Thanks, I'll try that and will give you feedback as soon as possible.


2012/9/26 Anthony Messina <amess...@messinet.com>

> On Wednesday, September 26, 2012 12:21:14 AM James James wrote:
> > I have  :
> >
> > - a freeipa server + autofs maps
> > - a nfsv4 server
> > - a web server
> >
> > from the webserver I can mount my nfs4 exported home dir. Everything works
> > well.
> >
> > I want to access my public_html directory from the web server. From my
> > browser, when I try to reach http://myweserver/~user, I've got 403
> > Forbidden and the logs give me :
> >
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>'
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> >
> >
> > Apache user id is 48.
>
> You don't say what system you're using, but for Fedora 16 and 17 (with
> systemd), you can use something like the following in
> /etc/systemd/system/httpd.service:
>
> # Pull in the packaged unit and extend it below.
> .include /usr/lib/systemd/system/httpd.service
> [Unit]
> Requires=network.target
> After=network.target
>
> [Service]
> Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
> Environment=KRB5CCNAME=/tmp/krb5cc_48
> # Before httpd starts: get a renewable (7 day) TGT for the apache principal
> # from the keytab into $KRB5CCNAME, hand the cache to uid 48 so rpc.gssd
> # will accept it, and label it like a user-owned file in /tmp.
> ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache
> ExecStartPre=/usr/bin/chown apache:apache ${KRB5CCNAME}
> ExecStartPre=/usr/bin/chcon -t user_tmp_t ${KRB5CCNAME}
> # httpd and rpc.gssd must see the same /tmp, so no private tmp namespace.
> PrivateTmp=false
>
>
>
> And you'll need to add a cron job similar to:
> # Renew the ticket every 8 hours as apache (its default cache is /tmp/krb5cc_48);
> # kinit rewrites the cache file, so restore the SELinux context afterwards.
> 5 */8 * * *     apache          /usr/bin/kinit -R ; chcon -t user_tmp_t /tmp/krb5cc_48
>
>
> Of course, this may all change when Fedora 18 comes out with its shiny new
> way of handling credentials.
>
>
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
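As an added example that is not part of the thread (neither James's log nor Anthony's unit file), the rpc.gssd debug lines quoted above can be parsed to show why the upcall for uid 48 failed: every credential cache gssd considered in /tmp was owned by some other uid, so no context could be built. The script below reconstructs that from the log, reports the cache gssd would expect, and applies the same ownership test to a file on disk. The sample log is constructed from the quoted lines; the `/tmp/krb5cc_<uid>` default cache name is assumed (MIT krb5 FILE cache naming of that era), and the 0600 mode check is stricter than what rpc.gssd itself enforces.

```python
"""Parse rpc.gssd debug output and report why a krb5 context could not be created."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed sample, modelled on the rpc.gssd lines quoted in the thread.
SAMPLE_LOG = """\
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>'
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
"""

GETTING_RE = re.compile(r"getting credentials for client with uid (\d+) for server (\S+)")
REJECT_RE = re.compile(r"CC file '([^']+)' owned by (\d+), not (\d+)")
FAIL_RE = re.compile(r"Failed to create krb5 context for user with uid (\d+) for server (\S+)")


@dataclass
class GssdFailure:
    uid: int
    server: str
    rejected: list = field(default_factory=list)  # (ccache path, owning uid)


def analyze(log_text: str) -> list:
    """Walk the log and collect one GssdFailure per failed credential lookup."""
    failures, current = [], None
    for line in log_text.splitlines():
        if m := GETTING_RE.search(line):
            current = GssdFailure(int(m.group(1)), m.group(2))
        elif m := REJECT_RE.search(line):
            if current is None:  # rejection without a preceding "getting credentials"
                current = GssdFailure(int(m.group(3)), "?")
            current.rejected.append((m.group(1), int(m.group(2))))
        elif m := FAIL_RE.search(line):
            if current is None:
                current = GssdFailure(int(m.group(1)), m.group(2))
            failures.append(current)
            current = None
    return failures


def default_ccache(uid: int, tmpdir: str = "/tmp") -> str:
    """Assumption: MIT krb5 FILE cache default name, /tmp/krb5cc_<uid>."""
    return os.path.join(tmpdir, f"krb5cc_{uid}")


def ccache_usable_by(path: str, uid: int):
    """gssd's rule (file must be owned by uid) plus a 0600 check gssd does not make."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f"{path}: no such file"
    if st.st_uid != uid:
        return False, f"{path}: owned by {st.st_uid}, not {uid}"
    if st.st_mode & 0o077:
        return False, f"{path}: mode {oct(st.st_mode & 0o777)} is readable by others"
    return True, f"{path}: owned by {uid}, mode {oct(st.st_mode & 0o777)}"


def diagnose(f: GssdFailure) -> str:
    lines = [f"uid {f.uid} has no usable Kerberos ccache for server {f.server}"]
    for path, owner in f.rejected:
        lines.append(f"  rejected {path} (owned by uid {owner})")
    lines.append(f"  fix: put a TGT in {default_ccache(f.uid)} owned by uid {f.uid} "
                 f"(e.g. kinit -k -t <keytab> with KRB5CCNAME set, then chown to {f.uid})")
    return "\n".join(lines)


def demo_ownership_check() -> dict:
    """Constructed demo: a 0600 file owned by the caller, checked against several uids."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "krb5cc_demo")
    with open(p, "w") as fh:
        fh.write("constructed placeholder, not a real ccache")
    os.chmod(p, 0o600)
    me = os.getuid()
    results = {
        "own_uid": ccache_usable_by(p, me)[0],
        "other_uid": ccache_usable_by(p, me + 1)[0],
        "missing": ccache_usable_by(os.path.join(d, "absent"), me)[0],
    }
    os.chmod(p, 0o644)
    results["world_readable"] = ccache_usable_by(p, me)[0]
    return results


if __name__ == "__main__":
    for failure in analyze(SAMPLE_LOG):
        print(diagnose(failure))
    print(demo_ownership_check())
```

Run it against `journalctl -u rpc-gssd` output (with `rpc.gssd -vvv` enabled) instead of the sample to get the same report for a live system; the ownership check is the thing to re-run after any `kinit -R`, since a renewal that recreates the cache file with the wrong owner or context reproduces the 403.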