When Apache httpd attempts to access a user directory automounted with sec=krb5p, and presumably other sec=krb options, gssproxy issues a failure message and the web server replies with 403 Forbidden. The debug option on gssproxy has not been sufficiently illuminating.

To rule out non-RPCGSS issues: the 403 is not issued when a valid KRB5CC owned by uidNumber 48 (apache) is present in /tmp, and the web server will display the appropriate page. However, this is due to the behavior of rpc.gssd. gssproxy still issues the same failure message.

gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0, socket: (null)
gssproxy: gssproxy[639]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

# cat /etc/gssproxy/gssproxy.conf 
[gssproxy]

[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

# klist -ke /var/lib/gssproxy/clients/$(id -u apache).keytab
Keytab name: FILE:/var/lib/gssproxy/clients/48.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 apache/www.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 apache/www.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   2 apache/www.example.com@EXAMPLE.COM (camellia256-cts-cmac) 
   2 apache/www.example.com@EXAMPLE.COM (camellia128-cts-cmac)

# cat /etc/systemd/system/gssproxy.service.d/override.conf 
[Service]
ExecStart=
ExecStart=/usr/sbin/gssproxy -D --debug

1 Answer


I used strace to see that gssproxy was looking for the keytab in /var/kerberos/krb5/user/48/client.keytab. I also needed to set the SELinux context:

chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
ls -lZ /var/kerberos/krb5/user/48/client.keytab
-r--------. apache apache unconfined_u:object_r:krb5_keytab_t:s0 /var/kerberos/krb5/user/48/client.keytab

It appears that the HTTP stanza is taking precedence over the nfs-client stanza for UID 48.
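The answer above narrows the failure down to three things about the per-UID client keytab: it has to be at the path libkrb5 actually searches (/var/kerberos/krb5/user/<uid>/client.keytab, the default client keytab location on Fedora/RHEL builds), it has to be readable only by that uid, and under SELinux it has to carry the krb5_keytab_t type. The following POSIX shell check is an added example, not code from the question or answer; it folds those three conditions into one function so the same mistake can be caught on other hosts before Apache starts returning 403. The KRB5_USER_DIR override is an assumption of this script (it exists so the check can be pointed at a copy of the tree), and the SELinux label check is only treated as fatal when getenforce reports Enforcing, since on a permissive or non-SELinux host a wrong label is not what breaks credential acquisition.

```shell
#!/bin/sh
# Added diagnostic for the per-UID client keytab that gssproxy (via libkrb5)
# reads when a service stanza has no usable client_keytab of its own.
# Path layout matches the answer: /var/kerberos/krb5/user/<uid>/client.keytab.
# KRB5_USER_DIR is this script's own knob for checking a copied tree.
KRB5_USER_DIR="${KRB5_USER_DIR:-/var/kerberos/krb5/user}"

# check_client_keytab UID
# Returns 0 when the keytab exists, is owned by UID, grants no group/other
# access, and (only when SELinux is Enforcing) is labelled krb5_keytab_t.
# Prints one line per finding so the output can go straight into a ticket.
check_client_keytab() {
    uid="$1"
    kt="$KRB5_USER_DIR/$uid/client.keytab"
    rc=0

    if [ ! -f "$kt" ]; then
        echo "MISSING  $kt: libkrb5 finds no client keytab, so GSSX_ACQUIRE_CRED fails"
        return 1
    fi
    echo "FOUND    $kt"

    owner=$(stat -c %u "$kt")
    if [ "$owner" != "$uid" ]; then
        echo "OWNER    expected uid $uid, got $owner (the answer shows the keytab owned by apache)"
        rc=1
    fi

    mode=$(stat -c %a "$kt")
    case "$mode" in
        [0-7]00) ;;   # only the owner may read the principal's long-term key
        *) echo "MODE     $mode exposes the key to group/other; use 0400"; rc=1 ;;
    esac

    # SELinux label, as set with chcon in the answer. Fatal only when enforced.
    ctx=$(stat -c %C "$kt" 2>/dev/null || true)
    if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        case "$ctx" in
            *:krb5_keytab_t:*) ;;
            *) echo "CONTEXT  ${ctx:-unknown} is not krb5_keytab_t; fix: chcon -t krb5_keytab_t $kt"; rc=1 ;;
        esac
    else
        echo "CONTEXT  ${ctx:-unknown} (SELinux not enforcing here, label not checked)"
    fi
    return $rc
}

# Usage: sh check_keytab.sh 48      (48 is the apache uid from the question)
if [ -n "${1:-}" ]; then
    check_client_keytab "$1"
fi
```

Run it as root with the uid Apache actually uses (`id -u apache`); a clean run prints only FOUND and CONTEXT lines and exits 0, and any OWNER, MODE or CONTEXT line is the item to fix before re-testing the automount.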