On Sun, 2017-01-01 at 20:37 +0100, Rob Verduijn wrote:
> 2016-12-30 21:26 GMT+01:00 Lukas Slebodnik <lslebodn(a)redhat.com>:
>
> > On (30/12/16 18:25), Rob Verduijn wrote:
> > >Hello,
> > >
> > >I've been struggling for some days on fedora25 to get gssproxy to work.
> > >
> > >After a long time I decided to try this on centos73 to see if I was doing
> > >it wrong.
> > >
> > >After a minimal install and joining it to the ipa domain the gssproxy was
> > >working flawlessly.
> > >
> > >After checking for the umpteenth time for typos and possible kvno errors in
> > >the keytabs I can say that the configuration that works flawlessly on
> > >centos73 does not work on fedora25.
> > >
> > >I first wondered if autofs and gssproxy wouldn't play nice together, but it seems
> > >I have been fighting this bug on centos73 and fedora24/25:
> > >https://fedorahosted.org/sssd/ticket/3080
> > >Any idea when the fix will be released ?
> > >
> > The patch has not been pushed to upstream yet.
> >
> > But the workaround should be very simple.
> > sh# systemctl restart autofs.service
> >
> > I'll let others answer the rest.
> >
> > LS
> > _______________________________________________
> > gss-proxy mailing list -- gss-proxy(a)lists.fedorahosted.org
> > To unsubscribe send an email to gss-proxy-leave(a)lists.fedorahosted.org
>
>
> Hi,
>
> gssproxy also does not work on fedora24.
> Is there a new way of configuring gssproxy ?
>
> I used the example for apache from this page:
>
> https://fedorahosted.org/gss-proxy/wiki/Apache
>
> On centos73 I did:
>
> ipa service-add HTTP/server-name(a)LOCAL.DOMAIN
>
> installed the keytab in /etc/gssproxy/http.keytab
>
> and edited the file /etc/gssproxy/gssproxy.conf
> [gssproxy]
>
> [service/HTTP]
> mechs = krb5
> cred_store = keytab:/etc/gssproxy/http.keytab
> cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
> euid = 48
>
> reboot and mounted the kerberized nfs4 share
>
> did a su - apache -s /bin/bash
>
> and the apache user could read the kerberized nfs4 share
>
> I tried exactly the same on fedora 24 and 25, and on both it failed.
Does it work for you if you add
cred_store = client_keytab:/etc/gssproxy/http.keytab
?
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
gss-proxy mailing list -- gss-proxy(a)lists.fedorahosted.org
To unsubscribe send an email to gss-proxy-leave(a)lists.fedorahosted.org
Nope, that does not work on either fc24 or fc25.
I did not try centos73 since it already worked on that one.
Rob Verduijn