[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Dmitri Pal dpal at redhat.com
Tue Sep 16 16:10:31 UTC 2014


On 09/16/2014 11:58 AM, Simo Sorce wrote:
> On Tue, 16 Sep 2014 09:12:53 +0200
> Rob Verduijn <rob.verduijn at gmail.com> wrote:
>
>> 2014-09-16 0:41 GMT+02:00 Anthony Messina <amessina at messinet.com>:
>>
>>> On Monday, September 15, 2014 06:10:13 PM Nordgren, Bryce L -FS
>>> wrote:
>>>> How does the NFS server map the apache user to “something” it
>>>> recognizes? I would suggest that the easiest solution may be to
>>>> use an IPA account called “apache”, so that the mappings would
>>>> just work, but currently I’m having trouble running a service as
>>>> a domain user via systemd.
>>>> (https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194.html)
>>> Regarding your thread on the sssd-users list, this issue has to do
>>> with systemd not looking up non-local users (via nss/sssd) as these
>>> accounts are not usually available at boot.  I had tried something
>>> similar using k5start (prior to using gssproxy) and found this out:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=915912
>>>
>>>> Beyond that, for kerberized NFS (local or domain user), you’ll
>>>> need something to keep a fresh ticket on hand, so you may end up
>>>> running something like k5start, and setting KRB5CCNAME in the
>>>> environment where you’re running apache.
>>> I now use gssproxy for this purpose -- maintaining NFS/KRB5
>>> credentials for the "apache" user.  But I can tell you that I
>>> haven't yet figured out what I need to do to have FreeIPA issue
>>> Kerberos credentials for the "apache" user, while restricting the
>>> "apache" user in FreeIPA, based on the security concerns mentioned
>>> by John Dennis in the following email:
>>> https://www.redhat.com/archives/freeipa-users/2013-February/msg00268.html.
>>>
>>> Not trying to hijack the thread, but it would be helpful to have
>>> some instruction on: What is the FreeIPA-recommended way to enable
>>> Kerberos functionality for a system account user, while restricting
>>> that system-account user?  The "apache" user being one that seems to
>>> be brought up frequently.
>>>
>>> -A
>>>
>>> --
>>> Anthony - https://messinet.com/ -
>>> https://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE
>>> 9967 92DC 35DC B001 4A4E
>>>
>> Hello all,
>>
>> It seems after doing some more serious googling I found that using a
>> system-account is problematic when using kerberized nfs4.
>>
>> Like Anthony mentioned it would be nice to have a 'general' howto on
>> how to deal with this situation.
>>
>> Apache trying to use a document root on a kerberized nfs4 share being
>> a very nice use case.
>>
>> btw after I posted this I spent some more time on google and found
>> this old kb article on access.redhat.com that deals with a
>> kerberized nfs document root for apache:
>> https://access.redhat.com/solutions/56581
>> I haven't tried it yet because it feels a bit like a workaround to me
>> and I hoped to find a more elegant solution using ipa.
> You will need some credentials for the apache process, but do not use
> host or nfs as shown in that aging article.
>
> The solution we've been working on for quite a while is called
> gss-proxy which, interposed to rpc.gssd, can allow you to configure
> specific keytabs to be used to obtain credentials for unattended
> service.
>
> Unfortunately we are still in the process of writing documentation but
> here is the project page for reference:
> https://fedorahosted.org/gss-proxy/
>
> Simo.
>
Also opened https://fedorahosted.org/freeipa/ticket/4544

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
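A gss-proxy configuration of the kind Simo describes above (gssproxy interposed to rpc.gssd, with a per-uid client keytab so the apache uid obtains and renews its own credentials unattended), added here as an example that is not from this thread or the gss-proxy project. It assumes the section layout of gssproxy's stock nfs-client configuration as documented in gssproxy.conf(5); the apache uid (48) and the keytab path are placeholders to adjust for your system.

```ini
# Added example, not from this thread or the gss-proxy project.
# Assumes the stock nfs-client section layout from gssproxy.conf(5).
# Placeholders: the "apache" account has uid 48 and its keytab has
# been exported to /var/lib/gssproxy/clients/48.keytab (root:root, 0600).
[service/nfs-client]
  mechs = krb5
  # Machine credentials, used when no per-uid client keytab exists.
  cred_store = keytab:/etc/krb5.keytab
  # Credential cache gssproxy maintains for each uid (%U expands to the uid);
  # rpc.gssd consumes it, the apache process never has to read it.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  # Per-uid client keytab: gssproxy uses <uid>.keytab to acquire and renew
  # a TGT for that uid on its own, replacing a k5start loop plus KRB5CCNAME
  # in apache's environment.
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
```

rpc.gssd must itself be started with GSS_USE_PROXY=yes in its environment for the interposition to take effect. Keep the client keytab root-owned and mode 0600: gssproxy runs as root, so the apache process needs read access to neither the keytab nor the ccache, which is the gain over the k5start approach.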