<div dir="ltr">Hi again,<div><br></div><div>Thank you for the quick response.</div><div>I've removed the credstore entries that are not necessary for the nfs access.</div><div>Now the users no longer go through gssproxy, but apache does.</div><div><br></div><div>I've googled around quite a bit and it seems that your presentation on youtube and the gssproxy page, together with a bit on the fedora site, are about it concerning documentation.</div><div><br></div><div>The below gssproxy.conf works fine for apache accessing a kerberized nfs share without having to authenticate against ipa.</div><div><br></div><div>If I were to create another share for, say, a tftp directory, do I need to create another entry like the one below or can I simply say:</div><div>euid = 48,1,2,3,4</div><div><br></div><div>Or maybe this, if you won't mind that any service with a keytab gets nfs access.</div><div>euid = %U<br></div><div><br></div><div>Thanx for the quick help.</div><div><br></div><div><br></div><div><div>[gssproxy]</div><div><br></div><div>[service/nfs-client]</div><div> mechs = krb5</div><div> cred_store = client_keytab:/etc/gssproxy/%U.keytab<br></div><div> cred_usage = initiate</div><div> allow_any_uid = no</div><div> trusted = yes</div><div> euid = 48</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-09-20 18:15 GMT+02:00 Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sat, 20 Sep 2014 16:53:48 +0200<br>
Rob Verduijn <<a href="mailto:rob.verduijn@gmail.com">rob.verduijn@gmail.com</a>> wrote:<br>
<br>
> Hello all,<br>
><br>
> I've managed to get the gssproxy to work on my installation.<br>
> I can now mount my apache document root using sec=krb5p and apache<br>
> automagically mounts the share when needed.<br>
><br>
> However I noticed that now all nfs credentials are going through<br>
> gssproxy. Is there a way to disable this for regular users (or only<br>
> enable it for apache)<br>
><br>
> Below is the gssproxy.conf I used<br>
<br>
</span>I assume you mean that gssproxy is used for all users when rpc.gssd is<br>
used? You cannot pick and choose this way, but gss-proxy can be<br>
configured to use regular users' caches so that it preserves proper<br>
authorization for access.<br>
<span class=""><br>
> Cheers<br>
> Rob<br>
><br>
><br>
><br>
> [gssproxy]<br>
><br>
> [service/nfs-client]<br>
> mechs = krb5<br>
> cred_store = keytab:/etc/krb5.keytab<br>
> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U<br>
> cred_store = client_keytab:/etc/gssproxy/%U.keytab<br>
> cred_usage = initiate<br>
> allow_any_uid = yes<br>
> trusted = yes<br>
> euid = 0<br>
<br>
</span>You do not need allow_any_uid in your case as rpc.gssd always runs as<br>
root.<br>
<br>
You can also remove the keytab:/etc/krb5.keytab option as you are only<br>
going to initiate with explicit client keytabs.<br>
<br>
If you only have the apache keytab in /etc/gssproxy then any other<br>
user will fall back to local resolution.<br>
<br>
You may also experiment with setting ccache to the default for your<br>
system so that gss-proxy can find actual user's ccaches, though that<br>
may comport some minor risk and will force you to run gss-proxy as root.<br>
<br>
<br>
HTH,<br>
<div class="HOEnZb"><div class="h5">Simo.<br>
<br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
</div></div></blockquote></div><br></div>
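As an added example (not from the thread or the gssproxy project), the settings Simo calls unnecessary can be checked mechanically: this Python script parses the two gssproxy.conf variants quoted above, abridged to the relevant keys, and reports the redundant `keytab:` store and the `allow_any_uid = yes` setting. The parser and the two checks are the editor's own, written from the advice in the reply, not from gssproxy's documentation.

```python
# Added example, not from the thread: flag the settings the reply calls
# unnecessary for an rpc.gssd client service. Samples are abridged copies.
ORIGINAL_CONF = """[gssproxy]
[service/nfs-client]
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/etc/gssproxy/%U.keytab
cred_usage = initiate
allow_any_uid = yes
euid = 0
"""

TIGHTENED_CONF = """[gssproxy]
[service/nfs-client]
cred_store = client_keytab:/etc/gssproxy/%U.keytab
cred_usage = initiate
allow_any_uid = no
euid = 48
"""

def parse_gssproxy_conf(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal INI-style parser; repeated keys such as cred_store are kept as lists."""
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections

def review_conf(text: str) -> list[str]:
    """Return one finding per redundant or over-broad setting in each [service/...] section."""
    findings = []
    for name, svc in parse_gssproxy_conf(text).items():
        if not name.startswith("service/"):
            continue
        stores = svc.get("cred_store", [])
        if svc.get("allow_any_uid", ["no"])[-1].lower() == "yes":
            findings.append(f"{name}: allow_any_uid=yes is unnecessary, rpc.gssd always calls as root")
        if any(s.startswith("keytab:") for s in stores) and any(s.startswith("client_keytab:") for s in stores):
            findings.append(f"{name}: keytab: store is redundant when initiating only with client keytabs")
    return findings
```

Running `review_conf(ORIGINAL_CONF)` yields two findings for the first config in the thread and none for the tightened one.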