On Sat, 20 Sep 2014 16:53:48 +0200 Rob Verduijn <[email protected]> wrote:
> Hello all,
>
> I've managed to get the gssproxy to work on my installation.
> I can now mount my apache document root using sec=krb5p and apache
> automagically mounts the share when needed.
>
> However I noticed that now all nfs credentials are going through
> gssproxy. Is there a way to disable this for regular users (or only
> enable it for apache)?
>
> Below is the gssproxy.conf I used

I assume you mean that gssproxy is used for all users when rpc.gssd is used?

You cannot pick and choose this way, but gss-proxy can be configured to use regular users' caches so that it preserves proper authorization for access.

> Cheers
> Rob
>
>
>
> [gssproxy]
>
> [service/nfs-client]
> mechs = krb5
> cred_store = keytab:/etc/krb5.keytab
> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> cred_store = client_keytab:/etc/gssproxy/%U.keytab
> cred_usage = initiate
> allow_any_uid = yes
> trusted = yes
> euid = 0

You do not need allow_any_uid in your case as rpc.gssd always runs as root.

You can also remove the keytab:/etc/krb5.keytab option as you are only going to initiate with explicit client keytabs. If you only have the apache keytab in /etc/gssproxy then any other user will fall back to local resolution.

You may also experiment with setting ccache to the default for your system so that gss-proxy can find actual users' ccaches, though that may carry some minor risk and will force you to run gss-proxy as root.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
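The trimmed [service/nfs-client] section that Simo describes, written out as an added example (this is not Rob's posted file nor anything shipped by the gssproxy project). It keeps only the options from the thread, drops the two Simo says are unnecessary, and carries the optional "default ccache" variant as a commented-out line. It assumes apache's keytab is the only file in /etc/gssproxy and that the system default credential cache is FILE:/tmp/krb5cc_%U; both are assumptions, not facts stated in the thread.

```ini
# /etc/gssproxy/gssproxy.conf  --  added example, not the config from the thread
#
# %U in a cred_store path is substituted by gss-proxy with the numeric uid of
# the user the request is for. With "trusted = yes" and "euid = 0", requests
# arriving from rpc.gssd (which runs as root) are trusted to name that uid.

[gssproxy]

[service/nfs-client]
  mechs = krb5

  # Dropped from the posted config: "cred_store = keytab:/etc/krb5.keytab".
  # Only explicit per-user client keytabs initiate here, so the host keytab
  # is never used for this service.

  # Per-uid credential cache owned by gss-proxy. Nothing outside gss-proxy
  # needs to read these.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U

  # Per-uid client keytab. Assumption: only apache's keytab exists here,
  # e.g. /etc/gssproxy/48.keytab if apache's uid is 48 (distribution-specific).
  # A uid with no matching file gets no keytab from gss-proxy and falls back
  # to local credential resolution, which is the behaviour Rob asked for.
  cred_store = client_keytab:/etc/gssproxy/%U.keytab

  # Optional variant Simo mentions: point gss-proxy at the users' own default
  # caches instead. Assumption: the default is FILE:/tmp/krb5cc_%U on this
  # system. Enabling this means gss-proxy must run as root to read every
  # user's cache, which is the "minor risk" noted in the reply.
  # cred_store = ccache:FILE:/tmp/krb5cc_%U

  cred_usage = initiate

  # Dropped from the posted config: "allow_any_uid = yes".
  # rpc.gssd always connects as root, so no other uid ever needs this service.

  trusted = yes
  euid = 0
```

A quick check after restarting gss-proxy: a mount with sec=krb5p triggered by apache should populate /var/lib/gssproxy/clients/krb5cc_<apache uid>, while a regular user's mount attempt should still require that user's own Kerberos ticket, since there is no /etc/gssproxy/<uid>.keytab for them.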
