Bug 1208640

Summary: Add service/HTTP section to default gssproxy.conf
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: gssproxy
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: medium
Version: 7.1
CC: dpal, eguan, ksiddiqu, rharwood
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: gssproxy-0.4.1-5.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-11-19 09:30:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jan Pazdziora (Red Hat) 2015-04-02 18:19:50 UTC
Description of problem:

When setting up GSS-Proxy to be used with Apache HTTP Server

   https://fedorahosted.org/gss-proxy/wiki/Apache

it is necessary to edit /etc/gssproxy/gssproxy.conf and prepend

[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

or a similar block. This section has to be before any section which might have allow_any_uid = yes, namely service/nfs-client. People sometimes get that wrong.

It might be easier for users (admins) if that section was already there.

Its presence when no httpd is configured or running shouldn't do any harm.

Version-Release number of selected component (if applicable):

gssproxy-0.3.0-10.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Attempt to configure GSS-Proxy for use with Apache HTTP Server.
2. Check if you have to configure the service/HTTP section.

Actual results:

You have to do it, it's not in gssproxy.conf by default.

Expected results:

You don't have to do it, it's already there.

Additional info:
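
The ordering constraint described in this report (a [service/HTTP] section placed after a section with allow_any_uid = yes is never matched) can be checked mechanically. The following linter is an added example, not code from the reporter or from the gssproxy project; it assumes gssproxy walks the service sections in file order, that allow_any_uid = yes matches every connecting uid, and that sections without an explicit socket share one default socket. The two sample configurations are constructed from the blocks quoted in this bug.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_gssproxy_conf(text):
    """Return [(section_name, {key: value})] in file order (INI-style, '#'/';' comments)."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {}
            sections.append((m.group("name"), current))
            continue
        if current is None or "=" not in line:
            raise ValueError("key/value outside a section: %r" % raw)
        key, _, value = line.partition("=")
        # Repeated keys (cred_store) keep the last value; only euid,
        # allow_any_uid and socket matter for the ordering check.
        current[key.strip()] = value.strip()
    return sections


def shadowed_services(text):
    """Report service sections that can never match because an earlier
    section on the same socket already accepts any uid (assumed behaviour)."""
    catch_all = {}  # socket -> first section on it with allow_any_uid = yes
    findings = []
    for name, opts in parse_gssproxy_conf(text):
        if not name.startswith("service/"):
            continue  # the global [gssproxy] section
        sock = opts.get("socket", "<default>")  # assumption: shared default socket
        if sock in catch_all:
            findings.append("%s is unreachable: %s has allow_any_uid = yes" % (name, catch_all[sock]))
        elif opts.get("allow_any_uid", "no").lower() in ("yes", "true", "1"):
            catch_all[sock] = name
    return findings


# Constructed samples built from the sections quoted in the bug report.
HTTP = "[service/HTTP]\n  mechs = krb5\n  cred_store = keytab:/etc/gssproxy/http.keytab\n  euid = 48\n"
NFS_CLIENT = "[service/nfs-client]\n  mechs = krb5\n  cred_store = keytab:/etc/krb5.keytab\n  allow_any_uid = yes\n  euid = 0\n"
WRONG_ORDER = "[gssproxy]\n" + NFS_CLIENT + HTTP   # the mistake the report describes
FIXED_ORDER = "[gssproxy]\n" + HTTP + NFS_CLIENT   # the order shipped in the fixed default

if __name__ == "__main__":
    print(shadowed_services(WRONG_ORDER))
    print(shadowed_services(FIXED_ORDER))
```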

Comment 2 Dmitri Pal 2015-04-15 16:48:09 UTC
Upstream ticket:
https://fedorahosted.org/gss-proxy/ticket/143

Comment 3 Robbie Harwood 2015-08-19 18:48:29 UTC
Since this patch is distro-specific, we will carry it downstream.  Upstream, a cross-distro solution will be tracked at https://fedorahosted.org/gss-proxy/ticket/143 and eventually we will discard this.

Comment 5 Kaleem 2015-08-25 06:00:10 UTC
Verified.

[root@dhcp207-24 ~]# rpm -q gssproxy
gssproxy-0.4.1-6.el7.x86_64
[root@dhcp207-24 ~]#

snip from console output:
-------------------------

[root@dhcp207-24 tmp]# yum update gssproxy-0.4.1-6.el7.x86_64.rpm 
Loaded plugins: product-id, search-disabled-repos, subscription-manager
...
....
Updated:
  gssproxy.x86_64 0:0.4.1-6.el7

Complete!
[root@dhcp207-24 ~]# cat /etc/gssproxy/gssproxy.conf 
[gssproxy]

[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
[root@dhcp207-24 ~]#

Comment 7 errata-xmlrpc 2015-11-19 09:30:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2298.html