Hello all,

I see all the bugs that were mentioned have been squashed and fixes have been released.
However, bug #178 is the only one still blocking my issue.

Good news is that a simple workaround gets it to work as desired:

# workaround for bug 178
#  #178 Interaction between httpd and nfs-client changes location of keytab for apache nfs access
# https://pagure.io/gssproxy/issue/178
# 48 is the uid of the apache user on Fedora; MIT krb5 looks for the default
# client keytab at /var/kerberos/krb5/user/<euid>/client.keytab
mkdir -p /var/kerberos/krb5/user/48/
cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/client.keytab
chown apache:apache /var/kerberos/krb5/user/48/client.keytab
chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
systemctl restart gssproxy.service

After applying this, the apache client can read the Kerberized mount with the keytab file.

I've attached a Vagrant script that reproduces this.
It will generate a Fedora system without the workaround applied,
and a script in /root that contains the above-mentioned workaround so that it may be easily applied.


2017-04-04 10:22 GMT+02:00 Rob Verduijn <rob.verduijn@gmail.com>:
Ah well,
At least you got a reproducer for that one as well now :-P


2017-04-03 22:35 GMT+02:00 Simo Sorce <simo@redhat.com>:
On Mon, 2017-04-03 at 21:36 +0200, Rob Verduijn wrote:
> Hello,
> I recreated the reproducer environment and tried it with only the keytab
> relocation
> so I added the following steps:
> mkdir /var/kerberos/krb5/user/48/
> cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/client.keytab
> chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
> chown apache:apache /var/kerberos/krb5/user/48/client.keytab
> systemctl restart gssproxy.service
> and the nfs mount is readable by the apache user
> su - apache -s /bin/bash
> ls /test
> example.txt
> [root@fedoraclient ~]# getenforce
> Enforcing
> so I guess we are incorrectly blaming SELinux for this,
> but it should be:
> https://pagure.io/gssproxy/issue/178

We definitely reproduced the SELinux issue.
Both issues are at play here.


Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

gss-proxy mailing list -- gss-proxy@lists.fedorahosted.org
To unsubscribe send an email to gss-proxy-leave@lists.fedorahosted.org
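The workaround in the first message above hard-codes the apache uid (48), copies the keytab with whatever mode the umask gives it, and assumes SELinux is present. Below is an added example, written for this page and not taken from the thread or from the gssproxy project, that generalises the same keytab relocation: it resolves the euid with `id -u`, creates the copy with mode 0600 so the key material is never group- or world-readable, applies the same `krb5_keytab_t` label only when SELinux is actually enabled, and takes an optional install root so it can be exercised against a scratch directory. The `/var/kerberos/krb5/user/<euid>/client.keytab` path is the default client keytab location MIT krb5 is built with on Fedora/RHEL; the function and argument names are my own. Restarting gssproxy, which the thread's workaround does last, is deliberately left to the caller.

```shell
#!/bin/sh
# Added example (not from the thread): parameterised version of the
# gssproxy issue #178 keytab-relocation workaround.
# Assumptions (mine): the service user and an optional install root are
# arguments, so this can run as a non-root user against a temp directory.

# install_client_keytab SRC USER [ROOT]
#   SRC  : keytab gssproxy already holds for the service (e.g. httpd.keytab)
#   USER : user name or numeric uid that will use the keytab (e.g. apache)
#   ROOT : prefix under which var/kerberos/krb5/user/<uid>/client.keytab is
#          created (default "/"; a scratch directory for testing)
# Prints the path of the installed keytab on success.
install_client_keytab() {
    src=$1
    user=$2
    root=${3:-/}

    [ -r "$src" ] || { echo "cannot read keytab $src" >&2; return 1; }

    # MIT krb5 on Fedora/RHEL resolves the default client keytab as
    # /var/kerberos/krb5/user/%{euid}/client.keytab, so key on the euid
    # instead of hard-coding 48.
    case $user in
        *[!0-9]*) uid=$(id -u "$user") || return 1 ;;
        *)        uid=$user ;;
    esac

    dir="${root%/}/var/kerberos/krb5/user/$uid"
    dst="$dir/client.keytab"

    mkdir -p "$dir"
    # Create the copy with a restrictive mode from the start rather than
    # tightening permissions after the key material is already on disk.
    (umask 077 && cp "$src" "$dst") || return 1
    chmod 0600 "$dst"

    # Only root can hand the file to the service user; a non-root test run
    # leaves the copy owned by the caller.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid" "$dst"
    fi

    # Same label the thread's workaround applies, but only when SELinux is
    # present and enabled (chcon fails on a filesystem without labels).
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        chcon -t krb5_keytab_t "$dst"
    fi

    printf '%s\n' "$dst"
}

# check_client_keytab PATH: succeed only if the keytab exists and is 0600.
check_client_keytab() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ]
}
```

On a real Fedora host the call is `install_client_keytab /var/lib/gssproxy/clients/httpd.keytab apache` followed by `systemctl restart gssproxy.service`, exactly as in the thread; the only behavioural differences from the posted workaround are the uid lookup, the explicit 0600 mode, and skipping `chcon` where SELinux is absent.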