Hello all,
I see all the bugs that were mentioned have been squashed and fixes have been released. However the bug #178 is the only one still blocking my issue. https://pagure.io/gssproxy/issue/178
Good news is that a simple workaround gets it to work as desired: https://serverfault.com/questions/775068/gssproxy-apache-httpd-as-nfs-client-centos7

    #!/bin/bash
    # workaround for bug 178
    #
    # #178 Interaction between httpd and nfs-client changes location of keytab for apache nfs access
    # https://pagure.io/gssproxy/issue/178
    mkdir -p /var/kerberos/krb5/user/48/
    cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/client.keytab
    chown apache:apache /var/kerberos/krb5/user/48/client.keytab
    chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
    systemctl restart gssproxy.service

After applying this, the apache client can read the kerberized mount with the keytab file.
I've attached a vagrant script that reproduces this. It will generate a fedora system without the workaround applied and a script in /root that contains the above-mentioned workaround so that it may be easily applied.
Cheers,
Rob
2017-04-04 10:22 GMT+02:00 Rob Verduijn rob.verduijn@gmail.com:
Ah well, at least you got a reproducer for that one as well now :-P
Rob
2017-04-03 22:35 GMT+02:00 Simo Sorce simo@redhat.com:
On Mon, 2017-04-03 at 21:36 +0200, Rob Verduijn wrote:
Hello,
I recreated the reproducer environment and tried it with only the keytab relocation, so I added the following steps:

    mkdir /var/kerberos/krb5/user/48/
    cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/client.keytab
    chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
    chown apache:apache /var/kerberos/krb5/user/48/client.keytab
    systemctl restart gssproxy.service

and the nfs mount is readable by the apache user

    su - apache -s /bin/bash
    ls /test
    example.txt

    [root@fedoraclient ~]# getenforce
    Enforcing

so I guess we are incorrectly blaming SELinux for this, but it should be: https://pagure.io/gssproxy/issue/178
We definitely reproduced the SELinux issue. Both issues are at play here.
Simo.
-- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc