On Sat, 20 Sep 2014 11:38:16 -0500
Anthony Messina <amess...@messinet.com> wrote:

> On Saturday, September 20, 2014 12:15:04 PM Simo Sorce wrote:
> > > [service/nfs-client]
> > >
> > >   mechs = krb5
> > >   cred_store = keytab:/etc/krb5.keytab
> > >   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> > >   cred_store = client_keytab:/etc/gssproxy/%U.keytab
> > >   cred_usage = initiate
> > >   allow_any_uid = yes
> > >   trusted = yes
> > >   euid = 0
> > 
> > You do not need allow_any_uid in your case as rpc.gssd always runs
> > as root.
> > 
> > You can also remove the keytab:/etc/krb5.keytab option as you are
> > only going to initiate with explicit client keytabs.
> > 
> > If you only have the apache keytab in /etc/gssproxy, then any
> > other user will fall back to local resolution.
> > 
> > You may also experiment with setting ccache to the default for your
> > system so that gss-proxy can find actual user's ccaches, though that
> > may comport some minor risk and will force you to run gss-proxy as
> > root.
> 
> Simo, Rob's [service/nfs-client] configuration looks identical to
> mine, which appears to be the default, at least in Fedora 20:
> 
> https://git.fedorahosted.org/cgit/gss-proxy.git/tree/proxy/examples/gssproxy.conf.in

Oh, it is, and I forgot why we put allow_any_uid in: it's because now
rpc.gssd drops privileges before checking ccaches ... doh, I had
forgotten.

I wonder if we should remove the keytab from the default configuration
though ...

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
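As an added illustration (editor's example, not a file from the thread or from the gss-proxy project), here is the quoted [service/nfs-client] section with the one suggestion that survives the exchange applied: the keytab:/etc/krb5.keytab line is dropped, since this service only initiates with explicit per-user client keytabs, while allow_any_uid stays, because rpc.gssd drops privileges before it looks up ccaches. The ccache and client_keytab paths are the ones quoted above; the /etc/gssproxy/apache.keytab filename and the mode/ownership comments are assumptions based on the "apache keytab" mentioned in the thread, not something the thread states.

```ini
# Added example: trimmed nfs-client section for /etc/gssproxy/gssproxy.conf
# (assumption: '#' comment lines are accepted by the config parser).
[service/nfs-client]
  mechs = krb5
  # Dropped from the quoted default: keytab:/etc/krb5.keytab
  # This service only initiates with explicit client keytabs, so the
  # host keytab is never needed for it.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  # %U expands to the calling uid; an explicit keytab is used only for
  # uids that have one here (e.g. the apache user), every other uid
  # falls back to local credential resolution.
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  # Kept on purpose: rpc.gssd drops privileges before checking ccaches,
  # so requests do not all arrive from uid 0.
  allow_any_uid = yes
  trusted = yes
  euid = 0
```

Before relying on the per-user keytab, confirm it holds only the principal that user should be able to initiate as, and that no other uid can read it; a read-only check is `klist -k /etc/gssproxy/apache.keytab` (the keytab filename here is the assumed one). Leaving the host keytab out of this section limits what a request arriving through the nfs-client service can initiate with to the explicit client keytabs, which is the point of Simo's suggestion.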

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
