I am running a Raspberry Pi 400 with Ubuntu. With Ubuntu 20.04 LTS I used to have a working Kerberized NFS connection to a Debian-based NFS server. I also run another client on 20.04 LTS that can still connect to the NFS server without any problems. Since I upgraded the Raspberry Pi to 21.10 (then 22.04, and now 22.10), the Kerberized NFS connection no longer works. I first suspected the weak ciphers that were supposed to be removed as of kernel 5.10, but in the meantime I have also disabled them on my Kerberos server and regenerated the keys for the Raspberry Pi. It still does not work. I also set up an Ubuntu Server image (22.04 LTS) to check whether I could connect to that instead, but that does not work either. So I have established that the problem is not my Debian-based NFS server (which is fairly old, Debian stretch 9.13).
The problem is the following:
The mount attempt
sudo mount -t nfs -vvvv -o vers=4.2,sec=krb5i,async,soft vmus01.fritz.box:/srv/nfs4/homes /mnt/vmfs01/srv
returns
mount.nfs: timeout set for Sun Mar 5 12:46:14 2023
mount.nfs: trying text-based options 'vers=4.2,sec=krb5i,soft,addr=192.168.178.48,clientaddr=192.168.178.32'
mount.nfs: mount(2): Invalid argument
mount.nfs: an incorrect mount option was specified
I believe the problem is related to rpc.gssd, but I don't know where to look for the root cause. In the logs I found the following:
Mär 05 12:44:14 pi400 kernel: audit: type=1400 audit(1678016654.181:199): apparmor="ALLOWED" operation="open" class="file" profile="/usr/sbin/sssd" name="/proc/7126/cmdline" pid=958 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mär 05 12:44:14 pi400 sudo[7126]: administrator : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/mount -t nfs -vvvv -o vers=4.2,sec=krb5i,async,soft vmus01.fritz.box:/srv/nfs4/homes /mnt/vmfs01/srv
Mär 05 12:44:14 pi400 sudo[7126]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Mär 05 12:44:14 pi400 kernel: NFS: parsing nfs mount option 'source'
Mär 05 12:44:14 pi400 kernel: NFS: parsing nfs mount option 'vers'
Mär 05 12:44:14 pi400 kernel: NFS: parsing nfs mount option 'sec'
Mär 05 12:44:14 pi400 kernel: NFS: parsing sec=krb5i option
Mär 05 12:44:14 pi400 kernel: NFS: parsing nfs mount option 'soft'
Mär 05 12:44:14 pi400 kernel: NFS: parsing nfs mount option 'addr'
Mär 05 12:44:14 pi400 kernel: NFS: parsing nfs mount option 'clientaddr'
Mär 05 12:44:14 pi400 kernel: NFS: MNTPATH: '/srv/nfs4/homes'
Mär 05 12:44:14 pi400 kernel: --> nfs4_try_get_tree()
Mär 05 12:44:14 pi400 kernel: RPC: set up xprt to 192.168.178.48 (port 2049) via tcp
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for topdir (nfs) - ev->wd (8) ev->name (clnt5c) ev->mask (0x40000100)
Mär 05 12:44:14 pi400 kernel: RPC: Couldn't create auth handle (flavor 390004)
Mär 05 12:44:14 pi400 kernel: RPC: destroy backchannel transport
Mär 05 12:44:14 pi400 kernel: RPC: backchannel list empty= true
Mär 05 12:44:14 pi400 kernel: RPC: xs_destroy xprt 00000000c38fab83
Mär 05 12:44:14 pi400 kernel: RPC: xs_close xprt 00000000c38fab83
Mär 05 12:44:14 pi400 kernel: nfs_create_rpc_client: cannot create RPC client. Error = -22
Mär 05 12:44:14 pi400 kernel: RPC: set up xprt to 192.168.178.48 (port 2049) via tcp
Mär 05 12:44:14 pi400 kernel: RPC: xs_connect scheduled xprt 0000000038cff69a
Mär 05 12:44:14 pi400 kernel: RPC: xs_bind 0.0.0.0:902: ok (0)
Mär 05 12:44:14 pi400 kernel: RPC: worker connecting xprt 0000000038cff69a via tcp to 192.168.178.48 (port 2049)
Mär 05 12:44:14 pi400 kernel: RPC: 0000000038cff69a connect status 115 connected 0 sock state 2
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_state_change client 0000000038cff69a...
Mär 05 12:44:14 pi400 kernel: RPC: state 1 conn 0 dead 0 zapped 1 sk_shutdown 0
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_send_request(40) = 0
Mär 05 12:44:14 pi400 kernel: RPC: xs_data_ready...
Mär 05 12:44:14 pi400 kernel: RPC: setup backchannel transport
Mär 05 12:44:14 pi400 kernel: RPC: adding req= 00000000499993bf
Mär 05 12:44:14 pi400 kernel: RPC: setup backchannel transport done
Mär 05 12:44:14 pi400 kernel: svc: initialising pool 0 for NFSv4 callback
Mär 05 12:44:14 pi400 kernel: nfs_callback_create_svc: service created
Mär 05 12:44:14 pi400 kernel: NFS: create per-net callback data; net=f0000000
Mär 05 12:44:14 pi400 kernel: nfs_callback_up: service started
Mär 05 12:44:14 pi400 kernel: NFS: nfs4_discover_server_trunking: testing 'vmus01.fritz.box'
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_send_request(244) = 0
Mär 05 12:44:14 pi400 kernel: RPC: xs_data_ready...
