On Sat, 20 Sep 2014 19:44:28 +0200
Rob Verduijn <rob.verdu...@gmail.com> wrote:

> Hi again,
> 
> Thank you for the quick response.
> I've removed the credstore entries that are not necessary for the nfs
> access.
> Now the users no longer go through gssproxy, but apache does.
> 
> I've googled around quite a bit and and it seems that your
> presentation on youtube and the gssproxy page together with a bit on
> the fedora site are about it concerning documentation.

We do not have a lot of docs yet, indeed.

> The below gssproxy.conf works fine for apache accessing  a kerberized
> nfs share without having to authenticate against ipa.
> 
> If I were to create another share for say an tftp directory do I need
> to create another entry like the one below or can I simply say :
> euid =  48,1,2,3,4

Nope, euid is singlevalued.

> Or maybe this if you won't mind that any service with a keytab gets
> nfs access.
> euid = %U

Setting %U in euid does not work, that's why we have allow_any_uid.

> Thanx for the quick help.

Glad you got it working to your liking, and feel free to ask questions
directly on the gss-proxy mailing list if you want.

Btw in the conf below you can also remove completely the allow_any_uid
(no is the default) and the trusted options (you should not really
trust apache to impersonate any user, w/o trusted it will just be
itself).

Simo.

> 
> [gssproxy]
> 
> [service/nfs-client]
>   mechs = krb5
>   cred_store = client_keytab:/etc/gssproxy/%U.keytab
>   cred_usage = initiate
>   allow_any_uid = no
>   trusted = yes
>   euid = 48
> 
> 
> 
> 2014-09-20 18:15 GMT+02:00 Simo Sorce <s...@redhat.com>:
> 
> > On Sat, 20 Sep 2014 16:53:48 +0200
> > Rob Verduijn <rob.verdu...@gmail.com> wrote:
> >
> > > Hello all,
> > >
> > > I've managed to get the gssproxy to work on my installation.
> > > I can now mount my apache document root using sec=krb5p and apache
> > > automagically mounts the share when needed.
> > >
> > > However I noticed that now all nfs credentials are going through
> > > gssproxy. Is there a way to disable this for regular users (or
> > > only enable it for apache)
> > >
> > > Below is the gssproxy.conf I used
> >
> > I assume you mean that gssproxy is used for all users when rpc.gssd
> > is used ? You cannot pick and choose this way, but gss-proxy can be
> > configured to user regular user's caches so that it preserve proper
> > authorization for access.
> >
> > > Cheers
> > > Rob
> > >
> > >
> > >
> > > [gssproxy]
> > >
> > > [service/nfs-client]
> > >   mechs = krb5
> > >   cred_store = keytab:/etc/krb5.keytab
> > >   cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> > >   cred_store = client_keytab:/etc/gssproxy/%U.keytab
> > >   cred_usage = initiate
> > >   allow_any_uid = yes
> > >   trusted = yes
> > >   euid = 0
> >
> > You do not need allow_any_uid in your case as rpc.gssd always runs
> > as root.
> >
> > You can also remove the keytab:/etc/krb5.keytab option as you are
> > only going to initiate with explicit client keytabs.
> >
> > If you only have the apache keytab in /etc/gssproxy then for any
> > other user will fall back to local resolution.
> >
> > You may also experiment with setting ccache to the default for your
> > system so that gss-proxy can find actual user's ccaches, though that
> > may comport some minor risk and will force you to run gss-proxy as
> > root.
> >
> >
> > HTH,
> > Simo.
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >



-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to