[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user
Simo Sorce
simo at redhat.com
Sat Sep 20 16:15:04 UTC 2014
On Sat, 20 Sep 2014 16:53:48 +0200
Rob Verduijn <rob.verduijn at gmail.com> wrote:
> Hello all,
>
> I've managed to get the gssproxy to work on my installation.
> I can now mount my apache document root using sec=krb5p and apache
> automagically mounts the share when needed.
>
> However I noticed that now all nfs credentials are going through
> gssproxy. Is there a way to disable this for regular users (or only
> enable it for apache)
>
> Below is the gssproxy.conf I used
I assume you mean that gssproxy is used for all users when rpc.gssd is
used? You cannot pick and choose this way, but gss-proxy can be
configured to use regular users' caches so that it preserves proper
authorization for access.
> Cheers
> Rob
>
>
>
> [gssproxy]
>
> [service/nfs-client]
> mechs = krb5
> cred_store = keytab:/etc/krb5.keytab
> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> cred_store = client_keytab:/etc/gssproxy/%U.keytab
> cred_usage = initiate
> allow_any_uid = yes
> trusted = yes
> euid = 0
You do not need allow_any_uid in your case as rpc.gssd always runs as
root.
You can also remove the keytab:/etc/krb5.keytab option as you are only
going to initiate with explicit client keytabs.
If you only have the apache keytab in /etc/gssproxy then any other
user will fall back to local resolution.
You may also experiment with setting ccache to the default for your
system so that gss-proxy can find the actual users' ccaches, though that
may carry some minor risk and will force you to run gss-proxy as root.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
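As an added example, not part of the thread and not gssproxy's own tooling: a small Python linter that parses the gssproxy.conf Rob posted (gssproxy's ini-style format, in which cred_store repeats within a section) and flags the three points Simo raises; the finding texts are a paraphrase of his advice, not gssproxy output.

```python
from collections import defaultdict

# The [service/nfs-client] configuration quoted in the thread, verbatim.
POSTED_CONF = """
[gssproxy]

[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/etc/gssproxy/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
"""


def parse_gssproxy_conf(text):
    """Return {section: {key: [values]}}; cred_store may legitimately repeat."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            sections[section][key.strip()].append(value.strip())
    return sections


def lint_service(opts):
    """Return findings for one [service/...] section, following the reply above."""
    findings = []
    stores = opts.get("cred_store", [])
    kinds = {s.split(":", 1)[0] for s in stores}
    if opts.get("euid") == ["0"] and opts.get("allow_any_uid") == ["yes"]:
        findings.append("allow_any_uid: redundant, the client (rpc.gssd) already runs as root")
    if opts.get("cred_usage") == ["initiate"] and {"keytab", "client_keytab"} <= kinds:
        findings.append("keytab: unused when initiating only with explicit client_keytab")
    if any(s.startswith("ccache:") and "/var/lib/gssproxy/" in s for s in stores):
        findings.append("ccache: gssproxy-private path, real users' ccaches will not be found")
    return findings
```

Run against POSTED_CONF the linter reports all three points; a section with only a client_keytab store and a system-default ccache (for example FILE:/tmp/krb5cc_%U, an assumed default) produces no findings.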