[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Rob Verduijn rob.verduijn at gmail.com
Mon Sep 22 20:15:23 UTC 2014


2014-09-22 21:50 GMT+02:00 Simo Sorce <simo at redhat.com>:

> On Mon, 22 Sep 2014 15:09:42 -0400
> Dmitri Pal <dpal at redhat.com> wrote:
>
> > On 09/20/2014 05:19 PM, Simo Sorce wrote:
> > > On Sat, 20 Sep 2014 19:44:28 +0200
> > > Rob Verduijn <rob.verduijn at gmail.com> wrote:
> > >
> > >> Hi again,
> > >>
> > >> Thank you for the quick response.
> > >> I've removed the credstore entries that are not necessary for the
> > >> nfs access.
> > >> Now the users no longer go through gssproxy, but apache does.
> > >>
> > >> I've googled around quite a bit and it seems that your
> > >> presentation on youtube and the gssproxy page together with a bit
> > >> on the fedora site are about it concerning documentation.
> > > We do not have a lot of docs yet, indeed.
> >
> >
> > Is there any chance we can publish this setup somewhere as a HOWTO?
> > Maybe on GSS proxy or IPA wiki?
> > That would help others coming after you.
> >
> > If you have a fedora account you can add content to FreeIPA wiki.
>
> With a Fedora account you can also write to the GSS-Proxy wiki which
> may be more appropriate.
>

I've got no problem in writing a howto on what I did.
But I have to find some time to sit down for it, and create a fedora
account first.




>
> >
> > >
> > >> The below gssproxy.conf works fine for apache accessing a
> > >> kerberized nfs share without having to authenticate against ipa.
> > >>
> > >> If I were to create another share for say a tftp directory do I
> > >> need to create another entry like the one below or can I simply
> > >> say : euid =  48,1,2,3,4
> > > Nope, euid is single-valued.
> >
> >
> > Should we open an RFE for it?
> > ding-libs can return you a list of numbers.
>
> No, it rarely if ever would make sense to do so, and we want to move
> the conf to have multiple conf snippets instead of a single file; in
> that case you'll want to have multiple snippets, one per user.
>

I did indeed create a second snippet for the other service. :P

Rob



>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>