On Sat, 20 Sep 2014 16:53:48 +0200
Rob Verduijn <rob.verdu...@gmail.com> wrote:

> Hello all,
> 
> I've managed to get the gssproxy to work on my installation.
> I can now mount my apache document root using sec=krb5p and apache
> automagically mounts the share when needed.
> 
> However I noticed that now all nfs credentials are going through
> gssproxy. Is there a way to disable this for regular users (or only
> enable it for apache)
> 
> Below is the gssproxy.conf I used

I assume you mean that gssproxy is used for all users when rpc.gssd is
used ? You cannot pick and choose this way, but gss-proxy can be
configured to user regular user's caches so that it preserve proper
authorization for access.

> Cheers
> Rob
> 
> 
> 
> [gssproxy]
> 
> [service/nfs-client]
>   mechs = krb5
>   cred_store = keytab:/etc/krb5.keytab
>   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
>   cred_store = client_keytab:/etc/gssproxy/%U.keytab
>   cred_usage = initiate
>   allow_any_uid = yes
>   trusted = yes
>   euid = 0

You do not need allow_any_uid in your case as rpc.gssd always runs as
root.

You can also remove the keytab:/etc/krb5.keytab option as you are only
going to initiate with explicit client keytabs.

If you only have the apache keytab in /etc/gssproxy then for any other
user will fall back to local resolution.

You may also experiment with setting ccache to the default for your
system so that gss-proxy can find actual user's ccaches, though that
may comport some minor risk and will force you to run gss-proxy as root.


HTH,
Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to