[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Simo Sorce simo at redhat.com
Mon Sep 22 19:50:24 UTC 2014


On Mon, 22 Sep 2014 15:09:42 -0400
Dmitri Pal <dpal at redhat.com> wrote:

> On 09/20/2014 05:19 PM, Simo Sorce wrote:
> > On Sat, 20 Sep 2014 19:44:28 +0200
> > Rob Verduijn <rob.verduijn at gmail.com> wrote:
> >
> >> Hi again,
> >>
> >> Thank you for the quick response.
> >> I've removed the credstore entries that are not necessary for the
> >> nfs access.
> >> Now the users no longer go through gssproxy, but apache does.
> >>
> >> I've googled around quite a bit and it seems that your
> >> presentation on YouTube and the gssproxy page together with a bit
> >> on the Fedora site are about it concerning documentation.
> > We do not have a lot of docs yet, indeed.
> 
> 
> Is there any chance we can publish this setup somewhere as a HOWTO?
> Maybe on GSS proxy or IPA wiki?
> That would help others coming after you.
> 
> If you have a Fedora account you can add content to FreeIPA wiki.

With a Fedora account you can also write to the GSS-Proxy wiki which
may be more appropriate.

> 
> >
> >> The below gssproxy.conf works fine for apache accessing a
> >> kerberized nfs share without having to authenticate against ipa.
> >>
> >> If I were to create another share for say a tftp directory do I
> >> need to create another entry like the one below or can I simply
> >> say : euid =  48,1,2,3,4
> > Nope, euid is single-valued.
> 
> 
> Should we open RFE for it?
> ding-libs can return you a list of numbers.

No, it rarely if ever would make sense to do so, and we want to move
the conf to have multiple conf snippets instead of a single file; in
that case you'll want to have multiple snippets, one per user.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



