On Saturday, September 20, 2014 12:15:04 PM Simo Sorce wrote:
> > [service/nfs-client]
> >
> >   mechs = krb5
> >   cred_store = keytab:/etc/krb5.keytab
> >   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> >   cred_store = client_keytab:/etc/gssproxy/%U.keytab
> >   cred_usage = initiate
> >   allow_any_uid = yes
> >   trusted = yes
> >   euid = 0
> 
> You do not need allow_any_uid in your case as rpc.gssd always runs as
> root.
> 
> You can also remove the keytab:/etc/krb5.keytab option as you are only
> going to initiate with explicit client keytabs.
> 
> If you only have the apache keytab in /etc/gssproxy, then for any other
> user it will fall back to local resolution.
> 
> You may also experiment with setting ccache to the default for your
> system so that gss-proxy can find actual user's ccaches, though that
> may comport some minor risk and will force you to run gss-proxy as root.

Simo, Rob's [service/nfs-client] configuration looks identical to mine, which 
appears to be the default, at least in Fedora 20:

https://git.fedorahosted.org/cgit/gss-proxy.git/tree/proxy/examples/gssproxy.conf.in

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
