On Sat, 20 Sep 2014 11:38:16 -0500
Anthony Messina <amess...@messinet.com> wrote:
> On Saturday, September 20, 2014 12:15:04 PM Simo Sorce wrote:
> > > [service/nfs-client]
> > >
> > > mechs = krb5
> > > cred_store = keytab:/etc/krb5.keytab
> > > cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> > > cred_store = client_keytab:/etc/gssproxy/%U.keytab
> > > cred_usage = initiate
> > > allow_any_uid = yes
> > > trusted = yes
> > > euid = 0
> > You do not need allow_any_uid in your case as rpc.gssd always runs
> > as root.
> > You can also remove the keytab:/etc/krb5.keytab option as you are
> > only going to initiate with explicit client keytabs.
> > If you only have the apache keytab in /etc/gssproxy then any
> > other user will fall back to local resolution.
> > You may also experiment with setting ccache to the default for your
> > system so that gss-proxy can find actual user's ccaches, though that
> > may carry some minor risk and will force you to run gss-proxy as
> > root.
> Simo, Rob's [service/nfs-client] configuration looks identical to
> mine, which appears to be the default, at least in Fedora 20:
Oh it is and I forgot why we put allow_any_uid in, it's because now
rpc.gssd drops privileges before checking ccaches ... doh, I had
I wonder if we should remove the keytab from the default configuration
Simo Sorce * Red Hat, Inc * New York
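An added example (not part of this thread or of gssproxy itself) that parses the [service/nfs-client] section quoted above and reports the two points discussed: the redundant keytab: store when only client keytabs initiate, and allow_any_uid being required because rpc.gssd drops privileges. It assumes %U expands to the numeric uid, matching the krb5cc_%U and %U.keytab paths in the config.

```python
from collections import defaultdict

# Constructed sample: the Fedora 20 default section quoted in the thread.
SAMPLE_CONF = """\
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/etc/gssproxy/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
"""

def parse_gssproxy(text):
    """Minimal INI-style parser that keeps repeated keys (cred_store) as
    lists; configparser would reject or collapse the duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = defaultdict(list)
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections

def lint_nfs_client(section):
    """Findings for [service/nfs-client], following the two points above."""
    findings = []
    # cred_store values are 'type:spec'; collect the types present.
    types = {v.split(":", 1)[0] for v in section.get("cred_store", [])}
    if section.get("cred_usage") == ["initiate"] and {"keytab", "client_keytab"} <= types:
        findings.append("keytab: store is redundant when only client keytabs initiate")
    if section.get("allow_any_uid") != ["yes"]:
        findings.append("allow_any_uid = yes needed: rpc.gssd drops privileges before checking ccaches")
    return findings

def expand_uid(spec, uid):
    """Resolve %U in a cred_store spec for a numeric uid (assumed expansion,
    matching the krb5cc_%U / %U.keytab paths in the thread)."""
    return spec.replace("%U", str(uid))
```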
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project