[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Mon Sep 15 18:10:13 UTC 2014


Hi Rob,

How does the NFS server map the apache user to “something” it recognizes? I would suggest that the easiest solution may be to use an IPA account called “apache”, so that the mappings would just work, but currently I’m having trouble running a service as a domain user via systemd. (https://lists.fedorahosted.org/pipermail/sssd-users/2014-September/002194.html)

Beyond that, for kerberized NFS (local or domain user), you’ll need something to keep a fresh ticket on hand, so you may end up running something like k5start, and setting KRB5CCNAME in the environment where you’re running apache.

Bryce

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Rob Verduijn
Sent: Monday, September 15, 2014 9:17 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

Hello,

I've got a webserver whose default export is on a kerberized nfs4 export.


The export works fine for regular ipa users.

However the apache user is not allowed to read anything from the export.

What would be the best practice to allow the apache user access to the nfs4 export without switching to sec=sys?

Cheers
Rob
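
One way to set up the k5start plus KRB5CCNAME arrangement suggested in the reply above, as an added example that is not part of the original thread. It assumes a keytab already exists for the account apache maps to; the unit and drop-in names, the /usr/bin/k5start path, httpd.service as the web server unit, and the /tmp/krb5cc_<uid> cache location are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed/assumed names:
# k5start-apache.service, krb5ccname.conf, /usr/bin/k5start, httpd.service.
# Usage: render_units DESTDIR KEYTAB APACHE_UID   (prints the ccache path)
render_units() {
    dest=$1 keytab=$2 uid=$3
    # The uid must be numeric: the cache is named krb5cc_<uid> in /tmp
    # (assumption: rpc.gssd searches there, its traditional default).
    case $uid in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;; esac
    # A keytab is a long-term secret; refuse one with any group/other bits.
    [ -f "$keytab" ] || { echo "no keytab at $keytab" >&2; return 1; }
    if [ "$(ls -ld "$keytab" | cut -c5-10)" != "------" ]; then
        echo "keytab $keytab is accessible to group/other" >&2; return 1
    fi
    ccache="/tmp/krb5cc_${uid}"
    mkdir -p "$dest/httpd.service.d" || return 1
    # Unit 1: k5start stays in the foreground (-K), re-checks the ticket every
    # 30 minutes, and hands the cache to the apache uid (-o) with mode 600 (-m).
    cat > "$dest/k5start-apache.service" <<EOF
[Unit]
Description=Keep a Kerberos ticket fresh for apache on kerberized NFSv4
Before=httpd.service

[Service]
ExecStart=/usr/bin/k5start -f $keytab -U -K 30 -k $ccache -o $uid -m 600 -L
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
    # Unit 2: drop-in that points httpd at the same cache via KRB5CCNAME.
    cat > "$dest/httpd.service.d/krb5ccname.conf" <<EOF
[Unit]
Wants=k5start-apache.service
After=k5start-apache.service

[Service]
Environment=KRB5CCNAME=FILE:$ccache
EOF
    printf '%s\n' "$ccache"
}
```

Render into a scratch directory first, review the two files, then copy them under /etc/systemd/system and run `systemctl daemon-reload`.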




