Make it easier to set up Apache httpd as a proxied service and a proxied NFS client #40
Conversation
The 80-httpd and 99-network-fs-clients examples might be used together such as an Apache httpd web server that authenticates web clients but is also authenticated itself as an NFS client to access remote content it must serve to web clients. This prevents ticket collisions in the credential caches by making them distinct for these two independent use cases so that they might be used together. Signed-off-by: John Florian <jflorian@doubledog.org>
GSS-Proxy might be used to authenticate web clients to httpd AND also authenticate the apache user running httpd to access networked file systems with Kerberos. Signed-off-by: John Florian <jflorian@doubledog.org>
I am not sure I want to change the config snippets by default.
I think we should describe that an admin may want to change the ccache if he intends to use disjoint principals for the http and nfs service configurations (if the same principal is used and just mapped on the nfs server side, this change would not be necessary)
make sure the HTTP stanza preceeds any ```allow_any_uid=yes``` sections.) | ||
make sure the HTTP stanza precedes any ```allow_any_uid=yes``` sections.) | ||
For the second goal, the proxy will require a keytab for the user principal (apache@REALM). Again, the uid used here is 48, but it must match whatever httpd is running as. |
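Review bot: the sentence says the uid 48 "must match whatever httpd is running as" but gives the reader no way to confirm it; suggest adding a one-line check such as `id -u apache` (or whichever service user the local httpd runs as) next to the 48 so admins on distributions that assign a different uid do not copy the value blindly.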
So while this is a valid choice, it is not required. It is as well possible to simply map the HTTP/fqdn principal to an "apache" user on the server for example.
So I think we should rephrase this bit something like "a principal that maps to the correct user on the server", then you can make an example using apache@REALM...
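An added example, not the project's shipped snippets, of the disjoint-principal case the reviewer describes above and in the comment preceding it: httpd accepts web clients as HTTP/fqdn@REALM while the apache user (uid 48, the value the PR text uses) initiates toward the NFS server as apache@REALM, so each role gets its own credential cache. The keytab paths, the `HTTP_`/`nfs_` cache-name prefixes and the realm are assumptions; the keys (`cred_store`, `euid`, `allow_any_uid`, `cred_usage`, `trusted`) are gssproxy's own.

```ini
# /etc/gssproxy/80-httpd.conf  (added example; file name follows the
# PR's "80-httpd" naming, every path below is an assumption)
# Accepting side: httpd authenticates web clients as HTTP/fqdn@REALM.
# Keep this file sorting before any allow_any_uid = yes stanza, as the
# PR text requires, so uid 48 is matched here first.
[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  # Cache name carries the role, so tickets obtained for the HTTP role
  # never collide with the nfs-client cache for the same uid.
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_HTTP_%U
  euid = 48

# /etc/gssproxy/99-network-fs-clients.conf  (added example)
# Initiating side: any uid, including apache (48), obtains tickets for
# krb5-secured NFS from a per-uid client keytab; for uid 48 the
# client_keytab path resolves to .../48.keytab holding apache@REALM.
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  # Distinct cache name from the HTTP stanza above.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_nfs_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
```

If instead HTTP/fqdn is simply mapped to the apache user on the NFS server, as the reviewer suggests, the second stanza's client keytab holds the same principal and the separate cache name is no longer required.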
"NFS Server"
I think I follow and see why that would be less involved. Also seems more resilient to the order in which resources become available (booting a micro home data center or even installing rpms that want to conditionally add system users like Once again, thank you for taking the time to educate me.
Per discussion#39.