[Freeipa-users] Re: Apache HTTPD Service Account Override
Thanks Simo, I've got this working now using PHP's shell_exec and a bash script that invokes curl directly (as opposed to using libcurl in PHP). This allows me to clear the environment (unset GSS_USE_PROXY). Here is the final solution for reference:

PHP script now looks like:

Shell script request.sh:

#!/bin/sh
body=$1
tmpfile=$(mktemp) || exit 1
# Always remove the private ccache, even if kinit or curl fails
trap 'rm -f "$tmpfile"' EXIT
# Remove GSSPROXY from the environment so the subprocess does not go through
# gssproxy ("export -n" is bash-only; unset works under /bin/sh as well)
unset GSS_USE_PROXY
# Private ccache for this request; mktemp returns an absolute path, so no extra slash
export KRB5CCNAME=FILE:$tmpfile
kinit myservice/ipaserver.example.com -k -t /etc/myservice.keytab || exit 1
/usr/bin/curl -s -H referer:https://ipaserver.example.com/ipa \
    -H "Content-Type:application/json" -H "Accept:application/json" \
    --negotiate -u : --cacert /etc/ipa/ca.crt \
    -d "$body" -X POST https://ipaserver.example.com/ipa/json

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WFH2RWOGCUPIS3GGD7JCH6KDT5HC7WAZ/
[Freeipa-users] Re: Apache HTTPD Service Account Override
On Thu, 2018-07-12 at 12:02 +, Ryan Slominski via FreeIPA-users wrote:
> Further investigation suggests this might have something to do with
> gssproxy. I was expecting to find the HTTP keytab at
> /etc/httpd/conf/ipa.keytab, but now see it is in
> /var/lib/ipa/gssproxy. This problem only occurs if the PHP script is
> executed by the apache user in the context of the HTTPD web
> server. Executing the PHP script directly such as "sudo -u apache
> php test.php" works as expected (the myservice principal is used).
> Anyone know why apache user in HTTPD context goes with HTTP service
> principal despite the script executing kinit with a different
> principal and setting environment variables to try to use the
> alternative principal?

You really shouldn't kinit as the Apache user on an IPA system, unless you fork/exec and explicitly set KRB5CCNAME so it does not conflict with (and overwrite) the ccaches used by Apache. In that case you may also want to disable the GSS_USE_PROXY env var in your subprocess so that gssproxy is not invoked at all.

But in general, the takeaway is: do not mess with kerberos and the apache user on an IPA server.

Simo.

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IRSW5NI6HZYA2XIXDXGGI2HPGGTJZGY6/
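The pattern Simo describes (fork a subprocess, give it its own KRB5CCNAME, and drop GSS_USE_PROXY so gssproxy is never consulted), and the request.sh script posted at the top of the thread, written as reusable sh functions. This is an added example, not code from the thread or from FreeIPA. The principal, keytab path, server URL and the sample JSON-RPC body in the comment are assumptions; with_private_ccache runs anywhere, ipa_json_call needs a real IPA server.

```sh
#!/bin/sh
# Added example (not from the thread). Placeholders below are assumptions;
# override them through the environment.
: "${IPA_URL:=https://ipaserver.example.com}"
: "${IPA_PRINCIPAL:=myservice/ipaserver.example.com}"
: "${IPA_KEYTAB:=/etc/myservice.keytab}"
export IPA_URL IPA_PRINCIPAL IPA_KEYTAB

# Wipe and remove a private ccache. kdestroy overwrites the ticket data
# before unlinking when it is installed; rm covers the case where it is not.
_ccache_cleanup() {
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -c "FILE:$1" >/dev/null 2>&1 || true
    fi
    rm -f "$1"
}

# with_private_ccache CMD [ARG...]
# Runs CMD in a subshell whose environment has no GSS_USE_PROXY and whose
# KRB5CCNAME points at a fresh 0600 file created by mktemp. The parent
# shell's environment and Apache's own ccache are never touched, and the
# file is destroyed on exit whatever CMD returns (its status is passed up).
with_private_ccache() {
    (
        ccache=$(mktemp) || exit 1
        trap '_ccache_cleanup "$ccache"' EXIT
        trap 'exit 130' HUP INT TERM
        unset GSS_USE_PROXY
        KRB5CCNAME="FILE:$ccache"
        export KRB5CCNAME
        "$@"
    )
}

# ipa_json_call BODY
# Authenticates from the service keytab inside the private ccache and POSTs
# BODY to the IPA JSON-RPC endpoint. The body travels over stdin rather than
# argv, so it does not show up in "ps" while the request runs.
ipa_json_call() {
    printf '%s' "$1" | with_private_ccache sh -c '
        kinit -k -t "$IPA_KEYTAB" "$IPA_PRINCIPAL" || exit 1
        curl -sS --fail \
            -H "Referer: $IPA_URL/ipa" \
            -H "Content-Type: application/json" \
            -H "Accept: application/json" \
            --negotiate -u : --cacert /etc/ipa/ca.crt \
            -X POST --data-binary @- "$IPA_URL/ipa/json"
    '
}

# Send a request only when a body is given on the command line, e.g.
#   ./request.sh '{"method": "user_show", "params": [["admin"], {}], "id": 0}'
# (illustrative body; consult the IPA API docs for the exact method signature)
if [ $# -gt 0 ]; then
    ipa_json_call "$1"
fi
```

From PHP this is invoked the same way as the thread's script (shell_exec or proc_open with the body as the single argument); because the credential cache is created and destroyed inside the subshell, the HTTP ccache that gssproxy manages for Apache is never read or overwritten, and nothing Kerberos-related leaks back into the web-server process environment.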
[Freeipa-users] Re: Apache HTTPD Service Account Override
Further investigation suggests this might have something to do with gssproxy. I was expecting to find the HTTP keytab at /etc/httpd/conf/ipa.keytab, but now see it is in /var/lib/ipa/gssproxy. This problem only occurs if the PHP script is executed by the apache user in the context of the HTTPD web server. Executing the PHP script directly such as "sudo -u apache php test.php" works as expected (the myservice principal is used). Anyone know why apache user in HTTPD context goes with HTTP service principal despite the script executing kinit with a different principal and setting environment variables to try to use the alternative principal?

List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/24SWXH67CRAGEMGCRTAPSOGIUH2IOBK3/