Hi Rob,

How does the NFS server map the apache user to “something” it recognizes? I 
would suggest that the easiest solution may be to use an IPA account called 
“apache”, so that the mappings would just work, but currently I’m having 
trouble running a service as a domain user via systemd. 

Beyond that, for kerberized NFS (local or domain user), you’ll need something 
to keep a fresh ticket on hand, so you may end up running something like 
k5start, and setting KRB5CCNAME in the environment where you’re running apache.


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Verduijn
Sent: Monday, September 15, 2014 9:17 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for 
apache user


I've got a webserver whose default export is on a kerberized nfs4 export.

The export works fine for regular ipa users

However the apache user is not allowed to read anything from the export.

What would be the best practice to allow the apache user access to the nfs4 
export without switching to sec=sys ?


This electronic message contains information generated by the USDA solely for 
the intended recipients. Any unauthorized interception of this message or the 
use or disclosure of the information it contains may violate the law and 
subject the violator to civil or criminal penalties. If you believe you have 
received this message in error, please notify the sender and delete the email 
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to