Hello all, I've managed to get the gssproxy to work on my installation. I can now mount my apache document root using sec=krb5p and apache automagically mounts the share when needed.
However I noticed that now all NFS credentials are going through gssproxy. Is there a way to disable this for regular users (or only enable it for apache)?

Below is the gssproxy.conf I used.

Cheers
Rob

[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

2014-09-17 9:15 GMT+02:00 Rob Verduijn <[email protected]>:
>
> 2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS <[email protected]>:
>
>> Also opened https://fedorahosted.org/freeipa/ticket/4544
>>
>> Tried to summarize this thread on that ticket.
>>
>> Back to the OP's concern, whenever I use NFS as a documentroot for apache
>> (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys,
>> set "all-squash", and specify the webserver's IP. It's not like individual
>> user accounts need a presence on the filesystem. Do you need encryption for
>> your application or is apache just going to spray the content out across
>> the commodity internet via un-encrypted http?
>>
>> Bryce
>
> Hello,
>
> I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys)
> It's not sensitive data and it's also internal, so it will do fine for now
> as a workaround.
>
> But there is going to be a situation that apache requires access to a
> document root containing sensitive data, in that case I would prefer a more
> secure method.
>
> I've been reading up a little on the gss-proxy, which would be the
> preferred way of obtaining the credentials from a keytab.
> Have gss-proxy do it or have gss-proxy use s4u2proxy to fetch the keytab?
> (which might also solve some of my ssh annoyances but that's a bit off
> topic)
>
> Rob Verduijn
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
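As an added illustration (not code from this thread or from the gssproxy project), the following Python script parses a gssproxy.conf like the one Rob posted, where cred_store legitimately repeats inside a section, and reports per service which effective uids the section admits and which credential stores are selected by the requesting user (the %U placeholder). That makes the behaviour Rob observed visible from the configuration alone: with allow_any_uid = yes and %U-templated stores, every local user's credential requests are handled by that service. The parsing rules (repeated keys, comment characters) and the meaning attached to euid and trusted follow my reading of gssproxy.conf(5) and are assumptions to check against the installed manual page; the embedded configuration is a constructed copy of the one in the mail.

```python
import re
from collections import defaultdict

# Constructed sample: the gssproxy.conf posted in the thread, reproduced inline
# so the script runs without touching /etc/gssproxy/gssproxy.conf.
SAMPLE_CONF = """\
[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_gssproxy_conf(text):
    """Parse INI-style text in which a key (notably cred_store) may repeat
    inside one section.  Returns {section_name: {key: [value, ...]}}.
    Assumption: '#' and ';' start comment lines; blank lines are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section: ignore it
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return {name: dict(kv) for name, kv in sections.items()}


def _last_bool(kv, key, default="no"):
    # Boolean options are single-valued; if one repeats, the last value wins here.
    return kv.get(key, [default])[-1].strip().lower() in ("yes", "true", "1")


def audit_services(conf):
    """Return {service_section: [finding, ...]} describing who may use each
    service and which credential stores are keyed on the requesting uid."""
    findings = {}
    for name, kv in conf.items():
        if not name.startswith("service/"):
            continue
        notes = []
        per_user_stores = [s for s in kv.get("cred_store", []) if "%U" in s]
        if _last_bool(kv, "allow_any_uid") and per_user_stores:
            notes.append(
                "allow_any_uid=yes with per-user (%U) cred_store entries: "
                "credential requests from every local uid are handled by this "
                "service (" + ", ".join(per_user_stores) + ")"
            )
        if "euid" in kv:
            # Assumption (gssproxy.conf(5)): only callers with this effective uid may use the service.
            notes.append("euid=" + kv["euid"][-1] + ": service restricted to callers with this effective uid")
        if _last_bool(kv, "trusted"):
            notes.append("trusted=yes is set; confirm this service really needs it")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    conf = parse_gssproxy_conf(SAMPLE_CONF)
    for service, notes in audit_services(conf).items():
        print(service)
        for note in notes:
            print("  -", note)
```

Run it against a real file by replacing SAMPLE_CONF with the contents of /etc/gssproxy/gssproxy.conf; a service section that is meant to serve one daemon only should not combine allow_any_uid = yes with %U-templated stores.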
