Bug 785925 - RFE: k5start init script
Summary: RFE: k5start init script
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: kstart
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ken Dreyer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-30 22:02 UTC by Orion Poplawski
Modified: 2020-01-23 22:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---


Attachments:
k5start init script (2.58 KB, application/octet-stream), 2012-01-30 22:02 UTC, Orion Poplawski
k5start init script (2.61 KB, application/octet-stream), 2012-01-30 22:52 UTC, Orion Poplawski
systemd scripts to fire off k5start, built against EPEL7/centos7 (267.55 KB, application/octet-stream), 2014-07-31 19:42 UTC, Bryce Nordgren

Description Orion Poplawski 2012-01-30 22:02:17 UTC
Created attachment 558474 [details]
k5start init script

Description of problem:

I'm using the attached k5start init script to initialize a ticket to allow apache to access kerberized NFSv4 mounts.  Might be a nice addition to the package.

I have the following /etc/sysconfig/k5start:

K5START_KEYTAB[0]="/etc/httpd/conf/keytab"
K5START_TIMEOUT[0]=60
K5START_USER[0]=apache
K5START_PRINCIPAL[0]=apache


Version-Release number of selected component (if applicable):
kstart-3.16-1.el6.i686

Comment 1 Ken Dreyer 2012-01-30 22:22:05 UTC
Interesting idea...

1. Looks like this uses a predictable filename in /tmp? Should it use /var/cache/k5start/krb5cc instead, or else mktemp?

2. Want to write a systemd unit file? ;)

Personally I use k5start to also auto-renew AFS tokens within a PAG, and then I run httpd as a child process. So I don't invoke k5start as an entirely separate daemon like this. But I have no objections, and if you write up a systemd file I'll put it into Fedora (and eventually EPEL).

Comment 2 Orion Poplawski 2012-01-30 22:52:37 UTC
Created attachment 558481 [details]
k5start init script

(In reply to comment #1)
> 1. Looks like this uses a predictable filename in /tmp ? Should it use
> /var/cache/k5start/krb5cc instead, or else mktemp ?

Well, I need rpc.gssd to pick it up.  I guess on F16 I have:

 /tmp/krb5cc_1744_brWVEq

so I modified it to use mktemp and it seems to work.
 
> 2. Want to write a systemd unit file? ;)

I could take a crack at it :).  I'm using this now on EL6, which is why I initially filed against EPEL.  EPEL won't get systemd until EL7 (at least).

> Personally I use k5start to also auto-renew AFS tokens within a PAG, and then I
> run httpd as a child process. So I don't invoke k5start as an entirely separate
> daemon like this. But I have no objections, and if you write up a systemd file
> I'll put it into Fedora (and eventually EPEL).

What's a PAG?

Comment 3 Orion Poplawski 2012-02-17 23:08:59 UTC
Dan -

   I need your help with the SELinux issues around this.  At the moment k5start will create the /tmp/krb5cc_* file with system_u:object_r:initrc_tmp_t:s0 context which gssd cannot read.  I guess we would need k5start to call setfilecon() to set it to gssd_tmp_t or something similar that gssd could read?
   Also, there doesn't seem to be any default context for /tmp/krb5cc_* files.  Should there be?  Thanks for any help on this.

Comment 4 Orion Poplawski 2012-02-17 23:10:11 UTC
Steve -

  I would appreciate any comments you have regarding the viability of this scheme for allowing apache to access files on kerberized nfsv4 mounts.

Comment 5 Daniel Walsh 2012-02-20 19:10:54 UTC
I think we are moving gssd to look in /run/user/USERNAME for some of this stuff, rather than in /tmp.  Not sure /run/user/apache would work.

gssd expects the content to be labeled user_tmp_t now.  So one short-term solution would be to use runcon:

runcon -t unconfined_t kstart

Comment 6 Orion Poplawski 2012-02-21 16:49:40 UTC
Thanks, the runcon command seemed to do the trick for now.

Comment 7 Daniel Walsh 2012-02-24 19:34:58 UTC
This should be fixed by https://fedoraproject.org/wiki/Features/KRB5CacheMove

Comment 8 Orion Poplawski 2012-02-24 20:44:58 UTC
Everyone please keep in mind that I originally filed this bug against EPEL6 and will want a solution that works there.  For the moment this means:

   daemon runcon -t unconfined_t $prog -f ${K5START_KEYTAB[$i]} -K ${K5START_TIMEOUT[$i]:-60} -b -k ${tmpfile} -o ${K5START_USER[$i]} -p /var/run/k5start-${K5START_USER[$i]}.pid ${K5START_PRINCIPAL[$i]}

in the init script.  Better solutions welcome.
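
An added example (not the attached init script) showing how the daemon line in comment 8 can be built from the K5START_*[i] arrays in the /etc/sysconfig/k5start format given in the description; the second instance and the cache-naming helper are constructed here to show the ${...:-60} default and the /tmp/krb5cc_<uid>_XXXXXX naming from comment 2:

```bash
#!/bin/bash
# Added example, not the attached init script. Builds, without running
# k5start, the per-instance command the EL6 init script hands to daemon
# (comment 8): runcon so the cache gets a label gssd can read, mktemp-style
# cache name under /tmp so rpc.gssd finds it, -o so the cache is owned by
# the service user.

# Constructed stand-in for /etc/sysconfig/k5start (normally sourced).
K5START_KEYTAB[0]="/etc/httpd/conf/keytab"
K5START_TIMEOUT[0]=60
K5START_USER[0]=apache
K5START_PRINCIPAL[0]=apache
# Second, constructed instance with no timeout set (default kicks in).
K5START_KEYTAB[1]="/etc/squid/keytab"
K5START_USER[1]=squid
K5START_PRINCIPAL[1]=HTTP/proxy.example.com

# rpc.gssd looks for /tmp/krb5cc_<uid>_*, so keep that prefix and let
# mktemp supply the random suffix (comment 2). $1 = local user name.
ccache_for() {
    local uid
    uid=$(id -u "$1") || return 1
    mktemp "/tmp/krb5cc_${uid}_XXXXXX"
}

# Print the k5start command for array index $1 using cache path $2.
# -f keytab, -K minutes between checks, -b background, -k cache file,
# -o cache owner, -p pidfile, then the principal to obtain a ticket for.
build_k5start_cmd() {
    local i=$1 ccache=$2 user=${K5START_USER[$1]}
    if [ -z "${K5START_KEYTAB[$i]}" ]; then
        echo "k5start: no keytab configured for instance $i" >&2
        return 1
    fi
    local cmd=(runcon -t unconfined_t k5start
        -f "${K5START_KEYTAB[$i]}" -K "${K5START_TIMEOUT[$i]:-60}"
        -b -k "$ccache" -o "$user" -p "/var/run/k5start-$user.pid"
        "${K5START_PRINCIPAL[$i]}")
    echo "${cmd[*]}"
}

# Dry run of what start() would do; a real start() would use
# "$(ccache_for "${K5START_USER[$i]}")" for the cache path.
for i in "${!K5START_KEYTAB[@]}"; do
    build_k5start_cmd "$i" "/tmp/krb5cc_<uid>_XXXXXX"
done
```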

Comment 9 Ken Dreyer 2012-02-24 21:57:08 UTC
Please correct me if I'm wrong, but wouldn't that require a change to the SELinux policy that ships in RHEL?

Comment 10 Daniel Walsh 2012-02-26 23:36:15 UTC
I believe the runcon line will work in RHEL6 unless the unconfined modules are removed or if you use MLS policy.

Comment 11 Dmitri Pal 2012-09-25 14:19:40 UTC
Just for the record, the functionality equivalent to k5start will be provided by the GSS Proxy project. Over the course of releases it will grow different capabilities. It will start with the automatic renewal of the tickets on the server side for services like NFS or QPID. In future it will also be able to renew on demand tickets for long-lived non-user and non-host accounts.
The first version of GSS Proxy is a part of F18.

Comment 12 Peter Robinson 2012-10-01 16:55:25 UTC
(In reply to comment #11)
> Just for the record the functionality equivalent to the k5start will be
> proved by GSS Proxy project. Over the course of releases it will grow

Will this be available on EL6 and EL5? Or just F18?

Comment 13 Bryce Nordgren 2014-07-31 19:42:04 UTC
Created attachment 923029 [details]
systemd scripts to fire off k5start, built against EPEL7/centos7

The original SRPM was 4.1-5.fc21, but I believe this is unchanged from the 4.1-3.el7 included in EPEL7/F19. All I added was a systemd script and an environment file. Nigh unto everything is configurable. Default is to use /etc/krb5.keytab to maintain the credential cache /var/run/host.tgt, owned by root.root, ticket lifetime 10h, check cache every 30 minutes. Fiddle with the defaults however you want.

I understand the original request was against EPEL6. My interest relates to EPEL7, is somewhat local, and is filled by the above package. Feel free to include the attached package in Fedora (19+? rawhide?) and/or EPEL 7.

Comment 14 Ken Dreyer 2020-01-23 22:16:54 UTC
Now that almost all distributions use systemd, I think we should contribute this to kstart upstream instead of maintaining it downstream in Fedora. https://www.eyrie.org/~eagle/software/kstart/
