Re: [Freeipa-users] Apache, autofs and userdir

2012-09-26 Thread James James
Thanks, I'll try that and will give you feedback as soon as possible.



2012/9/26 Anthony Messina 

> On Wednesday, September 26, 2012 12:21:14 AM James James wrote:
> > I have:
> >
> > - a freeipa server + autofs maps
> > - a nfsv4 server
> > - a web server
> >
> > from the webserver I can mount my nfs4 exported home dir. Everything
> > works well.
> >
> > I want to access my public_html directory from the web server. From my
> > browser, when I try to reach http://myweserver/~user, I've got 403
> > Forbidden and the logs give me:
> >
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is ''
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
> > Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> >
> >
> > Apache user id is 48.
>
> You don't say what system you're using, but for Fedora 16 and 17 (with
> systemd), you can use something like the following in
> /etc/systemd/system/httpd.service:
>
> .include /usr/lib/systemd/system/httpd.service
> [Unit]
> Requires=network.target
> After=network.target
>
> [Service]
> Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
> Environment=KRB5CCNAME=/tmp/krb5cc_48
> ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; /usr/bin/chown apache:apache ${KRB5CCNAME} ; /usr/bin/chcon -t user_tmp_t ${KRB5CCNAME}
> PrivateTmp=false
>
> And you'll need to add a cron job similar to:
> 5 */8 * * * apache  /usr/bin/kinit -R ; chcon -t user_tmp_t /tmp/krb5cc_48
>
> Of course, this may all change when Fedora 18 comes out with its shiny new
> way of handling credentials.
>
>
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Apache, autofs and userdir

2012-09-26 Thread Anthony Messina
On Wednesday, September 26, 2012 12:21:14 AM James James wrote:
> I have:
>
> - a freeipa server + autofs maps
> - a nfsv4 server
> - a web server
>
> from the webserver I can mount my nfs4 exported home dir. Everything
> works well.
>
> I want to access my public_html directory from the web server. From my
> browser, when I try to reach http://myweserver/~user, I've got 403
> Forbidden and the logs give me:
>
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is ''
> Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
>
>
> Apache user id is 48.

You don't say what system you're using, but for Fedora 16 and 17 (with
systemd), you can use something like the following in
/etc/systemd/system/httpd.service:

.include /usr/lib/systemd/system/httpd.service
[Unit]
Requires=network.target
After=network.target

[Service]
Environment=KRB5_KTNAME=/etc/httpd/conf/apache.keytab
Environment=KRB5CCNAME=/tmp/krb5cc_48
ExecStartPre=/usr/bin/kinit -r 604800s -k -t ${KRB5_KTNAME} apache ; /usr/bin/chown apache:apache ${KRB5CCNAME} ; /usr/bin/chcon -t user_tmp_t ${KRB5CCNAME}
PrivateTmp=false

And you'll need to add a cron job similar to:
5 */8 * * * apache  /usr/bin/kinit -R ; chcon -t user_tmp_t /tmp/krb5cc_48

Of course, this may all change when Fedora 18 comes out with its shiny new
way of handling credentials.


-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E



Re: [Freeipa-users] Apache, autofs and userdir

2012-09-25 Thread Sigbjorn Lie

On 09/26/2012 12:21 AM, James James wrote:
> Hi, I don't know if this is the right place to ask this question but I
> will try.
>
> I have:
>
> - a freeipa server + autofs maps
> - a nfsv4 server
> - a web server
>
> from the webserver I can mount my nfs4 exported home dir. Everything
> works well.
>
> I want to access my public_html directory from the web server. From
> my browser, when I try to reach http://myweserver/~user, I've got 403
> Forbidden and the logs give me:
>
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is ''
> Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
>
>
> Apache user id is 48.
>
> Thanks for any help.
>
> James



Are you using nfs4 + krb5 as auth for your home directories?

If so, what it's telling you is that it's unable to retrieve Kerberos 
credentials for the apache user (uid 48). I believe you have to create a 
user account for apache in IPA, initiate credentials for this user (and 
renew them when they expire), and set the KRB5CCNAME environment 
variable to point to the credentials cache in the startup script for 
httpd. A cronjob or similar would be required to keep renewing the 
credentials. I have not looked into this myself yet so I cannot give 
exact feedback for this.


Make sure the IPA user account that you provide credentials for has 
access to read the user's public_html directory and list the user's home 
directory.


Let me know how you get on. I haven't tested this myself yet but it's 
been on my mind.



Regards,
Siggi

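The steps Siggi lists above (an identity for apache, a credential cache the NFS client will accept, and periodic renewal) are the ones Anthony's unit file and cron line implement in the earlier reply. The script below is an added example and is not code from either message or from FreeIPA. Its first half reproduces, on a constructed scratch directory, the ownership test visible in the rpc.gssd log ("CC file '/tmp/krb5cc_0' owned by 0, not 48"): rpc.gssd does not inherit httpd's KRB5CCNAME, it walks the krb5cc_* files in /tmp and only accepts one owned by the requesting uid, which is why the cache has to land in /tmp and be chowned to apache. The second half wraps the kinit/chown/chcon sequence and the cron renewal in functions. The keytab path, principal name apache, cache path /tmp/krb5cc_48 and the 604800s lifetime are taken from Anthony's unit; everything else (function names, the scratch directory, the fallback to a fresh kinit when renewal fails) is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA).  Two halves:
#  1. find_ccache_for_uid reproduces the test rpc.gssd applies while it walks
#     /tmp/krb5cc_* ("CC file ... owned by 797200160, not 48"): only a cache
#     owned by the requesting uid qualifies.  rpc.gssd also compares realm and
#     expiry; only the ownership test is reproduced here.
#  2. provision_ccache / renew_ccache wrap the ExecStartPre and cron steps from
#     Anthony's unit file.  Defaults assumed from that unit: keytab
#     /etc/httpd/conf/apache.keytab, principal "apache", cache /tmp/krb5cc_48,
#     renewable lifetime 604800s.

# Owner uid of a file: GNU stat first, BSD stat as fallback.
file_owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# ccache_usable_for_uid FILE UID: 0 when FILE is a regular file owned by UID.
ccache_usable_for_uid() {
    [ -f "$1" ] || return 1
    [ "$(file_owner_uid "$1")" = "$2" ]
}

# find_ccache_for_uid DIR UID: print the first DIR/krb5cc_* cache owned by
# UID, report the rejects on stderr the way rpc.gssd does, return 1 if none.
find_ccache_for_uid() {
    for f in "$1"/krb5cc_*; do
        [ -e "$f" ] || continue                  # glob matched nothing
        if ccache_usable_for_uid "$f" "$2"; then
            printf '%s\n' "$f"
            return 0
        fi
        printf 'CC file %s owned by %s, not %s\n' \
            "$f" "$(file_owner_uid "$f")" "$2" >&2
    done
    return 1
}

# relabel_ccache FILE: the chcon step, skipped on hosts without SELinux tools.
relabel_ccache() {
    if command -v chcon >/dev/null 2>&1; then
        chcon -t user_tmp_t "$1"
    fi
}

# provision_ccache KEYTAB PRINCIPAL CCACHE USER [LIFETIME]
# The ExecStartPre sequence: renewable TGT from the keytab into CCACHE, then
# hand the file to USER so rpc.gssd's ownership test passes.  Needs root (or
# USER itself with read access to the keytab); the self-check never calls it.
provision_ccache() {
    keytab=$1; princ=$2; cc=$3; user=$4; life=${5:-604800s}
    KRB5CCNAME="$cc" kinit -r "$life" -k -t "$keytab" "$princ" || return 1
    chown "$user:$user" "$cc" || return 1
    relabel_ccache "$cc"
}

# renew_ccache KEYTAB PRINCIPAL CCACHE USER
# The cron body.  "kinit -R" only works while the renewable lifetime lasts;
# when it fails, fall back to a fresh keytab kinit instead of leaving a dead
# cache behind (the cron line in the thread does not do this).
renew_ccache() {
    if KRB5CCNAME="$3" kinit -R; then
        relabel_ccache "$3"
    else
        provision_ccache "$1" "$2" "$3" "$4"
    fi
}

# Self-check on constructed input: a scratch directory standing in for /tmp
# with two empty caches, both owned by whoever runs this script.  A uid one
# above ours stands in for the apache uid that owns nothing yet.
demo_dir=$(mktemp -d)
: > "$demo_dir/krb5cc_0"
: > "$demo_dir/krb5cc_48"
me=$(id -u)
other=$((me + 1))
echo "usable cache for uid $me: $(find_ccache_for_uid "$demo_dir" "$me")"
find_ccache_for_uid "$demo_dir" "$other" >/dev/null \
    || echo "no usable cache for uid $other (run provision_ccache as root first)"
rm -rf "$demo_dir"
```

Run as an unprivileged user it only exercises the lookup on the scratch directory; provision_ccache and renew_ccache are meant for the ExecStartPre line and the cron entry respectively. Two caveats match the unit in the thread: the cache must be in the /tmp that rpc.gssd sees, so PrivateTmp=false stays in the unit (with PrivateTmp=yes httpd and its ExecStartPre would get a private /tmp that rpc.gssd never scans), and the renewal window is bounded by the -r lifetime, after which only a new keytab kinit helps.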

[Freeipa-users] Apache, autofs and userdir

2012-09-25 Thread James James
Hi, I don't know if this is the right place to ask this question but I will
try.

I have:

- a freeipa server + autofs maps
- a nfsv4 server
- a web server

from the webserver I can mount my nfs4 exported home dir. Everything works
well.

I want to access my public_html directory from the web server. From my
browser, when I try to reach http://myweserver/~user, I've got 403
Forbidden and the logs give me:

Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is ''
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com


Apache user id is 48.

Thanks for any help.

James