2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS <[email protected]>:
> > Also opened https://fedorahosted.org/freeipa/ticket/4544
>
> Tried to summarize this thread on that ticket.
>
> Back to the OP's concern, whenever I use NFS as a documentroot for apache
> (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys,
> set "all-squash", and specify the webserver's IP. It's not like individual
> user accounts need a presence on the filesystem. Do you need encryption for
> your application or is apache just going to spray the content out across
> the commodity internet via un-encrypted http?
>
> Bryce

Hello,

I've already implemented the share as
1.2.3.4(ro,sync,all-squash,sec=sys)

It's not sensitive data and it's also internal, so it will do fine for now as a workaround.

But there is going to be a situation that apache requires access to a document root containing sensitive data; in that case I would prefer a more secure method.

I've been reading up a little on the gss-proxy, which would be the preferred way of obtaining the credentials from a keytab. Have gss-proxy do it or have gss-proxy use s4u2proxy to fetch the keytab? (which might also solve some of my ssh annoyances but that's a bit off topic)

Rob Verduijn
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
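
The workaround discussed in this message (sec=sys, everyone squashed, read-only, a single web server IP) can be checked mechanically. The following is an added example, not part of the original thread: a small auditor for `/etc/exports` entries that still rely on sec=sys. The sample paths are constructed, and the option is written `all_squash`, which is how exports(5) spells it.

```python
import re

# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# workaround from the thread: one host, read-only, everyone squashed
/srv/www/public   1.2.3.4(ro,sync,all_squash,sec=sys)
# sensitive docroot left on sec=sys, writable, open to any client
/srv/www/private  *(rw,sync,sec=sys)
# sensitive docroot exported with Kerberos privacy instead
/srv/www/secure   1.2.3.4(ro,sync,sec=krb5p)
"""

# One "client(options)" entry; an empty client part means "any host".
ENTRY_RE = re.compile(r"(?P<client>[^\s()]*)\((?P<opts>[^)]*)\)")


def audit_exports(text):
    """Return (path, client, finding) tuples for risky sec=sys exports."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # blank/comment line, or a path with no client(options)
        path, clients = parts
        for m in ENTRY_RE.finditer(clients):
            client = m.group("client") or "*"
            opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
            flavors = {"sys"}  # exports(5): sec defaults to sys when omitted
            for o in opts:
                if o.startswith("sec="):
                    flavors = set(o[4:].split(":"))
            if "sys" not in flavors:
                continue  # Kerberos-only: identity is not asserted by the client
            # With sec=sys the server trusts client-supplied UIDs, so the
            # compensating controls from the thread must all be present.
            if any(c in client for c in "*?/@"):
                findings.append((path, client, "sec=sys not pinned to a single host"))
            if "all_squash" not in opts:
                findings.append((path, client, "sec=sys without all_squash"))
            if "rw" in opts:
                findings.append((path, client, "sec=sys export is writable"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}]: {finding}")
```
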
