Hello,

I have a web server (SuSE SLES11) where users can offer their own web pages, which they write in $HOME/public_html. The public_html directory is NFS mounted from an NFS server. At the moment NFS3 is used for this setup and I would like to migrate it to NFS V4 using Kerberos.

So I set up a Kerberos server and configured the NFS server for NFSV4. This works fine. Next I tried what happens when I try to access the webserver like http://mywebserver/~nfsuser where mywebserver (running apache 2.2) does a krb5 NFS V4 mount of the users' home directories using automount. I first got a permission denied. To get this working I created a HTTP/mywebserver.mydomain@MYREALM principal and exported it to a keytab file on mywebserver. When starting up apache on this server I ran kinit for the HTTP principal first, using a credential cache file in /tmp/krb5cc_nn where nn is the userid of the user httpd is running with (wwwrun). Now basic access to a simple webpage accessed via NFSV4 also works.

However, what still does not work is calling CGI scripts that use suexec and calling PHP scripts that use suphp. Both methods change the user id of the running CGI or PHP script to the user id of the script being read from NFS. Since there is no Kerberos ticket for any of the users (they did not and cannot authenticate), NFS access is probably denied.

Is there any solution to this suexec/suphp problem? Is it possible to configure Kerberos to grant the webserver access to all the NFS4 mounted user directories?

What I am looking for is an authentication of the server to Kerberos and vice versa, but no user authentication for NFS V4 access to NFS user directories (some thousands).

Any idea how this could be accomplished?

Thanks a lot in advance
Rainer

--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos