2014-09-16 0:41 GMT+02:00 Anthony Messina <[email protected]>:
> On Monday, September 15, 2014 06:10:13 PM Nordgren, Bryce L -FS wrote:
> > How does the NFS server map the apache user to “something” it recognizes? I
> > would suggest that the easiest solution may be to use an IPA account called
> > “apache”, so that the mappings would just work, but currently I’m having
> > trouble running a service as a domain user via systemd.
> > (https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194.html)
>
> Regarding your thread on the sssd-users list, this issue has to do with
> systemd not looking up non-local users (via nss/sssd) as these accounts are
> not usually available at boot. I had tried something similar using k5start
> (prior to using gssproxy) and found this out:
> https://bugzilla.redhat.com/show_bug.cgi?id=915912
>
> > Beyond that, for kerberized NFS (local or domain user), you’ll need
> > something to keep a fresh ticket on hand, so you may end up running
> > something like k5start, and setting KRB5CCNAME in the environment where
> > you’re running apache.
>
> I now use gssproxy for this purpose -- maintaining NFS/KRB5 credentials for
> the "apache" user. But I can tell you that I haven't yet figured out what I
> need to do to have FreeIPA issue Kerberos credentials for the "apache" user,
> while restricting the "apache" user in FreeIPA, based on the security concerns
> mentioned by John Dennis in the following email:
> https://www.redhat.com/archives/freeipa-users/2013-February/msg00268.html.
>
> Not trying to hijack the thread, but it would be helpful to have some
> instruction on: What is the FreeIPA-recommended way to enable Kerberos
> functionality for a system account user, while restricting that system-account
> user? The "apache" user being one that seems to be brought up frequently.
>
> -A
>
> --
> Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Hello all,

It seems after doing some more serious googling I found that using a system account is problematic when using kerberized nfs4.

Like Anthony mentioned, it would be nice to have a 'general' howto on how to deal with this situation, Apache trying to use a document root on a kerberized nfs4 share being a very nice use case.

btw, after I posted this I spent some more time on google and found this old kb article on access.redhat.com that deals with a kerberized nfs document root for apache: https://access.redhat.com/solutions/56581

I haven't tried it yet because it feels a bit like a workaround to me, and I hoped to find a more elegant solution using ipa.

Cheers
Rob Verduijn
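As an added illustration of the k5start/KRB5CCNAME approach Anthony describes above (example configuration written for this page, not taken from the thread, from FreeIPA or from the Red Hat article), here is a systemd unit that keeps a ticket for the local "apache" user plus a drop-in that points httpd at that cache. The keytab path, the principal stored in it and uid 48 for apache are assumptions; the NFS server still has to map that principal to a uid via its own idmapping, which is the open question in the thread.

```ini
# /etc/systemd/system/k5start-apache.service  (added example, not from the thread)
[Unit]
Description=Keep a Kerberos ticket cache for the local apache user (NFS document root)
After=network-online.target
Before=httpd.service

[Service]
# Runs as root so it can chown the cache; the ticket itself belongs to apache.
# -K 10 keeps k5start in the foreground and refreshes every 10 minutes,
# -U uses the first principal found in the keytab (assumed: apache's principal),
# -o/-g/-m hand the cache file to the local apache user, mode 0600.
# The cache name /tmp/krb5cc_48 is deliberate: rpc.gssd locates a user's
# credentials by scanning /tmp for krb5cc_<uid>* files, so for NFS the file
# name matters; KRB5CCNAME (below) only matters for apache's own krb5 calls.
ExecStart=/usr/bin/k5start -L -K 10 -U -f /etc/httpd/apache.keytab \
    -k /tmp/krb5cc_48 -o apache -g apache -m 0600
Restart=on-failure

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/httpd.service.d/krb5cc.conf  (drop-in for the stock httpd unit)
[Unit]
# Start httpd only after the cache exists; stop it if the helper goes away.
Requires=k5start-apache.service
After=k5start-apache.service

[Service]
# Same cache the helper maintains. httpd keeps its local "apache" user, so
# systemd's User= lookup does not depend on sssd being up at boot (the
# systemd/non-local-user problem Anthony linked).
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_48
```

After `systemctl daemon-reload`, `klist -c /tmp/krb5cc_48` run as apache is the quick check that the helper is doing its job before touching the NFS export.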
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
