On Monday, September 15, 2014 06:10:13 PM Nordgren, Bryce L -FS wrote:
> How does the NFS server map the apache user to “something” it recognizes? I
> would suggest that the easiest solution may be to use an IPA account called
> “apache”, so that the mappings would just work, but currently I’m having
> trouble running a service as a domain user via systemd.
> (https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194.html)

Regarding your thread on the sssd-users list, this issue has to do with 
systemd not looking up non-local users (via nss/sssd) as these accounts are 
not usually available at boot.  I had tried something similar using k5start 
(prior to using gssproxy) and found this out: 

> Beyond that, for kerberized NFS (local or domain user), you’ll need
> something to keep a fresh ticket on hand, so you may end up running
> something like k5start, and setting KRB5CCNAME in the environment where
> you’re running apache.

I now use gssproxy for this purpose -- maintaining NFS/KRB5 credentials for 
the "apache" user.  But I can tell you that I haven't yet figured out what I 
need to do to have FreeIPA issue Kerberos credentials for the "apache" user, 
while restricting the "apache" user in FreeIPA, based on the security concerns 
mentioned by John Dennis in the following email: 

Not trying to hijack the thread, but it would be helpful to have some 
instruction on: what is the FreeIPA-recommended way to enable Kerberos 
functionality for a system-account user, while restricting that system-account 
user?  The "apache" user is one that seems to be brought up frequently.


Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
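Added example, not part of the original message and not the gssproxy or FreeIPA projects' own documentation (the nfs-client stanza follows the shape of the stock gssproxy.conf shipped on Fedora): the gssproxy setup described above, which keeps an NFS client credential for the "apache" user refreshed from a client keytab, so that no k5start loop and no KRB5CCNAME in httpd's environment are needed. Assumptions: apache is uid 48 (the Fedora/RHEL default), a keytab for whatever principal the "apache" user should act as has already been placed at /var/lib/gssproxy/clients/48.keytab, and rpc.gssd runs as the rpc-gssd.service unit from nfs-utils. How to obtain that principal from FreeIPA and restrict it is the question the message leaves open and is not shown here.

```ini
# /etc/gssproxy/gssproxy.conf  (added example; the keys are real gssproxy options)
#
# The nfs-client service lets rpc.gssd (root, hence euid = 0) ask gssproxy for
# credentials on behalf of any local uid (allow_any_uid + trusted).  For each
# uid gssproxy looks for a client keytab at /var/lib/gssproxy/clients/<uid>.keytab,
# obtains a TGT from it, caches it in /var/lib/gssproxy/clients/krb5cc_<uid>, and
# re-acquires from the keytab when the cached ticket expires.  %U expands to the
# numeric uid the request is made for.
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

# The "apache" user (uid 48, assumed) therefore needs only its own client keytab,
# owned by root and mode 0600, at:
#   /var/lib/gssproxy/clients/48.keytab
# httpd itself needs no KRB5CCNAME: the in-kernel NFS client calls rpc.gssd,
# rpc.gssd calls gssproxy, and gssproxy holds and renews the ticket.

# /etc/systemd/system/rpc-gssd.service.d/gssproxy.conf  (added example)
# rpc.gssd only delegates credential handling to gssproxy when GSS_USE_PROXY
# is set in its environment.
[Service]
Environment=GSS_USE_PROXY=yes
```

After `systemctl daemon-reload` and restarting gssproxy and rpc-gssd, a process running as uid 48 that touches a `sec=krb5` mount should produce a cache at /var/lib/gssproxy/clients/krb5cc_48 without any ticket-keeping in httpd. On Fedora/RHEL of that era the same GSS_USE_PROXY variable typically lives in /etc/sysconfig/nfs instead of a unit drop-in. The keytab under /var/lib/gssproxy/clients is readable by root only, so the "apache" user cannot read its own key directly; what that key is allowed to do is still governed entirely by how the principal is restricted in FreeIPA, which is the part this message is asking about.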


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
