Hello Simo,
I have added cred_usage = initiate
[service/apache]
# gssproxy service entry for the local httpd. The debug log below reports
# "Connection matched service apache" and runs GSSX_ACQUIRE_CRED for
# service "apache" with euid 48, so this is the section that applies.
mechs = krb5
# Credential cache gssproxy is expected to populate for this service.
# NOTE(review): the thread reports this file is never created; confirm
# that /var/lib/gssproxy/clients exists and is writable by the gssproxy
# process before looking further.
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_48
# Keytab used to initiate (obtain a TGT) on the service's behalf; it was
# extracted with ipa-getkeytab for apache@MYDOMAIN.FR. httpd itself should
# not need read access to it, so keep it root-owned and mode 0600.
# NOTE(review): the ACQUIRE_CRED request in the log names
# "HTTP/host.xxxxxx.yyyyyyyy.fr@...", not apache@...; confirm the name the
# caller asks for is present in this keytab.
# NOTE(review): at startup the log lists this service with
# "Keytab: FILE:/etc/krb5.keytab", i.e. no keytab: store is configured and
# only this client_keytab is given; presumably fine for initiate-only, verify.
# Repeating cred_store is intentional: gssproxy accepts the key several times.
cred_store = client_keytab:/etc/gssproxy/httpd.keytab
# Effective uid of the client this section applies to (httpd runs as 48;
# the log shows the connecting peer with uid = 48, gid = 48).
euid = 48
# Credentials are acquired for initiating only (added on Simo's
# suggestion); the logged request carries cred_usage: INITIATE.
cred_usage = initiate
I think we have correct permissions on ~/www/index.html
$ nfs4_getfacl ~
# file: ~ #### on NFS SHARE
A::OWNER@:rwaDxtTcCy
A::apache@xxxxxx.yyyyyyyy.fr:xtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
755 on www and 644 on index.html
LOGS = LOGS = LOGS
PART I
I have stopped gssproxy.service and started `# /usr/sbin/gssproxy -i --debug-level 9`
# /usr/sbin/gssproxy -i --debug-level 9
[2020/10/24 19:43:55]: Debug Enabled (level: 9)
[2020/10/24 19:43:55]: Service: nfs-server, Keytab: /etc/krb5.keytab,
Enctype: 18
[2020/10/24 19:43:55]: Service: apache, Keytab: FILE:/etc/krb5.keytab,
Enctype: 18
[2020/10/24 19:43:55]: Service: nfs-client, Keytab: /etc/krb5.keytab,
Enctype: 18
[2020/10/24 19:43:55]: Failed to get peer's SELinux context
(92:Protocole non disponible) ##### we are not using SELINUX
[2020/10/24 19:43:55]: Client [2020/10/24 19:43:55]:
(/usr/sbin/gssproxy) [2020/10/24 19:43:55]: connected (fd =
13)[2020/10/24 19:43:55]: (pid = 6808) (uid = 0) (gid = 0)[2020/10/24
19:43:55]:
PART II
If I try http://localhost/~userx/, which terminates with "Forbidden: You
don't have permission to access this resource", I get some more logs:
[2020/10/24 19:46:35]: Failed to get peer's SELinux context
(92:Protocole non disponible) ##### we are not using SELINUX
[2020/10/24 19:46:35]: Client [2020/10/24 19:46:35]:
(/usr/sbin/rpc.gssd) [2020/10/24 19:46:35]: connected (fd =
14)[2020/10/24 19:46:35]: (pid = 915) (uid = 48) (gid = 48)[2020/10/24
19:46:35]:
[CID 14][2020/10/24 19:46:35]: [status] Handling query input:
0x56032c4c42d0 (932)
[CID 14][2020/10/24 19:46:35]: Connection matched service apache
[CID 14][2020/10/24 19:46:35]: [status] Processing request
[0x56032c4c42d0 (932)]
[CID 14][2020/10/24 19:46:35]: [status] Executing request 6
(GSSX_ACQUIRE_CRED) from [0x56032c4c42d0 (932)]
[CID 14][2020/10/24 19:46:35]: gp_rpc_execute: executing 6
(GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { {
"HTTP/host.xxxxxx.yyyyyyyy.fr(a)XXXXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2
1 } [
410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652
] [
420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000
] [ ] } [ { { "HTTP/host.xxxxxx.yyyyyyyy.fr(a)XXXXXX.YYYYYYYY.FR" { 1 2
840 113554 1 2 2 1 } [
410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652
] [
420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000
] [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ] [
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
fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8
] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295
desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE
initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 }
100001 "Unspecified GSS failure. Minor code may provide more
information" "Succès" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/24 19:46:35]: [status] Returned buffer 6
(GSSX_ACQUIRE_CRED) from [0x56032c4c42d0 (932)]: [0x7f0800001340 (156)]
[CID 14][2020/10/24 19:46:35]: [status] Handling query output:
0x7f0800001340 (156)
[2020/10/24 19:46:35]: [status] Handling query reply: 0x7f0800001340
(156)
[2020/10/24 19:46:35]: [status] Sending data: 0x7f0800001340 (156)
[2020/10/24 19:46:35]: [status] Sending data [0x7f0800001340 (156)]:
successful write of 156
[CID 14][2020/10/24 19:46:35]: [status] Handling query input:
0x56032c4c09f0 (932)
[CID 14][2020/10/24 19:46:35]: Connection matched service apache
[CID 14][2020/10/24 19:46:35]: [status] Processing request
[0x56032c4c09f0 (932)]
[CID 14][2020/10/24 19:46:35]: [status] Executing request 6
(GSSX_ACQUIRE_CRED) from [0x56032c4c09f0 (932)]
[CID 14][2020/10/24 19:46:35]: gp_rpc_execute: executing 6
(GSSX_ACQUIRE_CRED) for service "apache", euid: 48,socket: (null)
GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: { {
"HTTP/host.xxxxxx.yyyyyyyy.fr(a)XXXXXX.YYYYYYYY.FR" { 1 2 840 113554 1 2 2
1 } [
410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652
] [
420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000
] [ ] } [ { { "HTTP/host.xxxxxx.yyyyyyyy.fr(a)XXXXXX.YYYYYYYY.FR" { 1 2
840 113554 1 2 2 1 } [
410b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e4652
] [
420b692affffff8648ffffff86fffffff71212200039485454502f686f73742e646d696167652e70617269736e616e74657272652e667240444d494147452e50415249534e414e54455252452e46520000
] [ ] } { 1 2 840 113554 1 2 2 } INITIATE 86400 0 } ] [
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
fff9c76ffffffd21fffffffa991520ffffffc460ffffffafffffffd9ffffffcdffffff9cffffffd332ffffff83ffffffb55114ffffffb8ffffffffffffffc9ffffffde48ffffffabffffffd0ffffffaa4b318ffffffe8ffffffc83cffffffa46678ffffff9fffffffe7fffffff8ffffffbbffffffb149ffffffd4ffffff852c4bffffffdf73ffffffc5ffffffcffffffffcffffffa67dfffffff135ffffffd8
] 0 } add_cred: 0 desired_name: <Null> time_req: 4294967295
desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE
initiator_time_req: 0 acceptor_time_req: 0 )
GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 }
100001 "Unspecified GSS failure. Minor code may provide more
information" "Succès" [ ] } output_cred_handle: <Null> )
[CID 14][2020/10/24 19:46:35]: [status] Returned buffer 6
(GSSX_ACQUIRE_CRED) from [0x56032c4c09f0 (932)]: [0x7f08000041d0 (156)]
[CID 14][2020/10/24 19:46:35]: [status] Handling query output:
0x7f08000041d0 (156)
[2020/10/24 19:46:35]: [status] Handling query reply: 0x7f08000041d0
(156)
[2020/10/24 19:46:35]: [status] Sending data: 0x7f08000041d0 (156)
[2020/10/24 19:46:35]: [status] Sending data [0x7f08000041d0 (156)]:
successful write of 156
END OF LOGS
The file /var/lib/gssproxy/clients/krb5cc_48 is not created.
(This is why I try to do it with sudo; a really bad solution, probably.)
Best.
Le 2020-10-13 23:27, Simo Sorce a écrit :
> Hello,
> it is not clear to me what is the hold up.
>
> Gssproxy can allow you to automatically use a keytab to gain
> credentials that then can be used to access a remote NFS server.
>
> Of course the remote NFS server needs to recognize "apache" as a valid
> user as well that does have access to user directories for read.
>
> Unfortunately without logs I cannot tell what is wrong.
> I think you should add at least cred_usage = initiate to your
> configuration.
>
> Please provide logs with errors if you need more help.
>
> Simo.
>
> On Mon, 2020-10-12 at 01:20 +0200, daudel(a)daudel.com wrote:
>> Hello,
>> I am in a student context and we use FreeIPA. The station type is
>> Fedora 31.
>> All profiles (home directories) are stored on a Kerberized, encrypted
>> NFS share.
>> Students have personal web pages on the NFS share under
>> ~student_name1, ~student_name2, ...
>>
>> The local httpd needs a TGT somewhere and I suppose gssproxy is the
>> right approach.
>>
>> I have tried a lot of things with gssproxy to allow the local httpd to
>> access the pages, with no real success.
