[Freeipa-users] Apache, autofs and userdir

Sigbjorn Lie sigbjorn at nixtra.com
Tue Sep 25 22:40:06 UTC 2012


On 09/26/2012 12:21 AM, James James wrote:
> Hi, I don't know if this is the right place to ask this question but I 
> will try.
>
> I have:
>
> - a freeipa server + autofs maps
> - a nfsv4 server
> - a web server
>
> from the webserver I can mount my nfs4 exported home dir. Everything 
> works well.
>
> I want to access my public_html directory from the web server. From 
> my browser, when I try to reach http://myweserver/~user, I've got 
> 403 Forbidden and the logs give me:
>
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
> Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnte2)
> Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is '<null>'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client with uid 48 for server nfs-server.example.com
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'EXAMPLE.COM'
> Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by 0, not 48
> Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5 context for user with uid 48 for server nfs-server.example.com
>
>
> Apache user id is 48.
>
> Thanks for any help.
>
> James
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


Are you using nfs4 + krb5 as auth for your home directories?

If so, what it's telling you is that it's unable to retrieve kerberos 
credentials for the apache user (uid 48). I believe you have to create a 
user account for apache in IPA, initiate credentials for this user (and 
renew them when they expire), and set the KRB5CCNAME environment 
variable to point to the credentials cache in the startup script for 
httpd. A cronjob or similar would be required to keep renewing the 
credentials. I have not looked into this myself yet, so I cannot give 
exact feedback for this.

Make sure the IPA user account that you provide credentials for has 
access to read the user's public_html directory and list the user's home 
directory.

Let me know how you get on. I haven't tested this myself yet but it's 
been on my mind.


Regards,
Siggi
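One way to script the credential step Siggi describes, added here as an example that is not part of the thread and not tested by either poster: it assumes the apache IPA account has a keytab at /etc/httpd/apache.keytab (a keytab kinit in place of a password kinit), the principal name apache@EXAMPLE.COM, and the realm EXAMPLE.COM from the posted log. The cache name follows what rpc.gssd logged above: it scans /tmp for krb5cc_* files and accepts only one owned by the requesting uid.

```shell
#!/bin/sh
# Added example: obtain or renew a Kerberos ticket for the apache user
# (uid 48) so rpc.gssd finds a credential cache owned by uid 48 when
# httpd reads a krb5-secured NFSv4 home directory (public_html).
# Assumed values, not from the thread: keytab path and principal name.

APACHE_UID=48
APACHE_PRINC="apache@EXAMPLE.COM"        # assumed IPA user for httpd
APACHE_KEYTAB="/etc/httpd/apache.keytab"  # assumed keytab for that user

# rpc.gssd considers /tmp/krb5cc_* and checks the file owner against the
# upcall uid, so use that prefix and run this script as the apache user.
ccache_for_uid() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# Mirror gssd's check ("CC file '...' owned by 797200160, not 48"):
# succeed only if the cache exists and is owned by the wanted uid.
ccache_owner_ok() {
    path="$1"; want_uid="$2"
    [ -f "$path" ] || return 1
    have_uid=$(stat -c %u "$path" 2>/dev/null) \
        || have_uid=$(stat -f %u "$path" 2>/dev/null) || return 1
    [ "$have_uid" = "$want_uid" ]
}

# Fetch a fresh TGT from the keytab (no interactive password, so it is
# safe to run from cron) into the cache gssd will look at.
renew_apache_ticket() {
    cc=$(ccache_for_uid "$APACHE_UID")
    kinit -k -t "$APACHE_KEYTAB" -c "FILE:$cc" "$APACHE_PRINC" || return 1
    ccache_owner_ok "$cc" "$APACHE_UID"
}
```

Run renew_apache_ticket from a cron entry as the apache user at an interval shorter than the ticket lifetime, and point httpd at the same cache by exporting KRB5CCNAME=FILE:/tmp/krb5cc_48 in its startup environment.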
