Hello all,

I've managed to get the gssproxy to work on my installation.
I can now mount my apache document root using sec=krb5p and apache
automagically mounts the share when needed.

However I noticed that now all nfs credentials are going through gssproxy.
Is there a way to disable this for regular users (or only enable it for
apache)?

Below is the gssproxy.conf I used

Cheers
Rob



[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0



2014-09-17 9:15 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:

>
>
> 2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS <bnordg...@fs.fed.us>:
>
>
>> > Also opened https://fedorahosted.org/freeipa/ticket/4544
>>
>> Tried to summarize this thread on that ticket.
>>
>> Back to the OP's concern, whenever I use NFS as a documentroot for apache
>> (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys,
>> set "all-squash", and specify the webserver's IP. It's not like individual
>> user accounts need a presence on the filesystem. Do you need encryption for
>> your application or is apache just going to spray the content out across
>> the commodity internet via un-encrypted http?
>>
>> Bryce
>>
>
>
> Hello,
>
> I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys)
> It's not sensitive data and it's also internal, so it will do fine for now
> as a workaround.
> But there is going to be a situation that apache requires access to a
> document root containing sensitive data, in that case I would prefer a more
> secure method.
>
> I've been reading up a little on the gss-proxy, which would be the
> preferred way of obtaining the credentials from a keytab.
> Have gss-proxy do it or have gss-proxy use s4u2proxy to fetch the keytab?
> (which might also solve some of my ssh annoyances but that's a bit off
> topic)
>
> Rob Verduijn
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
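As an added example (not code from the original mail or from gssproxy itself): a small Python reader for the gssproxy.conf posted above that keeps the repeated cred_store keys, expands the %U uid template, and flags the settings that make the section serve every local uid. The embedded copy of the config and the uid used for the expansion are constructed sample data.

```python
import re

# Constructed copy of the nfs-client section posted in the mail above.
SAMPLE_CONF = """[gssproxy]
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
"""


def parse_gssproxy_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as
    cred_store in order (configparser would reject the duplicates)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def cred_stores_for_uid(entries, uid):
    """Expand the %U (numeric uid) template in every cred_store entry."""
    return [v.replace("%U", str(uid)) for k, v in entries if k == "cred_store"]


def audit_service(entries):
    """Flag settings that widen which callers the service hands credentials to."""
    kv = dict(entries)  # last value wins for keys that do not repeat
    findings = []
    if kv.get("allow_any_uid", "no").lower() == "yes":
        findings.append("allow_any_uid=yes: any local uid may use this service")
    if kv.get("trusted", "no").lower() == "yes":
        findings.append("trusted=yes: caller is trusted, impersonation enabled")
    if any(k == "cred_store" and v.startswith("client_keytab:") and "%U" in v
           for k, v in entries):
        findings.append("client_keytab with %U: one keytab per uid is expected")
    return findings
```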
