[Freeipa-users] Re: Apache HTTPD Service Account Override

2018-07-12 Thread Ryan Slominski via FreeIPA-users
Thanks Simo,

I've got this working now using PHP's shell_exec and a bash script that invokes 
curl directly (as opposed to using libcurl in PHP).  This allows me to clear 
the environment (unset GSS_USE_PROXY).

Here is the final solution for reference:

PHP script now looks like:



Shell script request.sh:

#!/bin/sh
body=$1
tmpfile=$(mktemp)
# Remove GSSPROXY: with GSS_USE_PROXY unset, kinit and curl use the private
# ccache below instead of the gssproxy-managed HTTP/ credentials Apache runs with
unset GSS_USE_PROXY
# mktemp already returns an absolute path, so no extra slash after FILE:
export KRB5CCNAME="FILE:$tmpfile"
kinit myservice/ipaserver.example.com -k -t /etc/myservice.keytab || { rm -f "$tmpfile"; exit 1; }
/usr/bin/curl -s -H referer:https://ipaserver.example.com/ipa -H \
"Content-Type:application/json" -H "Accept:application/json" --negotiate -u : \
--cacert /etc/ipa/ca.crt -d "$body" -X POST \
https://ipaserver.example.com/ipa/json
rm -f "$tmpfile"
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/WFH2RWOGCUPIS3GGD7JCH6KDT5HC7WAZ/


[Freeipa-users] Re: Apache HTTPD Service Account Override

2018-07-12 Thread Simo Sorce via FreeIPA-users
On Thu, 2018-07-12 at 12:02 +, Ryan Slominski via FreeIPA-users
wrote:
> Further investigation suggests this might have something to do with
> gssproxy.   I was expecting to find the HTTP keytab at
> /etc/httpd/conf/ipa.keytab, but now see it is in
> /var/lib/ipa/gssproxy.  This problem only occurs if the PHP script is
> executed by the apache user in the context of the HTTPD web
> server.  Executing the PHP script directly such as "sudo -u apache
> php test.php" works as expected (the myservice principal is used).
> Anyone know why apache user in HTTPD context goes with  HTTP service
> principal despite the script executing kinit with a different
> principal and setting environment variables to try to use the
> alternative principal?

You really shouldn't kinit as the Apache user on an IPA system, unless
you fork/exec and explicitly set KRB5CCNAME so it does not conflict
(and overwrites) the ccaches used by Apache.

In that case you may also want to disable the GSS_USE_PROXY env var in
your subprocess so that gssproxy is not invoked at all.

But in general, do not mess with kerberos and the apache user on an IPA
server is the takeaway.

Simo.
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IRSW5NI6HZYA2XIXDXGGI2HPGGTJZGY6/
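The pattern Simo describes above (fork/exec a child with its own KRB5CCNAME and with GSS_USE_PROXY removed), as an added example that is not part of this thread or of Ryan's script: a small POSIX shell wrapper that runs any command in a private credential cache, so a child may kinit as a different principal without reading or overwriting the gssproxy-managed cache Apache itself uses. The function names, the `--demo` switch, the constructed parent ccache path and the use of GNU `env -u` are my assumptions; kinit is deliberately not called, so the block runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs a command with a private
# Kerberos credential cache and without GSS_USE_PROXY, following Simo's
# advice: the child may kinit as any principal it likes, and Apache's own
# gssproxy-managed cache is never read or overwritten.
#
# Assumptions: GNU/busybox `env -u` is available; mktemp creates a 0600 file.

run_with_private_ccache() {
    # Private cache file (mode 0600). Nothing else references this path.
    ccfile=$(mktemp) || return 1

    # env -u removes GSS_USE_PROXY so libgssapi talks to the KDC directly
    # instead of asking gssproxy for Apache's HTTP/ credentials, and
    # KRB5CCNAME points the child at its own cache rather than Apache's.
    env -u GSS_USE_PROXY KRB5CCNAME="FILE:$ccfile" "$@"
    rc=$?

    # Clean up the cache (and any TGT inside it) regardless of outcome.
    rm -f "$ccfile"
    return $rc
}

# Demonstration helper: report what the child sees, as
# "<GSS_USE_PROXY or 'unset'>;<KRB5CCNAME>". kinit is not called, so this
# runs on any machine without a KDC.
child_view() {
    run_with_private_ccache sh -c \
        'printf "%s;%s\n" "${GSS_USE_PROXY-unset}" "$KRB5CCNAME"'
}

# Real use on an IPA client would look like this (not run here; keytab path
# and principal are placeholders, REQUEST_BODY is an exported variable):
#   run_with_private_ccache sh -c \
#     'kinit -k -t /path/to/myservice.keytab myservice/host.example.com &&
#      curl -s --negotiate -u : --cacert /etc/ipa/ca.crt \
#           -H "Content-Type:application/json" -d "$REQUEST_BODY" \
#           https://ipaserver.example.com/ipa/json'

if [ "${1-}" = "--demo" ]; then
    # Constructed parent environment, standing in for what Apache would have.
    export GSS_USE_PROXY=yes
    export KRB5CCNAME=FILE:/tmp/parent-ccache-constructed
    printf 'parent: GSS_USE_PROXY=%s KRB5CCNAME=%s\n' "$GSS_USE_PROXY" "$KRB5CCNAME"
    printf 'child : %s\n' "$(child_view)"
fi
```

Run it with `sh wrapper.sh --demo`: the child line reports GSS_USE_PROXY as unset and a KRB5CCNAME under /tmp that differs from the parent's, which is exactly the isolation Simo asks for. Because the cache file is removed when the child exits, a kinit inside the child leaves no long-lived ticket for the apache user on disk.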


[Freeipa-users] Re: Apache HTTPD Service Account Override

2018-07-12 Thread Ryan Slominski via FreeIPA-users
Further investigation suggests this might have something to do with gssproxy.   
I was expecting to find the HTTP keytab at /etc/httpd/conf/ipa.keytab, but now 
see it is in /var/lib/ipa/gssproxy.  This problem only occurs if the PHP script 
is executed by the apache user in the context of the HTTPD web server.  
Executing the PHP script directly such as "sudo -u apache php test.php" works 
as expected (the myservice principal is used). Anyone know why apache user in 
HTTPD context goes with  HTTP service principal despite the script executing 
kinit with a different principal and setting environment variables to try to 
use the alternative principal?
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/24SWXH67CRAGEMGCRTAPSOGIUH2IOBK3/