2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS <bnordg...@fs.fed.us>:

>
> > Also opened https://fedorahosted.org/freeipa/ticket/4544
>
> Tried to summarize this thread on that ticket.
>
> Back to the OP's concern, whenever I use NFS as a document root for Apache
> (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys,
> set "all-squash", and specify the webserver's IP. It's not like individual
> user accounts need a presence on the filesystem. Do you need encryption for
> your application or is apache just going to spray the content out across
> the commodity internet via un-encrypted http?
>
> Bryce
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>


Hello,

I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys)
It's not sensitive data and it's also internal, so it will do fine for now
as a workaround.
But there is going to be a situation where Apache requires access to a
document root containing sensitive data, and in that case I would prefer a more
secure method.

I've been reading up a little on gss-proxy, which would be the preferred
way of obtaining the credentials from a keytab.
Have gss-proxy do it, or have gss-proxy use s4u2proxy to fetch the keytab?
(Which might also solve some of my ssh annoyances, but that's a bit off topic.)

Rob Verduijn
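The export line from the workaround above, checked the way a pre-deploy gate would, as an added example that is not part of the thread or of FreeIPA: a POSIX sh audit of exports(5) entries that flags sec=sys (or a missing sec= option, which defaults to sys), host wildcards, no_root_squash, all_squash and rw, and treats krb5p as the flavor that also encrypts file data on the wire. The sample entries at the bottom are constructed from the thread's workaround; the path /srv/www is an assumption, and both the all-squash spelling used in the thread and all_squash from exports(5) are matched without checking which one exportfs actually accepts.

```shell
#!/bin/sh
# Added example, not code from the thread: audit exports(5) entries for the
# settings discussed above (sec=sys vs. krb5*, all_squash, host lists).
# Entry format is the one from /etc/exports, space-separated:
#   /srv/www 1.2.3.4(ro,sync,all_squash,sec=sys) 10.0.0.0/8(ro,sec=krb5p)
# Findings are printed one per line; the return value is the number of
# findings, so "audit_export ... || exit 1" works as a pre-deploy gate.

# Record one finding for PATH HOST and count it.
finding() {
    printf '%s %s: %s\n' "$1" "$2" "$3"
    findings=$((findings + 1))
}

# Print the sec= flavor list of an option string, or "sys" when no sec=
# option is present (exports(5): sys is the default flavor).
sec_flavors() {
    flavors=sys
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case $opt in
            sec=*) flavors=${opt#sec=} ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$flavors"
}

# Audit one exports(5) line: every client spec is checked separately.
audit_export() {
    entry=$1
    path=${entry%% *}
    specs=${entry#* }
    findings=0
    set -f                                # no pathname globbing on "*" hosts
    for spec in $specs; do
        host=${spec%%(*}
        if [ "$host" = "$spec" ]; then
            opts=""                       # bare host: every option at its default
        else
            opts=${spec#*(}
            opts=${opts%)}
        fi

        # Who may mount it at all.
        case $host in
            ''|'*') finding "$path" "${host:-<none>}" \
                "no host or *: open to every client; list explicit hosts, networks or netgroups" ;;
        esac

        # How the client is authenticated and whether the wire is protected.
        flavors=$(sec_flavors "$opts")
        case ":$flavors:" in
            *:sys:*) finding "$path" "$host" \
                "sec=sys: server trusts the uid/gid the client asserts, no integrity or encryption on the wire" ;;
        esac
        case ":$flavors:" in
            *:krb5p:*) ;;                 # authenticated, integrity-protected and encrypted
            *:krb5i:*|*:krb5:*) finding "$path" "$host" \
                "Kerberos without privacy: add krb5p so file data is encrypted in transit" ;;
        esac

        # Identity mapping and write access.
        case ",$opts," in
            *,no_root_squash,*) finding "$path" "$host" \
                "no_root_squash: client root is root on the export" ;;
        esac
        case ",$opts," in
            *,all_squash,*|*,all-squash,*) finding "$path" "$host" \
                "all_squash: every caller becomes anonuid/anongid, per-user authorization is lost (OK for a public ro docroot, not for sensitive data)" ;;
        esac
        case ",$opts," in
            *,rw,*) finding "$path" "$host" \
                "rw: a document root served by a web server normally needs only ro" ;;
        esac
    done
    set +f
    return $findings
}

# Constructed samples: the workaround from the thread and a hardened replacement
# (sec=krb5p requires the client to present Kerberos credentials for the uid
# that touches the files, which is what the gss-proxy question above is about).
WEAK='/srv/www 1.2.3.4(ro,sync,all-squash,sec=sys)'
HARD='/srv/www 1.2.3.4(ro,sync,sec=krb5p)'

if [ $# -eq 0 ]; then
    for e in "$WEAK" "$HARD"; do
        printf '== %s\n' "$e"
        audit_export "$e" || true
    done
else
    for e in "$@"; do audit_export "$e" || true; done
fi
```

Pass each exports line as one quoted argument, e.g. `sh audit_exports.sh '/srv/www 1.2.3.4(ro,sync,sec=krb5p)'`; with no arguments it audits the two built-in samples, reporting two findings for the workaround line and none for the krb5p one. The hardened line only moves the work to the client: with sec=krb5p the server decides on the Kerberos principal presented for the uid doing the I/O, so the web server's uid has to hold credentials, which is the keytab and gss-proxy question raised above rather than something the export line solves.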