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_send_request(244) = 0
Mär 05 12:44:14 pi400 kernel: RPC: xs_data_ready...
Mär 05 12:44:14 pi400 kernel: --> nfs4_proc_create_session clp=00000000651ffdf2 session=00000000ca6dcaff
Mär 05 12:44:14 pi400 kernel: nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64
Mär 05 12:44:14 pi400 kernel: nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_send_request(196) = 0
Mär 05 12:44:14 pi400 kernel: RPC: xs_data_ready...
Mär 05 12:44:14 pi400 kernel: --> nfs4_setup_session_slot_tables
Mär 05 12:44:14 pi400 kernel: --> nfs4_realloc_slot_table: max_reqs=30, tbl->max_slots 0
Mär 05 12:44:14 pi400 kernel: nfs4_realloc_slot_table: tbl=00000000ee80cb51 slots=000000007ba616d7 max_slots=30
Mär 05 12:44:14 pi400 kernel: <-- nfs4_realloc_slot_table: return 0
Mär 05 12:44:14 pi400 kernel: --> nfs4_realloc_slot_table: max_reqs=16, tbl->max_slots 0
Mär 05 12:44:14 pi400 kernel: nfs4_realloc_slot_table: tbl=00000000864b6a6c slots=000000005f4f194c max_slots=16
Mär 05 12:44:14 pi400 kernel: <-- nfs4_realloc_slot_table: return 0
Mär 05 12:44:14 pi400 kernel: slot table setup returned 0
Mär 05 12:44:14 pi400 kernel: nfs4_proc_create_session client>seqid 2 sessionid 1678011050:3914836531:203:0
Mär 05 12:44:14 pi400 kernel: nfs4_schedule_state_renewal: requeueing work. Lease period = 5
Mär 05 12:44:14 pi400 kernel: NFS: nfs4_discover_server_trunking: status = 0
Mär 05 12:44:14 pi400 kernel: --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30
Mär 05 12:44:14 pi400 kernel: <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0
Mär 05 12:44:14 pi400 kernel: encode_sequence: sessionid=1678011050:3914836531:203:0 seqid=1 slotid=0 max_slotid=0 cache_this=0
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_send_request(124) = 0
Mär 05 12:44:14 pi400 rpc.gssd[7119]: creating client nfs/clnt5c
Mär 05 12:44:14 pi400 rpc.gssd[7119]: scanning client nfs/clnt5c
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5c) - ev->wd (11) ev->name (info) ev->mask (0x00000200)
Mär 05 12:44:14 pi400 kernel: RPC: Couldn't create auth handle (flavor 390004)
Mär 05 12:44:14 pi400 kernel: nfs_init_server_rpcclient: couldn't create rpc_client!
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5c) - ev->wd (11) ev->name (<?>) ev->mask (0x00008000)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: destroying client nfs/clnt5c
Mär 05 12:44:14 pi400 rpc.gssd[7119]: freeing client nfs/clnt5c
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for topdir (nfs) - ev->wd (8) ev->name (clnt5d) ev->mask (0x40000100)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: creating client nfs/clnt5d
Mär 05 12:44:14 pi400 rpc.gssd[7119]: scanning client nfs/clnt5d
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5d) - ev->wd (12) ev->name (info) ev->mask (0x00000100)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: scanning client nfs/clnt5d
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5d) - ev->wd (12) ev->name (idmap) ev->mask (0x00000100)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for topdir (nfs) - ev->wd (8) ev->name (clnt5e) ev->mask (0x40000100)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: creating client nfs/clnt5e
Mär 05 12:44:14 pi400 rpc.gssd[7119]: scanning client nfs/clnt5e
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5e) - ev->wd (13) ev->name (info) ev->mask (0x00000200)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5e) - ev->wd (13) ev->name (<?>) ev->mask (0x00008000)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: destroying client nfs/clnt5e
Mär 05 12:44:14 pi400 rpc.gssd[7119]: freeing client nfs/clnt5e
Mär 05 12:44:14 pi400 kernel: NFS4: Couldn't follow remote path
Mär 05 12:44:14 pi400 kernel: <-- nfs4_try_get_tree() = -22 [error]
Mär 05 12:44:14 pi400 sudo[7126]: pam_unix(sudo:session): session closed for user root
Mär 05 12:44:14 pi400 kernel: RPC: xs_data_ready...
