[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Simo Sorce simo at redhat.com
Tue Sep 16 15:58:46 UTC 2014


On Tue, 16 Sep 2014 09:12:53 +0200
Rob Verduijn <rob.verduijn at gmail.com> wrote:

> 2014-09-16 0:41 GMT+02:00 Anthony Messina <amessina at messinet.com>:
> 
> > On Monday, September 15, 2014 06:10:13 PM Nordgren, Bryce L -FS
> > wrote:
> > > How does the NFS server map the apache user to “something” it
> > > recognizes? I would suggest that the easiest solution may be to use
> > > an IPA account called “apache”, so that the mappings would just
> > > work, but currently I’m having trouble running a service as a
> > > domain user via systemd.
> > > (https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194.html)
> >
> > Regarding your thread on the sssd-users list, this issue has to do
> > with systemd not looking up non-local users (via nss/sssd) as these
> > accounts are not usually available at boot.  I had tried something
> > similar using k5start (prior to using gssproxy) and found this out:
> > https://bugzilla.redhat.com/show_bug.cgi?id=915912
> >
> > > Beyond that, for kerberized NFS (local or domain user), you’ll
> > > need something to keep a fresh ticket on hand, so you may end up
> > > running something like k5start, and setting KRB5CCNAME in the
> > > environment where you’re running apache.
> >
> > I now use gssproxy for this purpose -- maintaining NFS/KRB5
> > credentials for the "apache" user.  But I can tell you that I
> > haven't yet figured out what I need to do to have FreeIPA issue
> > Kerberos credentials for the "apache" user, while restricting the
> > "apache" user in FreeIPA, based on the security concerns mentioned
> > by John Dennis in the following email:
> > https://www.redhat.com/archives/freeipa-users/2013-February/msg00268.html
> >
> > Not trying to hijack the thread, but it would be helpful to have
> > some instruction on: What is the FreeIPA-recommended way to enable
> > Kerberos functionality for a system account user, while restricting
> > that system-account user?  The "apache" user being one that seems to
> > be brought up frequently.
> >
> > -A
> >
> > --
> > Anthony - https://messinet.com/ -
> > https://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE
> > 9967 92DC 35DC B001 4A4E
> >
> 
> Hello all,
> 
> It seems after doing some more serious googling I found that using a
> system-account is problematic when using kerberized nfs4.
> 
> Like Anthony mentioned it would be nice to have a 'general' howto on
> how to deal with this situation.
> 
> Apache trying to use a document root on a kerberized nfs4 share being
> a very nice use case.
> 
> btw after I posted this I spent some more time on google and found
> this old kb article on access.redhat.com that deals with a
> kerberized nfs document root for apache:
> https://access.redhat.com/solutions/56581
> I haven't tried it yet because it feels a bit like a workaround to me
> and I hoped to find a more elegant solution using ipa.

You will need some credentials for the apache process, but do not use
host or nfs as shown in that aging article.

The solution we've been working on for quite a while is called
gss-proxy, which, interposed to rpc.gssd, can allow you to configure
specific keytabs to be used to obtain credentials for unattended
service.

Unfortunately we are still in the process of writing documentation but
here is the project page for reference:
https://fedorahosted.org/gss-proxy/

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
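As an added example, not taken from this thread or from the gss-proxy project's own shipped files: a gssproxy service section for the NFS client side that lets rpc.gssd obtain credentials for a given uid from a per-uid keytab, which is the unattended-service setup Simo describes. Assumptions: the apache uid is 48 (the Fedora/RHEL default), the file name 99-nfs-client.conf, and the per-uid keytab path /var/lib/gssproxy/clients/48.keytab holding the key of an IPA principal created for the apache user.

```ini
# Assumed file: /etc/gssproxy/99-nfs-client.conf
# rpc.gssd must be started with GSS_USE_PROXY=yes in its environment so
# that its GSSAPI calls are routed through gssproxy instead of rpc.gssd
# reading keytabs and credential caches itself.
[service/nfs-client]
  mechs = krb5
  # Host keytab: used for the machine credential (uid 0 / root traffic).
  cred_store = keytab:/etc/krb5.keytab
  # Per-uid credential cache that gssproxy populates and renews;
  # %U expands to the uid of the process that triggered the upcall.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  # Per-uid keytab (assumed path): /var/lib/gssproxy/clients/48.keytab
  # holds the apache principal's key, so NFS access by uid 48 gets a
  # ticket without a k5start loop or a KRB5CCNAME in httpd's environment.
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  # rpc.gssd runs as root and requests contexts on behalf of any uid.
  allow_any_uid = yes
  trusted = yes
  euid = 0
```

Only gssproxy (running as root) needs to read the per-uid keytab, so it should stay root-owned with mode 0600 rather than readable by the apache user, which keeps the principal's long-term key out of reach of the web server process itself.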
