[Freeipa-users] Apache, autofs and userdir

Anthony Messina amessina at messinet.com
Wed Sep 26 09:09:44 UTC 2012 

On Wednesday, September 26, 2012 12:21:14 AM James James wrote:
> I have  :
> 
> - a freeipa server + autofs maps
> - a nfsv4 server
> - a web server
> 
> from the webserver I can mount my nfs4 exported home dir. Everything works
> well.
> 
> I want to acces to my public_html directory from the web server. From my
> browser, when I try to reach http://myweserver/~user, I've got 403
> Forbidden and the logs give me :
> 
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5
> context for user with uid 48 for server nfs-server.example.com Sep 25
> 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall
> (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21 web-server
> rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48
> enctypes=18,17,16,23,3,1,2 ' Sep 25 23:18:21 web-server rpc.gssd[4522]:
> handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2) Sep 25 23:18:21
> web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>' Sep 25
> 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid
> 48 for server nfs-server.example.com Sep 25 23:18:21 web-server
> rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered,
> with preferred realm 'EXAMPLE.COM' Sep 25 23:18:21 web-server
> rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160,
> not 48 Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0'
> being considered, with preferred realm 'EXAMPLE.COM' Sep 25 23:18:21
> web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48 Sep
> 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5
> context for user with uid 48 for server nfs-server.example.com
> 
> 
> Apache user id is 48.

You don't say what system you're using, but for Fedora 16 and 17 (with 
systemd), you can use something like the following in  
/etc/systemd/system/httpd.service:

.include /usr/lib/systemd/system/httpd.service
[Unit]
Requires=network.target
After=network.target

[Service]
Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
Environment=KRB5CCNAME=/tmp/krb5cc_48
ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; 
/usr/bin/chown apache:apache ${KRB5CCNAME} ; /usr/bin/chcon -t user_tmp_t 
${KRB5CCNAME}
PrivateTmp=false



And you'll need to add a cron job similar to:
5 */8 * * *     apache          /usr/bin/kinit -R ; chcon -t user_tmp_t 
/tmp/krb5cc_48


Of course, this may all change when Fedora 18 comes out with it's shiny new 
way of handling credentials.


-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120926/d5cf758c/attachment.sig>

More information about the Freeipa-users mailing list