll need to add a cron job similar to: 5 */8 * * * apache /usr/bin/kinit -R ; chcon -t user_tmp_t /tmp/krb5cc_48 Of course, this may all change when Fedora 18 comes out with it's shiny new way of handling credentials. -- Anthony - <a href="http://messinet.com" target="_blank">http://messinet.com</a> - <a href="http://messinet.com/~amessina/gallery 8F89" target="_blank">http://messinet.com/~amessina/gallery 8F89</a> 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote></div>