My CentOS 7.2 server:
* Enrolled IPA client
* Automount configured with NFSv4 krb5 mount for user home directories.
Everything works. IPA users can log in and their home directory would automatically be
mounted.
Now, I am trying to configure the server's Apache to expose certain users' home
directory for web. To do this, I followed
https://fedorahosted.org/gss-proxy/wiki/NFS to configure gssproxy (no impersonation).
And this works... for a while. After idling awhile, Apache would report no permission, and
the gssproxy debug messages would show:
gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service
"nfs-client", euid: 0, socket: (null)
gssproxy: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
"nfs-client", euid: 0, socket: (null)
What I don't understand is why it is using service "nfs-client".
Shouldn't it be using service "apache", which is set above the section for
"nfs-client" in gssproxy.conf? I say this because if I restart gssproxy, Apache
would work again, and the debug message would show (as expected):
gssproxy: Client connected (fd = 12) (pid = 3158) (uid = 48) (gid = 48) (context =
system_u:system_r:gssd_t:s0)
gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "apache",
euid: 48, socket: (null)
gssproxy: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
"apache", euid: 48, socket: (null)
gssproxy: gp_rpc_execute: executing 8 (GSSX_INIT_SEC_CONTEXT) for service
"apache", euid: 48, socket: (null)
But after idling awhile, Apache would again stop working and gssproxy debug messages would
show it's using "nfs-client" again.
So why is it not using service "apache" all the time, instead falling back to
"nfs-client"?