[Freeipa-users] Apache, autofs and userdir
Anthony Messina
amessina at messinet.com
Wed Sep 26 09:09:44 UTC 2012
On Wednesday, September 26, 2012 12:21:14 AM James James wrote:
> I have :
>
> - a freeipa server + autofs maps
> - a nfsv4 server
> - a web server
>
> from the webserver I can mount my nfs4 exported home dir. Everything works
> well.
>
> I want to access my public_html directory from the web server. From my
> browser, when I try to reach http://myweserver/~user, I get 403
> Forbidden and the logs give me:
>
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
>
>
> Apache user id is 48.
You don't say what system you're using, but for Fedora 16 and 17 (with
systemd), you can use something like the following in
/etc/systemd/system/httpd.service:
.include /usr/lib/systemd/system/httpd.service

[Unit]
Requires=network.target
After=network.target

[Service]
# Keytab holding the apache principal and the cache rpc.gssd will look for (uid 48)
Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
Environment=KRB5CCNAME=/tmp/krb5cc_48
# Runs as root before httpd starts: get a renewable ticket from the keytab,
# hand the cache to the apache user, and give it a type httpd is allowed to read
ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; \
    /usr/bin/chown apache:apache ${KRB5CCNAME} ; \
    /usr/bin/chcon -t user_tmp_t ${KRB5CCNAME}
# The cache must live in the real /tmp so rpc.gssd can see it
PrivateTmp=false
And you'll need to add a cron job similar to:
5 */8 * * * apache /usr/bin/kinit -R ; chcon -t user_tmp_t /tmp/krb5cc_48
Of course, this may all change when Fedora 18 comes out with its shiny new
way of handling credentials.
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
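The cron renewal step above, written as a small script that applies the same rule rpc.gssd applies in the logged output (the cache must be a regular file owned by the service uid) before renewing. This is an added example, not code from the post or from FreeIPA; it assumes the cache path /tmp/krb5cc_48, uid 48, the SELinux type user_tmp_t from the post, and GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the cache is the
# /tmp/krb5cc_<uid> file rpc.gssd searches for, "stat -c %u" is GNU stat, and
# the SELinux type user_tmp_t is the one the post applies after each kinit.

# Succeed only if $1 is a regular file (not a symlink) owned by uid $2.
# This mirrors the "CC file ... owned by X, not 48" check seen in the log.
ccache_owned_by() {
    cc="$1"; want_uid="$2"
    [ -f "$cc" ] && [ ! -L "$cc" ] || return 1
    have_uid=$(stat -c %u "$cc" 2>/dev/null) || return 1
    [ "$have_uid" = "$want_uid" ]
}

# Cache path rpc.gssd expects for a given uid.
default_ccache_for_uid() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# Renew the ticket only when the cache passes the ownership check, then
# restore the SELinux type so httpd can keep reading it. Returns 1 (and
# calls nothing) when the cache is missing, a symlink, or owned by someone else.
renew_service_ccache() {
    uid="$1"
    cc=$(default_ccache_for_uid "$uid")
    if ! ccache_owned_by "$cc" "$uid"; then
        echo "refusing to renew: $cc is missing or not owned by uid $uid" >&2
        return 1
    fi
    KRB5CCNAME="FILE:$cc" kinit -R || return 1
    if command -v chcon >/dev/null 2>&1; then
        chcon -t user_tmp_t "$cc"
    fi
    return 0
}

# Cron entry (constructed): 5 */8 * * * apache /usr/local/sbin/renew-apache-ccache 48
if [ -n "${1:-}" ]; then
    renew_service_ccache "$1"
fi
```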