Help with kerberos+nfs V4 on a webserver using suexec and suphp

Rainer Krienke krienke at uni-koblenz.de
Tue Mar 10 10:19:38 EDT 2015


Hello,

I have a web server (SuSE SLES11) where users can offer their own web
pages they write in $HOME/public_html. The public_html directory is NFS
mounted from an NFS server.  At the moment NFS3 is used for this setup
and I would like to migrate it to NFS V4 using kerberos.

So I set up a kerberos server and configured the NFS server for NFSV4. This
works fine. Next I tried what happens when I try to access the webserver
like http://mywebserver/~nfsuser where mywebserver (running apache 2.2)
does a krb5 NFS V4 mount of the users home directories using automount.
I first got a permission denied. To get this working I created an
HTTP/mywebserver.mydomain@MYREALM principal and exported it to a keytab
file on mywebserver. When starting up apache on this server I ran kinit
for the HTTP principal first using a credential cache file in
/tmp/krb5cc_nn where nn is the userid of the user httpd is running with
(wwwrun). Now basic access to a simple webpage accessed via NFSV4 also
works.

However what still does not work is calling cgi scripts that use suexec
and calling php scripts that use suphp. Both methods change the user id
of the running CGI or PHP script to the user id of the script being read
from NFS. Since there is no kerberos ticket for any of the users (they
did not and cannot authenticate) NFS access is probably denied.

Is there any solution to this suexec/suphp problem? Is it possible to
configure kerberos to grant the webserver access to all the NFS4 mounted
user directories?

What I am looking for is an authentication of the server to kerberos
and vice versa, but no user authentication for NFS V4 access to NFS
user directories (some thousands).

Any idea how this could be accomplished?

Thanks a lot in advance
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
