When Apache httpd attempts to access a user directory automounted with sec=krb5p, and presumably other sec=krb options, gssproxy issues a failure message and the web server replies with 403 Forbidden. The debug option on gssproxy has not been sufficiently illuminating.
To rule out non-RPCGSS issues: the 403 is not issued when a valid Kerberos credential cache (KRB5CC) owned by uidNumber 48 (apache) is present in /tmp, and the web server then displays the appropriate page. However, this is due to the behavior of rpc.gssd, which finds that credential cache on its own. gssproxy still issues the same failure message.
gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0, socket: (null)
gssproxy: gssproxy[639]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
# cat /etc/gssproxy/gssproxy.conf
# NOTE(review): the comment lines in this listing are reviewer annotations, not part of the reported file.
[gssproxy]
# Service for the web server itself: euid = 48 is the apache uid named in the report.
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
# This ccache entry has no FILE: prefix, unlike the one under nfs-client below.
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
# Service for the kernel NFS server (kernel_nfsd = yes), using the host keytab.
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
# The failing GSSX_ACQUIRE_CRED call in the log was matched to this service
# (service "nfs-client", euid: 0).
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
# %U stands for a numeric uid; for apache this resolves to the 48.keytab
# that klist lists in the report.
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
# Client side only: credentials are used to initiate contexts, not accept them.
cred_usage = initiate
# NOTE(review): allow_any_uid and trusted widen who may use this service and on
# whose behalf (see gssproxy.conf(5)). The per-uid keytabs under clients/ hold
# long-term keys, so that directory should be readable by root only - confirm
# ownership and mode.
allow_any_uid = yes
trusted = yes
euid = 0
# klist -ke /var/lib/gssproxy/clients/$(id -u apache).keytab
Keytab name: FILE:/var/lib/gssproxy/clients/48.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 apache/www.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 apache/www.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 apache/www.example.com@EXAMPLE.COM (camellia256-cts-cmac)
2 apache/www.example.com@EXAMPLE.COM (camellia128-cts-cmac)
# cat /etc/systemd/system/gssproxy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/sbin/gssproxy -D --debug