Open OnDemand and AFS

Thanks Luigi and Jeff. Unfortunately I’m still getting permission denied trying to create the ondemand directory in my home directory (Permission denied @ dir_s_mkdir Errno::EACCES).
I appear to be getting a token. A file is getting created in both /var/run/httpd/clientcaches and /var/run/httpd/krb5ccache.

David,
I think you need at least one more step. You have, I presume, added your user to the apache group, to be able to read the kerberos ticket in the cache.

Luigi

Though I’m not 100% sure on this and what unintended consequences this may cause, I suspect there are/could be unintended consequences. This may not be the most secure route.

If possible - I’m not 100% sure it is - I would suggest doing the inverse - by making a shared unix group for this file/use case specifically, adding everyone to it and setting a FACL on the file (or chmod, though I somewhat doubt you can directly chmod).

Interesting. I assumed the apache user was reading the ticket. Since we add all our users to the same group, I’ll change the ownership and test.

Well it’s just a guess @tdockendorf do you see any issues with adding regular users to the apache group? I suspect there is, but Trey will know better.

Maybe run httpd with a different group?

The following directive is the equivalent of chmod for the cached ticket:

GssapiDelegCcachePerms mode:4660

I set these permissions only for testing purposes but I think that we can set only what is strictly necessary. I hope … !!!

I added my userid to the apache group but still no luck. Stupid question. Does the service principal have to be HTTP? I have a host service principal and define GssapiAcceptorName host@hostname.domain (I actually specify the fqdn).

I have only added my accounts to the apache group for the same security reasons raised by Jeff. I suggest you do the same for now.

I have a HTTP principal?

I have a HTTP principal!

Getting one generated.

It seems that the ‘read’ permission to apache group is sufficient:

GssapiDelegCcachePerms mode:0640

I’m not sure if this presents any security issues.

Replaced host service principal with http service principal. I have it configured as outlined in this thread but still not working. I’m curious about this line since it doesn’t appear to create anything:

GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache

Also, I see this in the error_log:

mod_waklog: creating shared token cache file /tmp/waklog_cache.304519

Looks like I have some debugging to do.

You can delete this directive, it is not required. I included it for an alternative test.

Did you set an ACL for the web server with rl permissions for each home directory? I’m trying to figure out why I’m getting the EACCES error trying to create the ondemand directory in my home directory. Ruby is getting Permission denied @ dir_s_mkdir.

No! But

  1. have you edited ‘/etc/ood/profile’ as suggested by Jeff? Something like:

#!/bin/bash

UNPRIV_USER=$(echo "$SUDO_COMMAND" | sed -r 's#.+-u (.+) -a.+#\1#g')
export KRB5CCNAME="FILE:/var/run/httpd/clientcaches/$UNPRIV_USER@ENEA.IT"

  2. and then in ‘/etc/ood/config/nginx_stage.yml’ you must insert:

pun_custom_env_declarations:
  - KRB5CCNAME

Luigi

I do have the profile file. I do not have the nginx_stage.yml file. I’ll create it right now.

Added to nginx_stage.yml

pun_custom_env_declarations:
  - KRB5CCNAME

/etc/ood/profile looks like:

#!/bin/bash

# SUDO_COMMAND is something like ‘… nginx_stage -u ktrout -a …’

UNPRIV_USER=$(echo "$SUDO_COMMAND" | sed -r 's#.+-u (.+) -a.+#\1#g')
export KRB5CCNAME="FILE:/var/run/httpd/clientcaches/$UNPRIV_USER@CRC.ND.EDU"

Still getting permission denied.

ERRATA CORRIGE:

  1. Added to nginx_stage.yml

pun_custom_env_declarations:
  - KRB5CCNAME

  2. /etc/ood/profile must look like:

#!/bin/bash

UNPRIV_USER=$(echo "$SUDO_COMMAND" | sed -r 's#.+-u (.+) -a.+#\1#g')
export KRB5CCNAME="FILE:/var/run/httpd/clientcaches/$UNPRIV_USER@CRC.ND.EDU"
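A stricter variant of the /etc/ood/profile snippet above, added here as an example and not code from the thread or from Open OnDemand: it parses SUDO_COMMAND the same way, but only exports KRB5CCNAME when the per-user cache file actually exists and is readable by the PUN, so an unreadable cache is reported from the profile instead of surfacing later as an unexplained EACCES. REALM and CCACHE_DIR are placeholders to set for your site.

```shell
#!/bin/bash
# Added example (not from the thread): a checked version of the
# /etc/ood/profile snippet. REALM and CCACHE_DIR are assumptions.

REALM="${REALM:-EXAMPLE.REALM}"                     # placeholder realm
CCACHE_DIR="${CCACHE_DIR:-/var/run/httpd/clientcaches}"

# ood_unpriv_user "<sudo command string>": prints the user that follows "-u",
# or returns 1 when the expected "-u <user> -a" pattern is absent. The class
# [^ ]+ stops at the first space, unlike the greedy "(.+)" in the thread.
ood_unpriv_user() {
    local user
    user=$(printf '%s\n' "$1" | sed -nr 's#.* -u ([^ ]+) -a( .*)?$#\1#p')
    [ -n "$user" ] || return 1
    printf '%s\n' "$user"
}

# ood_ccache_path <user>: the per-user cache path as named in the thread
ood_ccache_path() {
    printf 'FILE:%s/%s@%s\n' "$CCACHE_DIR" "$1" "$REALM"
}

# ood_export_ccache "<sudo command string>": exports KRB5CCNAME only when the
# cache file is present and readable by this process; returns 1 otherwise.
ood_export_ccache() {
    local user path file
    user=$(ood_unpriv_user "$1") || return 1
    path=$(ood_ccache_path "$user")
    file=${path#FILE:}
    [ -r "$file" ] || return 1
    export KRB5CCNAME="$path"
}

# Normal use inside /etc/ood/profile (sudo sets SUDO_COMMAND for the PUN):
if [ -n "${SUDO_COMMAND:-}" ]; then
    ood_export_ccache "$SUDO_COMMAND" \
        || echo "ood profile: no readable ccache for this PUN" >&2
fi
```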