Hi there,

I'm trying to make Apache to access a kerberized document root on CentOS 7 using gssproxy. So far without success. On the web server machine (=NFS client) I configured a gss-proxy config file:

# cat /etc/gssproxy/99-nfs-client.conf
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

In addition to this I set up a credentials cache /var/lib/gssproxy/clients/krb5cc_<httpd uid>

The Apache user is managed using FreeIPA and is a member of the exported directory's group that shall be used as document root, hence it should have access permissions to the directory and kinit for "apache" shows no ticket.

However, when I "su -s /bin/bash apache" and try to access the NFS-mounted directory, I get permission denied (even with SELinux temporarily disabled).

Right now, I do not see how I can proceed and there's not much meat on the Google-bone for this specific topic. Can someone here point me into the right direction?

  * Is the config outlined the correct way to achieve what I want to do?
  * Is there a way to debug the issue I'm furrently facing?

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to