On 09/26/2012 12:21 AM, James James wrote:
Hi, I don't know if this is the right place to ask this question but I
will try.
I have :
- a freeipa server + autofs maps
- a nfsv4 server
- a web server
from the webserver I can mount my nfs4 exported home dir. Everything
works well.
I want to access my public_html directory from the web server. From
my browser, when I try to reach http://myweserver/~user, I've got 403
Forbidden and the logs give me:
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>'
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
Apache user id is 48.
Thanks for any help.
James
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Are you using nfs4 + krb5 as auth for your home directories?
If so, what it's telling you is that it's unable to retrieve kerberos
credentials for the apache user (uid 48). I believe you have to create a
user account for apache in IPA, initiate credentials for this user (and
renew them when they expire), and set the KRB5CCNAME environment
variable to point to the credentials cache in the startup script for
httpd. A cronjob or similar would be required to keep renewing the
credentials; I have not looked into this myself yet so I cannot give
exact feedback for this.
Make sure the IPA user account that you provide credentials for has
access to read the user's public_html directory and list the user's home
directory.
Let me know how you get on. I haven't tested this myself yet but it's
been on my mind.
Regards,
Siggi
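The approach Siggi outlines (a dedicated IPA account for httpd, a credential cache owned by the apache uid, periodic renewal) together with the ownership test that fails in James's log ("CC file '/tmp/krb5cc_0' owned by 0, not 48"), as an added shell example that is not code from either message in this thread. The principal name apache-nfs@EXAMPLE.COM, the keytab path /etc/httpd/apache-nfs.keytab, the cache path /tmp/krb5cc_48 and the uid 48 default are assumptions for illustration; only the cache directory /tmp and uid 48 come from the log.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a Kerberos credential cache
# for the Apache service account fresh so that rpc.gssd, which only accepts a
# cache owned by the requesting uid (48 in the log above), can find one.
# Every name below is an assumption for the example; adapt it to your site:
#   APACHE_PRINC   the IPA user principal created for httpd's NFS access
#   APACHE_KEYTAB  its keytab (from ipa-getkeytab), root-only, mode 0600
#   APACHE_CCACHE  a cache in the directory rpc.gssd searches (/tmp in the log)
APACHE_UID="${APACHE_UID:-48}"
APACHE_PRINC="${APACHE_PRINC:-apache-nfs@EXAMPLE.COM}"
APACHE_KEYTAB="${APACHE_KEYTAB:-/etc/httpd/apache-nfs.keytab}"
APACHE_CCACHE="${APACHE_CCACHE:-/tmp/krb5cc_48}"

# Numeric owner uid of a file, using only POSIX tools (ls -ln, column 3).
file_owner_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{print $3}'
}

# Succeeds when the cache file exists and belongs to the given uid, which is
# the test rpc.gssd applies before using a cache ("owned by 0, not 48").
ccache_owned_by() {
    _file=$1; _uid=$2
    [ -f "$_file" ] && [ "$(file_owner_uid "$_file")" = "$_uid" ]
}

# Mimic rpc.gssd's search: print the first krb5cc_* file in the directory
# that is owned by the uid; fail (status 1) when there is none, as in the log.
find_ccache_for_uid() {
    _dir=$1; _uid=$2
    for _f in "$_dir"/krb5cc_*; do
        if ccache_owned_by "$_f" "$_uid"; then
            printf '%s\n' "$_f"
            return 0
        fi
    done
    return 1
}

# Argument list for the kinit that refreshes the cache from the keytab,
# printed one per line so it can be inspected without running kinit.
kinit_args() {
    printf '%s\n' -k -t "$APACHE_KEYTAB" -c "$APACHE_CCACHE" "$APACHE_PRINC"
}

# Obtain fresh credentials as root, then hand the cache to the apache uid.
# Run from cron (or a systemd timer) more often than the ticket lifetime.
renew_apache_ccache() {
    umask 077
    kinit -k -t "$APACHE_KEYTAB" -c "$APACHE_CCACHE" "$APACHE_PRINC" || return 1
    chown "$APACHE_UID" "$APACHE_CCACHE" || return 1
    chmod 600 "$APACHE_CCACHE"
}

# Only act when invoked with "renew" or "check"; with no argument the script
# just defines the functions above, so it can be sourced and tested.
case "${1:-}" in
    renew) renew_apache_ccache ;;
    check) find_ccache_for_uid "$(dirname "$APACHE_CCACHE")" "$APACHE_UID" ;;
esac
```

Saved as /usr/local/sbin/renew-apache-ccache.sh (an assumed path), a root crontab entry such as `*/30 * * * * /usr/local/sbin/renew-apache-ccache.sh renew` keeps the cache current, and `renew-apache-ccache.sh check` prints the cache rpc.gssd would pick for uid 48 or exits 1 when, as in James's log, every candidate belongs to someone else. Because rpc.gssd locates the cache by scanning its cache directory for a file owned by the uid, the cache's location and ownership are what make the NFS mount work; the KRB5CCNAME setting Siggi mentions matters for processes that call Kerberos directly.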