Hi Rob,

How does the NFS server map the apache user to “something” it recognizes? I would suggest that the easiest solution may be to use an IPA account called “apache”, so that the mappings would just work, but currently I’m having trouble running a service as a domain user via systemd. (https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194.html)

Beyond that, for kerberized NFS (local or domain user), you’ll need something to keep a fresh ticket on hand, so you may end up running something like k5start, and setting KRB5CCNAME in the environment where you’re running apache.

Bryce

From: [email protected] [mailto:[email protected]] On Behalf Of Rob Verduijn
Sent: Monday, September 15, 2014 9:17 AM
To: [email protected]
Subject: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Hello,

I've got a webserver whose default export is on a kerberized nfs4 export. The export works fine for regular ipa users. However the apache user is not allowed to read anything from the export.

What would be the best practice to allow the apache user access to the nfs4 export without switching to sec=sys?

Cheers
Rob
