[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Rob Verduijn rob.verduijn at gmail.com
Sat Sep 20 17:44:28 UTC 2014


Hi again,

Thank you for the quick response.
I've removed the credstore entries that are not necessary for the nfs
access.
Now the users no longer go through gssproxy, but apache does.

I've googled around quite a bit and it seems that your presentation on
youtube and the gssproxy page together with a bit on the fedora site are
about it concerning documentation.

The below gssproxy.conf works fine for apache accessing a kerberized nfs
share without having to authenticate against ipa.

If I were to create another share, say for a tftp directory, do I need to
create another entry like the one below, or can I simply say:
euid = 48,1,2,3,4

Or maybe this if you won't mind that any service with a keytab gets nfs
access.
euid = %U

Thanx for the quick help.


[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = no
  trusted = yes
  euid = 48



2014-09-20 18:15 GMT+02:00 Simo Sorce <simo at redhat.com>:

> On Sat, 20 Sep 2014 16:53:48 +0200
> Rob Verduijn <rob.verduijn at gmail.com> wrote:
>
> > Hello all,
> >
> > I've managed to get the gssproxy to work on my installation.
> > I can now mount my apache document root using sec=krb5p and apache
> > automagically mounts the share when needed.
> >
> > However I noticed that now all nfs credentials are going through
> > gssproxy. Is there a way to disable this for regular users (or only
> > enable it for apache)
> >
> > Below is the gssproxy.conf I used
>
> I assume you mean that gssproxy is used for all users when rpc.gssd is
> used? You cannot pick and choose this way, but gss-proxy can be
> configured to use regular users' caches so that it preserves proper
> authorization for access.
>
> > Cheers
> > Rob
> >
> >
> >
> > [gssproxy]
> >
> > [service/nfs-client]
> >   mechs = krb5
> >   cred_store = keytab:/etc/krb5.keytab
> >   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> >   cred_store = client_keytab:/etc/gssproxy/%U.keytab
> >   cred_usage = initiate
> >   allow_any_uid = yes
> >   trusted = yes
> >   euid = 0
>
> You do not need allow_any_uid in your case as rpc.gssd always runs as
> root.
>
> You can also remove the keytab:/etc/krb5.keytab option as you are only
> going to initiate with explicit client keytabs.
>
> If you only have the apache keytab in /etc/gssproxy then any other
> user will fall back to local resolution.
>
> You may also experiment with setting ccache to the default for your
> system so that gss-proxy can find actual user's ccaches, though that
> may comport some minor risk and will force you to run gss-proxy as root.
>
>
> HTH,
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
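As an added illustration (not code from the thread or from the gssproxy project), the script below parses the two gssproxy.conf variants posted above and flags the settings Simo called out: `allow_any_uid = yes`, the host `keytab:` entry, and the uid-templated `client_keytab:` path that hands credentials to every uid with a keytab in /etc/gssproxy. The parser is a minimal one written for this example, and the findings are heuristics derived from the thread, not rules from gssproxy itself.

```python
"""Review gssproxy.conf-style sections for settings that widen who can obtain
NFS client credentials.  Illustration code for this thread, not gssproxy's own;
the two sample configs are the ones posted in the thread, embedded as input."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample 1: the config from the first mail (host keytab, any uid).
ORIGINAL_CONF = """
[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
"""

# Constructed sample 2: the trimmed config from the follow-up (apache only).
TRIMMED_CONF = """
[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = no
  trusted = yes
  euid = 48
"""


@dataclass
class Section:
    name: str
    cred_store: List[str] = field(default_factory=list)  # key may repeat
    options: Dict[str, str] = field(default_factory=dict)


def parse_gssproxy_conf(text: str) -> Dict[str, Section]:
    """Minimal parser for the [section] / key = value layout gssproxy uses.
    cred_store is collected as a list because it legitimately repeats."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Section(name=line[1:-1])
            sections[current.name] = current
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "cred_store":
            current.cred_store.append(value)
        else:
            current.options[key] = value
    return sections


def review_service(svc: Section) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one [service/...] section,
    following the points raised in the thread (heuristics, not gssproxy rules)."""
    findings: List[Tuple[str, str]] = []
    if svc.options.get("allow_any_uid", "no").lower() == "yes":
        findings.append(("warn", "allow_any_uid=yes: any local uid may talk to "
                         "this service; rpc.gssd runs as root, so it is not needed"))
    if "euid" not in svc.options:
        findings.append(("warn", "no euid: service is not pinned to one caller uid"))
    for store in svc.cred_store:
        kind, _, path = store.partition(":")
        if kind == "keytab":
            findings.append(("warn", f"host keytab {path} usable for initiation; "
                             "drop it when only client keytabs are intended"))
        elif kind == "client_keytab" and "%U" in path:
            findings.append(("info", f"{path} is uid-templated: every uid that has "
                             "a keytab at that path obtains credentials"))
    return findings


def review_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Review every [service/...] section of a config text."""
    return {name: review_service(sec)
            for name, sec in parse_gssproxy_conf(text).items()
            if name.startswith("service/")}


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("trimmed", TRIMMED_CONF)):
        for name, findings in review_conf(conf).items():
            print(f"{label} {name}:")
            for sev, msg in findings:
                print(f"  [{sev}] {msg}")
```

Running it shows the original config with two warnings (the `allow_any_uid` and host-keytab points) plus the informational note about the `%U` keytab path, while the trimmed config keeps only that note: with `euid = 48` and a single `client_keytab:/etc/gssproxy/%U.keytab` entry, what still deserves a periodic check is which keytab files actually exist under /etc/gssproxy.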