On Monday, September 15, 2014 06:10:13 PM Nordgren, Bryce L -FS wrote: > How does the NFS server map the apache user to “something” it recognizes? I > would suggest that the easiest solution may be to use an IPA account called > “apache”, so that the mappings would just work, but currently I’m having > trouble running a service as a domain user via systemd. > (https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194. > html)
Regarding your thread on the sssd-users list, this issue has to do with systemd not looking up non-local users (via nss/sssd) as these accounts are not usually available at boot. I had tried something similar using k5start (prior to using gssproxy) and found this out: https://bugzilla.redhat.com/show_bug.cgi?id=915912 > Beyond that, for kerberized NFS (local or domain user), you’ll need > something to keep a fresh ticket on hand, so you may end up running > something like k5start, and setting KRB5CCNAME in the environment where > you’re running apache. I now use gssproxy for this purpose -- maintaining NFS/KRB5 credentials for the "apache" user. But I can tell you that I haven't yet figured out what I need to do to have FreeIPA issue Kerberos credentials for the "apache" user, while restricting the "apache" user in FreeIPA, based on the security concerns mentioned by John Dennis in the following email: https://www.redhat.com/archives/freeipa-users/2013-February/msg00268.html. Not trying to hijack the thread, but it would be helpful to have some instruction on: What is the FreeIPA-recommended way to enable Kerberos functionality for a system account user, while restricting that system-account user? The "apache" user being one that seems to be brought up frequently. -A -- Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Description: This is a digitally signed message part.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project