Hello all,

I see all the bugs that were mentioned have been squashed and fixes have been released.
However, bug #178 is the only one still blocking my issue.
https://pagure.io/gssproxy/issue/178


Good news is that a simple workaround gets it to work as desired:
https://serverfault.com/questions/775068/gssproxy-apache-httpd-as-nfs-client-centos7


#!/bin/bash
# workaround for bug 178
#  #178 Interaction between httpd and nfs-client changes location of keytab for apache nfs access
# https://pagure.io/gssproxy/issue/178
mkdir -p /var/kerberos/krb5/user/48/
cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/client.keytab
chown apache:apache /var/kerberos/krb5/user/48/client.keytab
chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
systemctl restart gssproxy.service

After applying this, the apache client can read the kerberized mount with the keytab file.

I've attached a vagrant script that reproduces this.
It will generate a Fedora system without the workaround applied
and a script in /root that contains the above-mentioned workaround so that it may be easily applied.

Cheers
Rob

2017-04-04 10:22 GMT+02:00 Rob Verduijn <rob.verduijn@gmail.com>:
Ah well,
At least you got a reproducer for that one as well now :-P

Rob

2017-04-03 22:35 GMT+02:00 Simo Sorce <simo@redhat.com>:
On Mon, 2017-04-03 at 21:36 +0200, Rob Verduijn wrote:
> Hello,
>
> I recreated the reproducer environment and tried it with only the keytab
> relocation so I added the following steps:
> mkdir /var/kerberos/krb5/user/48/
> cp /var/lib/gssproxy/clients/httpd.keytab /var/kerberos/krb5/user/48/client.keytab
> chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
> chown apache:apache /var/kerberos/krb5/user/48/client.keytab
> systemctl restart gssproxy.service
>
>
> and the nfs mount is readable by the apache user
> su - apache -s /bin/bash
> ls /test
> example.txt
>
> [root@fedoraclient ~]# getenforce
> Enforcing
>
> so I guess we are incorrectly blaming SELinux for this,
> but it should be:
> https://pagure.io/gssproxy/issue/178

We definitely reproduced the SELinux issue.
Both issues are at play here.

Simo.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