>> Here is "the best" I had, but it's not very usable.
>> I suppose a nicer way exists?
>>
>> Merci beaucoup
>>
>> The file is for automatic deployment: gssproxy part + sudo part for
>> students.
>> I set up an IPA account apache (48/48).
>>
>> #!/usr/bin/bash
>>
>> # Obtain an admin TGT non-interactively by feeding kinit the password on
>> # stdin from a here-document.
>> # NOTE(review): the admin password is embedded in this deployment script
>> # (shown as xxxxxxx here), so the script itself must be treated as a
>> # secret: root-owned, mode 0600, and not copied into shared locations.
>> # Reading the value from a protected file would keep it out of the script.
>> kinit_admin(){
>> kinit admin <<EOF
>> xxxxxxx
>> EOF
>>
>> }
>> # Deploy the gssproxy configuration for httpd (part A) and the sudo-based
>> # workaround (part B). Runs as root; requires kinit_admin above.
>> apache_nfs(){
>>
>> # A - gssproxy part
>>
>>
>> # Fetch a fresh keytab for the apache service principal, then drop the
>> # admin TGT again. NOTE(review): ipa-getkeytab issues a new key each time
>> # it is run, so any other copy of this keytab stops working - TODO confirm
>> # that is intended. Keep the resulting file root-owned and mode 0600.
>> kinit_admin
>> rm -f /etc/gssproxy/httpd.keytab
>> ipa-getkeytab -s $( awk '/^server/ { print $3 }' /etc/ipa/default.conf
>> )
>> -k /etc/gssproxy/httpd.keytab -p apache(a)MYDOMAIN.FR
>> kdestroy
>>
>>
>> #
>> # 80-httpd.conf
>> #
>> # gssproxy service definition for httpd (euid 48): the ccache path is where
>> # gssproxy is expected to put the initiated credentials, the client_keytab
>> # is the file fetched above. (No comment lines inside the here-document:
>> # they would be written into the config file.)
>> cat >/etc/gssproxy/80-httpd.conf <<ESC
>> [service/apache]
>> mechs = krb5
>> cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_48
>> cred_store = client_keytab:/etc/gssproxy/httpd.keytab
>> euid = 48
>> ESC
>>
>>
>> # systemd drop-in so httpd's GSSAPI calls go through gssproxy.
>> # NOTE(review): mkdir without -p fails if the drop-in directory already
>> # exists; harmless here only because the script does not stop on errors.
>> mkdir /etc/systemd/system/httpd.service.d
>> cat >/etc/systemd/system/httpd.service.d/48-httpd.conf <<ESC
>> [Service]
>> Environment=GSS_USE_PROXY=1
>> ESC
>> /usr/bin/systemctl daemon-reload
>> /usr/bin/systemctl restart httpd
>>
>> # B - sudo part
>> #
>> # sudo script gsproxy.sh in /usr/bin
>> #
>> # Generated script, run as root through sudo. The first kinit only acts as
>> # a password check on the invoking user (its ticket lands in root's default
>> # ccache and is discarded by the final kdestroy); the real work is the
>> # keytab kinit of the apache principal into the proxy's ccache path.
>> # The here-document is unquoted, hence the escaped \$ below.
>> # NOTE(review): the generated file has no #! line - confirm sudo executes
>> # it as intended on this system.
>> cat >/usr/bin/gsproxy.sh <<ESC
>> /usr/bin/kinit \$(/usr/bin/logname)
>> if [ \$? -gt 0 ] ; then
>> /usr/bin/echo "Password error"
>> /usr/bin/echo "Restart sudo"
>> exit 1
>> fi
>>
>> /usr/bin/kdestroy -c /var/lib/gssproxy/clients/krb5cc_48
>> /usr/bin/kinit -k -t /etc/gssproxy/httpd.keytab -c
>> /var/lib/gssproxy/clients/krb5cc_48 -p apache(a)MYDOMAIN.FR
>> /usr/bin/kdestroy
>> ESC
>>
>> #
>> # sudo file
>> #
>> # Every member of group utilisateurs may run the script as root.
>> # NOTE(review): a sudo target that is writable by anyone but root hands
>> # root to the whole group, so make sure /usr/bin/gsproxy.sh is root-owned
>> # and not group/world-writable (chmod +x alone does not restrict it).
>> # A syntax error in /etc/sudoers.d can lock out sudo entirely; validating
>> # the written file with visudo -c is cheap insurance.
>> echo '%utilisateurs ALL = /usr/bin/gsproxy.sh'
>> >/etc/sudoers.d/gsproxy
>> chmod +x /usr/bin/gsproxy.sh
>>
>> }