[Samba] FW: kerberos nfs4's principals and root access
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 3 06:57:07 UTC 2016
For the Apache keytab you need something like:
Alias /webmail /usr/share/webmail
#
<Directory /usr/share/webmail>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Directory>
chmod 400 /etc/httpd/conf/keytab
chown www-data:www-data /etc/httpd/conf/keytab
> In fact I'm stuck between my two problems (root access to a Kerberised NFS
> share / www-data access to userdirs on a Kerberised NFS share);
> contrary to what I thought, it's the root access that is the more difficult
> to resolve...
This is because of the layout of your website.
Now you're "abusing" the user homedir, and normally that's a private dir for only the user.
For the root access, you can kinit Administrator in a root script; I don't know what exactly you want.
But echo "passwd" | kinit Administrator simply resolves your problem.
And for the users/website data:
When you set a layout like this:
/var/www/domain/site/
Add on the domain, for example, an AD group with write rights,
like "Domain website Admins"; give these full control.
And something like "Site Admins" for a website, inheriting the one before.
No hassle with keytabs or changing owner/group.
Besides, if you want to do that, look at mod_ruid, which allows running an Apache vhost as a user.
But it's what you want.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bruno Macadré
> Sent: Wednesday 3 August 2016 8:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] FW: kerberos nfs4's principals and root access
>
> Hi Rowland,
>
> I've already read this article, but I never found how to tell
> Apache to read this file... After some research, I think I need to
> install mod_auth_krb5 to specify at least how to find this keytab (even
> if I don't need Apache authentication against Kerberos).
>
> I will try this today and come back to say if it works!
>
> In fact I'm stuck between my two problems (root access to a Kerberised NFS
> share / www-data access to userdirs on a Kerberised NFS share);
> contrary to what I thought, it's the root access that is the more difficult
> to resolve...
>
> Thanks Rowland,
> Greetz,
> Bruno
>
>
> On 02/08/2016 at 18:20, Rowland Penny wrote:
> > On Tue, 2 Aug 2016 17:05:37 +0200
> > Bruno MACADRÉ <bruno.macadre at univ-rouen.fr> wrote:
> >
> >> It's ok
> >>
> >> So, if I create an httpuser and an httpgroup in my AD and use these as
> >> owner and group for my apache2 daemon, could it access the
> >> userdirs (provided the permissions grant it)? But I need to cron 'kinit'
> >> to keep a valid ticket...?
> >>
> >> My local root user still can't access the share, but my other
> >> problem seems to be resolved.
> >>
> >>
> > OK, I went and re-read your first post and I think you are going about
> > this the wrong way. I did a quick google and found this:
> >
> > http://blog.sumostyle.net/2009/01/nfs4-krb5-and-apache-userdir/
> >
> > So to translate that into Samba:
> >
> > Create a user 'httpuser' with a random password:
> >
> > samba-tool user create --random-password httpuser
> >
> > Give the new user an SPN:
> >
> > samba-tool spn add HTTP/servername.your.realm.tld httpuser
> >
> > Where 'servername' is the short hostname of your machine running Apache
> > and 'your.realm.tld' is (obviously) your dns/realm name
> >
> > Now export the keytab:
> >
> > samba-tool domain exportkeytab /root/httpd.keytab --principal=HTTP/servername.your.realm.tld@YOUR.REALM.TLD
> >
> > copy the keytab to the machine running Apache and allow www-data to
> > read the keytab.
> >
> > Rowland
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
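Both Louis's chmod/chown advice above and Rowland's exportkeytab steps end with a keytab that www-data must be able to read and nobody else should. The following check script is an added example, not code from the thread: it verifies the keytab's mode, its owner (name or numeric uid), and, when MIT `klist` is installed and a principal is given, that the HTTP/ SPN is actually present. It assumes GNU coreutils `stat -c` (Linux); the keytab path and owner are arguments.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity-check an Apache keytab.
# Usage: check_keytab /etc/httpd/conf/keytab www-data HTTP/servername.your.realm.tld
# Exit status 0 when every check passes, 1 otherwise.
# Assumes GNU stat (-c); the principal check is skipped when klist is absent
# or when no principal is passed.

check_keytab() {
    keytab=$1
    owner=$2
    principal=$3
    status=0

    if [ ! -f "$keytab" ]; then
        echo "FAIL: $keytab does not exist"
        return 1
    fi

    # Owner-read-only, matching the thread's "chmod 400": group/other must have
    # no access, and the owner needs no write or execute bit on a keytab.
    mode=$(stat -c '%a' "$keytab")
    if [ "$mode" != "400" ]; then
        echo "FAIL: mode is $mode, expected 400 (run: chmod 400 $keytab)"
        status=1
    fi

    # Accept the owner as a user name or a numeric uid.
    actual_name=$(stat -c '%U' "$keytab")
    actual_uid=$(stat -c '%u' "$keytab")
    if [ "$actual_name" != "$owner" ] && [ "$actual_uid" != "$owner" ]; then
        echo "FAIL: owner is $actual_name ($actual_uid), expected $owner"
        status=1
    fi

    # Confirm the exported SPN is really in the file (needs MIT klist).
    if [ -n "$principal" ] && command -v klist >/dev/null 2>&1; then
        if ! klist -kt "$keytab" 2>/dev/null | grep -q "$principal"; then
            echo "FAIL: $principal not found in $keytab"
            status=1
        fi
    fi

    [ "$status" -eq 0 ] && echo "OK: $keytab passes all checks"
    return "$status"
}
```

Run it after copying the keytab into place; a non-zero exit means Apache will either fail to read the keytab or the file is readable by more than the Apache user.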