On 09/16/2014 11:58 AM, Simo Sorce wrote:
On Tue, 16 Sep 2014 09:12:53 +0200
Rob Verduijn <rob.verdu...@gmail.com> wrote:

2014-09-16 0:41 GMT+02:00 Anthony Messina <amess...@messinet.com>:

On Monday, September 15, 2014 06:10:13 PM Nordgren, Bryce L -FS wrote:
How does the NFS server map the apache user to “something” it recognizes? I would suggest that the easiest solution may be to use an IPA account called “apache”, so that the mappings would just work, but currently I’m having trouble running a service as a domain user via systemd.
(https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194.html)
Regarding your thread on the sssd-users list, this issue has to do
with systemd not looking up non-local users (via nss/sssd) as these
accounts are not usually available at boot.  I had tried something
similar using k5start (prior to using gssproxy) and found this out:
https://bugzilla.redhat.com/show_bug.cgi?id=915912

Beyond that, for kerberized NFS (local or domain user), you’ll
need something to keep a fresh ticket on hand, so you may end up
running something like k5start, and setting KRB5CCNAME in the
environment where you’re running apache.
I now use gssproxy for this purpose -- maintaining NFS/KRB5 credentials for the "apache" user.  But I can tell you that I haven't yet figured out what I need to do to have FreeIPA issue Kerberos credentials for the "apache" user, while restricting the "apache" user in FreeIPA, based on the security concerns mentioned by John Dennis in the following email:
https://www.redhat.com/archives/freeipa-users/2013-February/msg00268.html.

Not trying to hijack the thread, but it would be helpful to have some instruction on:  What is the FreeIPA-recommended way to enable Kerberos functionality for a system account user, while restricting that system-account user?  The "apache" user being one that seems to be brought up frequently.

-A

--
Anthony - https://messinet.com/ -
https://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE
9967 92DC 35DC B001 4A4E

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Hello all,

It seems after doing some more serious googling I found that using a
system-account is problematic when using kerberized nfs4.

Like Anthony mentioned it would be nice to have a 'general' howto on
how to deal with this situation.

Apache trying to use a document root on a kerberized nfs4 share being
a very nice use case.

btw after I posted this I spent some more time on google and found
this old kb article on access.redhat.com that deals with a
kerberized nfs document root for apache:
https://access.redhat.com/solutions/56581
I haven't tried it yet because it feels a bit like a workaround to me
and I hoped to find a more elegant solution using ipa.

You will need some credentials for the apache process, but do not use
host or nfs as shown in that aging article.

The solution we've been working on for quite a while is called
gss-proxy which, interposed to rpc.gssd, can allow you to configure
specific keytabs to be used to obtain credentials for unattended
service.

Unfortunately we are still in the process of writing documentation but
here is the project page for reference:
https://fedorahosted.org/gss-proxy/

Simo.
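As an added illustration (not from this thread and not the gss-proxy project's own documentation), this is the shape of a gssproxy client-side service entry of the kind Simo describes. It assumes the /var/lib/gssproxy/clients layout and the %U uid expansion used in gssproxy's NFS client example, that apache runs as uid 48, and a constructed service principal name; the file path is a conventional name, not a requirement.

```ini
# /etc/gssproxy/99-nfs-client.conf  (assumed path; the name is a convention)
# gssproxy sits between rpc.gssd and the KDC, so the apache process itself
# never needs a credential cache of its own or a k5start keeping it fresh.
[service/nfs-client]
  mechs = krb5
  # The host keytab still serves the machine's own NFS traffic (uid 0).
  cred_store = keytab:/etc/krb5.keytab
  # Per-uid credential cache that gssproxy creates and renews on its own.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  # Per-uid client keytab; %U expands to the numeric uid of the calling
  # process. For apache (uid 48 on Fedora/RHEL, assumed) the file is
  # /var/lib/gssproxy/clients/48.keytab. Put a dedicated principal in it,
  # e.g. apache/www.example.com@EXAMPLE.COM (constructed name), and NOT the
  # host/ or nfs/ principal, so a compromise of the web server does not
  # hand over the machine's or the NFS service's own identity.
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  # rpc.gssd runs as root, so that is the uid gssproxy must accept.
  euid = 0
```

For the interposition to take effect rpc.gssd has to run with GSS_USE_PROXY=yes in its environment (on Fedora of this period set in /etc/sysconfig/nfs, assumed), and the per-uid keytab should be owned by root and mode 0600 because only gssproxy, not apache, reads it.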

Also opened https://fedorahosted.org/freeipa/ticket/4544

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
