When Apache httpd attempts to access a user directory automounted with sec=krb5p
, and presumably other sec=krb
options, gssproxy
issues a failure message and the web server replies with 403 Forbidden
. The debug option on gssproxy has not been sufficiently illuminating.
To rule out none RPCGSS
issues, the 403
is not issued when a valid KRB5CC
owned by uidNumber 48 (apache) is present in /tmp, and the web server will display the appropriate page. However, this is due to the behavior of rpc.gssd
. gssproxy
still issues the same failure message.
gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0, socket: (null)
gssproxy: gssproxy[639]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
# cat /etc/gssproxy/gssproxy.conf
[gssproxy]
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
# klist -ke /var/lib/gssproxy/clients/$(id -u apache).keytab
Keytab name: FILE:/var/lib/gssproxy/clients/48.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 apache/www.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 apache/www.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 apache/www.example.com@EXAMPLE.COM (camellia256-cts-cmac)
2 apache/www.example.com@EXAMPLE.COM (camellia128-cts-cmac)
# cat /etc/systemd/system/gssproxy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/sbin/gssproxy -D --debug