Make it easier to set up Apache httpd as a proxied service and a proxied NFS client#40


Open

jflorian wants to merge 2 commits into gssapi:main from jflorian:main

Conversation

@jflorian

Per discussion #39.

John Florian added 2 commits January 21, 2022 14:34

The 80-httpd and 99-network-fs-clients examples might be used together such as an Apache httpd web server that authenticates web clients but is also authenticated itself as an NFS client to access remote content it must serve to web clients. This prevents ticket collisions in the credential caches by making them distinct for these two independent use cases so that they might be used together.
Signed-off-by: John Florian <jflorian@doubledog.org>

GSS-Proxy might be used to authenticate web clients to httpd AND also authenticate the apache user running httpd to access networked file systems with Kerberos.
Signed-off-by: John Florian <jflorian@doubledog.org>

@simo5 left a comment


I am not sure I want to change the config snippets by default.
I think we should describe that an admin may want to change the ccache if he intends to use disjoint principals for the http and nfs service configurations (if the same principal is used and just mapped on the nfs server side, this change would not be necessary)

make sure the HTTP stanza preceeds any```allow_any_uid=yes``` sections.)
make sure the HTTP stanza precedes any```allow_any_uid=yes``` sections.)

For the second goal, the proxy will require a keytab for the user principal (apache@REALM). Again, the uid used here is 48, but it must match whatever httpd is running as.
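Review bot: this hunk hard-codes uid 48 and says it must match whatever httpd runs as, but gives the reader no way to confirm that; suggest adding how to check it (for example `id -u apache`) and spelling out the consequence, since with a mismatched euid the HTTP stanza never matches httpd and, given the `allow_any_uid=yes` ordering note above, its requests would fall through to another section.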

So while this is a valid choice, it is not required. It is as well possible to simply map the HTTP/fqdn principal to an "apache" user on the server for example.
So I think we should rephrase this bit something like "a principal that maps to the correct user on the server", then you can make an example using apache@REALM...


"NFS Server"

@jflorian
Author

I think I follow and see why that would be less involved. Also seems more resilient to the order in which resources become available (booting a micro home data center or even installing rpms that want to conditionally add system users like apache). It would also be nice to not clutter IPA with extra principals for system users if they're really not needed. Let me try to rework my setup to make sure I truly comprehend it all. That will make it much easier for me to rework this.

Once again, thank you for taking the time to educate me.
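As an added illustration, not code from this PR or from gssproxy's shipped examples: the two stanzas the commit messages describe, with distinct credential caches for the case where httpd uses disjoint principals (HTTP/fqdn for web clients, apache@REALM as NFS client). The file paths, keytab locations and ccache names are assumptions; uid 48 comes from the discussion above, and, as the reviewer notes, if HTTP/fqdn is instead mapped to the apache user on the NFS server, a separate cache is not needed.

```ini
# /etc/gssproxy/80-httpd.conf (assumed path)
# Identity httpd uses to accept web-client authentication.
# Sorts before any allow_any_uid=yes section so uid 48 matches here first.
[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  # Distinct ccache name so HTTP tickets never collide with the NFS client's.
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_http_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = both
  # uid httpd runs as; confirm with `id -u apache` on the host.
  euid = 48

# /etc/gssproxy/99-network-fs-clients.conf (assumed path)
# NFS client side: initiates as the calling user. For uid 48 this needs a
# client keytab holding apache@REALM at /var/lib/gssproxy/clients/48.keytab
# (assumed location, derived from the %U pattern below).
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  # Separate ccache from the HTTP stanza above.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_nfs_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  # Catches every other uid; must sort after [service/HTTP] or it would
  # also capture uid 48.
  allow_any_uid = yes
  trusted = yes
  euid = 0
```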


Reviewers

@simo5 requested changes

2 participants

@jflorian @simo5
