Hi there,

I'm trying to make Apache access a kerberized document root on CentOS 7 using gssproxy. So far without success. On the web server machine (=NFS client) I configured a gss-proxy config file:

# cat /etc/gssproxy/99-nfs-client.conf
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

In addition to this I set up a credentials cache /var/lib/gssproxy/clients/krb5cc_<httpd uid>

The Apache user is managed using FreeIPA and is a member of the exported directory's group that shall be used as document root, hence it should have access permissions to the directory and kinit for "apache" shows no ticket.

However, when I "su -s /bin/bash apache" and try to access the NFS-mounted directory, I get permission denied (even with SELinux temporarily disabled).

Right now, I do not see how I can proceed and there's not much meat on the Google-bone for this specific topic. Can someone here point me in the right direction?

  * Is the config outlined the correct way to achieve what I want to do?
  * Is there a way to debug the issue I'm currently facing?

Best,
Ray
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org