gssproxy: apache httpd as nfs-client? centos7

When Apache httpd tries to access user directories automounted with sec=krb5p (and possibly with the other sec=krb* options as well), gssproxy emits a failure message and the web server replies with 403 Forbidden. The debugging option of gssproxy does not shed enough light on it.

To rule out an RPCGSS problem: when a valid KRB5CC owned by uidNumber 48 (apache) exists in /tmp, no 403 is issued and the web server shows the corresponding page. However, that is due to the behaviour of rpc.gssd; gssproxy still emits the same failure message.

    gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0, socket: (null)
    gssproxy: gssproxy[639]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found

    # cat /etc/gssproxy/gssproxy.conf
    [gssproxy]

    [service/HTTP]
      mechs = krb5
      cred_store = keytab:/etc/gssproxy/http.keytab
      cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
      euid = 48

    [service/nfs-server]
      mechs = krb5
      socket = /run/gssproxy.sock
      cred_store = keytab:/etc/krb5.keytab
      trusted = yes
      kernel_nfsd = yes
      euid = 0

    [service/nfs-client]
      mechs = krb5
      cred_store = keytab:/etc/krb5.keytab
      cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
      cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
      cred_usage = initiate
      allow_any_uid = yes
      trusted = yes
      euid = 0

    # klist -ke /var/lib/gssproxy/clients/$(id -u apache).keytab
    Keytab name: FILE:/var/lib/gssproxy/clients/48.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 apache/www.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
       2 apache/www.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
       2 apache/www.example.com@EXAMPLE.COM (camellia256-cts-cmac)
       2 apache/www.example.com@EXAMPLE.COM (camellia128-cts-cmac)

    # cat /etc/systemd/system/gssproxy.service.d/override.conf
    [Service]
    ExecStart=
    ExecStart=/usr/sbin/gssproxy -D --debug

With strace I saw that gssproxy was looking for the keytab in /var/kerberos/krb5/user/48/client.keytab. I also had to set the SELinux context:

    chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
    ls -lZ /var/kerberos/krb5/user/48/client.keytab
    -r--------. apache apache unconfined_u:object_r:krb5_keytab_t:s0 /var/kerberos/krb5/user/48/client.keytab

It looks like the HTTP section takes precedence over the nfs-client section for UID 48.
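As an added illustration (not the poster's code and not part of gssproxy itself), the following Python script parses a constructed copy of the configuration quoted above, resolves which [service/...] section would be selected for a given euid and socket, and expands the %U placeholders in that section's cred_store entries. It assumes that gssproxy takes the first matching section in file order, which is consistent with the observation that HTTP wins over nfs-client for UID 48, and that when the selected section defines no client_keytab, libkrb5 falls back to its compiled-in CentOS 7 default of /var/kerberos/krb5/user/<euid>/client.keytab, the path the strace showed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of the /etc/gssproxy/gssproxy.conf quoted in the post.
SAMPLE_CONF = """\
[gssproxy]

[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
"""

# MIT krb5's compiled-in default client keytab on CentOS 7, which libkrb5 falls
# back to when the selected section configures no client_keytab cred_store.
DEFAULT_CLIENT_KEYTAB = "/var/kerberos/krb5/user/{euid}/client.keytab"


@dataclass
class Service:
    name: str
    euid: Optional[int] = None
    allow_any_uid: bool = False
    socket: Optional[str] = None  # None means gssproxy's default socket
    cred_store: List[str] = field(default_factory=list)


def parse_gssproxy_conf(text: str) -> List[Service]:
    """Minimal INI reader that keeps repeated cred_store keys in file order."""
    services: List[Service] = []
    current: Optional[Service] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            name = line[1:-1]  # only [service/...] sections take part in matching
            current = Service(name[len("service/"):]) if name.startswith("service/") else None
            if current:
                services.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "cred_store":
            current.cred_store.append(value)
        elif key == "euid":
            current.euid = int(value)
        elif key == "allow_any_uid":
            current.allow_any_uid = value.lower() in ("yes", "true", "1")
        elif key == "socket":
            current.socket = value
    return services


def select_service(services: List[Service], euid: int,
                   socket: Optional[str] = None) -> Optional[Service]:
    """First section in file order whose socket and uid rules admit the caller
    (assumed matching order; it reproduces HTTP winning over nfs-client for 48)."""
    for svc in services:
        if svc.socket == socket and (svc.allow_any_uid or svc.euid == euid):
            return svc
    return None


def credential_paths(svc: Service, euid: int) -> Tuple[Dict[str, List[str]], bool]:
    """Expand %U in the cred_store entries; the flag says whether the client
    keytab had to fall back to the libkrb5 default path."""
    paths: Dict[str, List[str]] = {}
    for entry in svc.cred_store:
        kind, _, location = entry.partition(":")
        paths.setdefault(kind, []).append(location.replace("%U", str(euid)))
    used_default = "client_keytab" not in paths
    if used_default:
        paths["client_keytab"] = [DEFAULT_CLIENT_KEYTAB.format(euid=euid)]
    return paths, used_default


if __name__ == "__main__":
    services = parse_gssproxy_conf(SAMPLE_CONF)
    for uid in (48, 0):  # the apache uid and the euid seen in the debug log
        svc = select_service(services, uid)
        paths, fallback = credential_paths(svc, uid)
        print(f"euid {uid} -> service/{svc.name}, default client keytab: {fallback}")
        for kind, locations in paths.items():
            print(f"  {kind}: {', '.join(locations)}")
```

Under these assumptions, euid 48 on the default socket lands in service/HTTP, whose only credential stores are http.keytab and the krb5cc_48 ccache, so the client keytab is resolved from libkrb5's default location rather than from the nfs-client section's /var/lib/gssproxy/clients/48.keytab; euid 0 on the default socket lands in nfs-client, which matches the debug line quoted above.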