On Sat, 20 Sep 2014 11:38:16 -0500 Anthony Messina <[email protected]> wrote:
> On Saturday, September 20, 2014 12:15:04 PM Simo Sorce wrote:
> > > [service/nfs-client]
> > >
> > > mechs = krb5
> > > cred_store = keytab:/etc/krb5.keytab
> > > cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
> > > cred_store = client_keytab:/etc/gssproxy/%U.keytab
> > > cred_usage = initiate
> > > allow_any_uid = yes
> > > trusted = yes
> > > euid = 0
> >
> > You do not need allow_any_uid in your case as rpc.gssd always runs
> > as root.
> >
> > You can also remove the keytab:/etc/krb5.keytab option as you are
> > only going to initiate with explicit client keytabs.
> >
> > If you only have the apache keytab in /etc/gssproxy then for any
> > other user will fall back to local resolution.
> >
> > You may also experiment with setting ccache to the default for your
> > system so that gss-proxy can find actual user's ccaches, though that
> > may comport some minor risk and will force you to run gss-proxy as
> > root.
>
> Simo, Rob's [service/nfs-client] configuration looks identical to
> mine, which appears to be the default, at least in Fedora 20:
>
> https://git.fedorahosted.org/cgit/gss-proxy.git/tree/proxy/examples/gssproxy.conf.in

Oh it is and I forgot why we put allow_any_uid in, it's because now
rpc.gssd drops privileges before checking ccaches ... doh, I had
forgotten.

I wonder if we should remove the keytab from the default configuration
though ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
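As an added example that is not part of the thread or of the gss-proxy project: a small Python check that reads a gssproxy.conf and, for each initiate-only service that already lists a client_keytab cred_store, reports any host keytab: cred_store of the kind Simo says is unnecessary there. The parser is a simplified one that assumes the `key = value` form used in the quoted section, and the sample configuration is constructed to mirror the [service/nfs-client] section above.

```python
def parse_gssproxy_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as
    cred_store in order (configparser would keep only the last one)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def cred_stores(entries, kind):
    """All cred_store values of one kind, e.g. 'keytab' or 'client_keytab'."""
    return [v for k, v in entries if k == "cred_store" and v.startswith(kind + ":")]

def redundant_host_keytabs(conf_text):
    """(section, cred_store) pairs where a host keytab: store is unnecessary:
    the service only initiates and already resolves per-user client keytabs."""
    findings = []
    for name, entries in parse_gssproxy_conf(conf_text).items():
        if not name.startswith("service/"):
            continue
        opts = {k: v for k, v in entries if k != "cred_store"}
        if opts.get("cred_usage") != "initiate" or not cred_stores(entries, "client_keytab"):
            continue
        findings.extend((name, kt) for kt in cred_stores(entries, "keytab"))
    return findings

# Constructed sample: the [service/nfs-client] section from the thread plus an
# accept-side service that legitimately needs the host keytab (not flagged).
SAMPLE_CONF = """\
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

[service/nfs-server]
  cred_store = keytab:/etc/krb5.keytab
  cred_usage = accept
"""
```

Running `redundant_host_keytabs(SAMPLE_CONF)` reports only the nfs-client keytab entry; the nfs-server section is left alone because an acceptor needs the host keytab.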
