On Tue, 2018-02-13 at 15:35 +0100, Ray via FreeIPA-users wrote:
> Hi there,
> I'm trying to make Apache to access a kerberized document root on CentOS 
> 7 using gssproxy. So far without success. On the web server machine 
> (=NFS client) I configured a gss-proxy config file:
> # cat /etc/gssproxy/99-nfs-client.conf
> [service/nfs-client]
>    mechs = krb5
>    cred_store = keytab:/etc/krb5.keytab
>    cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
>    cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
>    cred_usage = initiate
>    allow_any_uid = yes
>    trusted = yes
>    euid = 0
> In addition to this I set up a credentials cache 
> /var/lib/gssproxy/clients/krb5cc_<httpd uid>

What did you put in this file ?

> The Apache user is managed using FreeIPA and is a member of the exported 
> directory's group that shall be used as document root, hence it should 
> have access permissions to the directory and kinit for "apache" shows no 
> ticket.

Did you get a keytab for the apache user and place it in
/var/lib/gssproxy/clients/<httpd_uid>.keytab ?

> However, when I "su -s /bin/bash apache" and try to access the 
> NFS-mounted directory, I get permission denied (even with SELinux 
> temporarily disabled).
> Right now, I do not see how I can proceed and there's not much meat on 
> the Google-bone for this specific topic. Can someone here point me into 
> the right direction?
>    * Is the config outlined the correct way to achieve what I want to do?

The configuration is correct, although you could tailor it specifically
to the apache process (setting a strinct euid not using allow_any_uid
nor trusted).

>    * Is there a way to debug the issue I'm furrently facing?

You can raise the debug level of gssproxy to 3 and see what fails.


Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to