Mär 05 12:44:14 pi400 kernel: --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30
Mär 05 12:44:14 pi400 kernel: <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1
Mär 05 12:44:14 pi400 kernel: nfs4_free_slot: slotid 1 highest_used_slotid 0
Mär 05 12:44:14 pi400 kernel: nfs41_sequence_process: Error 0 free the slot
Mär 05 12:44:14 pi400 kernel: nfs4_free_slot: slotid 0 highest_used_slotid 4294967295
Mär 05 12:44:14 pi400 kernel: <-- nfs41_proc_reclaim_complete status=0
Mär 05 12:44:14 pi400 kernel: --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=16
Mär 05 12:44:14 pi400 kernel: <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0
Mär 05 12:44:14 pi400 kernel: nfs4_free_slot: slotid 0 highest_used_slotid 4294967295
Mär 05 12:44:14 pi400 kernel: --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30
Mär 05 12:44:14 pi400 kernel: <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0
Mär 05 12:44:14 pi400 kernel: nfs4_free_slot: slotid 0 highest_used_slotid 4294967295
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_send_request(100) = 0
Mär 05 12:44:14 pi400 kernel: RPC: xs_data_ready...
Mär 05 12:44:14 pi400 kernel: nfs4_destroy_session Destroy backchannel for xprt 0000000038cff69a
Mär 05 12:44:14 pi400 kernel: RPC: destroy backchannel transport
Mär 05 12:44:14 pi400 kernel: RPC: req=00000000499993bf
Mär 05 12:44:14 pi400 kernel: RPC: free allocations for req= 00000000499993bf
Mär 05 12:44:14 pi400 kernel: RPC: backchannel list empty= true
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_send_request(92) = 0
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5d) - ev->wd (12) ev->name (idmap) ev->mask (0x00000200)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5d) - ev->wd (12) ev->name (info) ev->mask (0x00000200)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: inotify event for clntdir (nfs/clnt5d) - ev->wd (12) ev->name (<?>) ev->mask (0x00008000)
Mär 05 12:44:14 pi400 rpc.gssd[7119]: destroying client nfs/clnt5d
Mär 05 12:44:14 pi400 kernel: RPC: xs_data_ready...
Mär 05 12:44:14 pi400 kernel: NFS: destroy per-net callback data; net=f0000000
Mär 05 12:44:14 pi400 kernel: svc: svc_destroy(NFSv4 callback)
Mär 05 12:44:14 pi400 kernel: nfs_callback_down: service destroyed
Mär 05 12:44:14 pi400 kernel: RPC: destroy backchannel transport
Mär 05 12:44:14 pi400 kernel: RPC: backchannel list empty= true
Mär 05 12:44:14 pi400 kernel: RPC: xs_destroy xprt 0000000038cff69a
Mär 05 12:44:14 pi400 kernel: RPC: xs_close xprt 0000000038cff69a
Mär 05 12:44:14 pi400 kernel: RPC: xs_tcp_state_change client 0000000038cff69a...
Mär 05 12:44:14 pi400 kernel: RPC: state 4 conn 1 dead 0 zapped 1 sk_shutdown 3
Mär 05 12:44:14 pi400 rpc.gssd[7119]: freeing client nfs/clnt5d
Mär 05 12:44:36 pi400 rpc.gssd[7119]: watchdog: sleeping 30 secs
I have tried changing settings in nfs.conf, without success. It currently looks like this:
#
# This is a general configuration for the
# NFS daemons and tools
#
[general]
pipefs-directory=/run/rpc_pipefs
#
[exports]
# rootdir=/export
#
[exportfs]
# debug=0
#
[gssd]
verbosity=9
rpc-verbosity=9
# use-memcache=0
use-machine-creds=1
#use-gss-proxy=1
#avoid-dns=1
# limit-to-legacy-enctypes=1
context-timeout=10
rpc-timeout=10
keytab-file=/etc/krb5.keytab
cred-cache-directory=/tmp
preferred-realm= FRITZ.BOX
# set-home=1
upcall-timeout=30
cancel-timed-out-upcalls=0
#
[lockd]
# port=0
# udp-port=0
#
[exportd]
# debug="all|auth|call|general|parse"
# manage-gids=n
# state-directory-path=/var/lib/nfs
# threads=1
# cache-use-ipaddr=n
# ttl=1800
[mountd]
debug="all|auth|call|general|parse"
manage-gids=y
# descriptors=0
# port=0
# threads=1
reverse-lookup=y
# state-directory-path=/var/lib/nfs
# ha-callout=
# cache-use-ipaddr=n
# ttl=1800
#
[nfsdcld]
debug=9
# storagedir=/var/lib/nfs/nfsdcld
#
[nfsdcltrack]
debug=9
# storagedir=/var/lib/nfs/nfsdcltrack
#
[nfsd]
debug=9
# threads=8
# host=
# port=0
# grace-time=90
# lease-time=90
udp=n
tcp=y
vers3=n
vers4=n
vers4.0=n
vers4.1=n
vers4.2=n
# rdma=n
# rdma-port=20049
[statd]
debug=9
# port=0
# outgoing-port=0
# name=
# state-directory-path=/var/lib/nfs/statd
# ha-callout=
# no-notify=0
#
[sm-notify]
debug=9
# force=0
# retry-time=900
# outgoing-port=
# outgoing-addr=
# lift-grace=y
#
[svcgssd]
# principal=
/etc/krb5.keytab contains the following:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nfs/[email protected] (aes256-cts-hmac-sha1-96)
2 host/[email protected] (aes256-cts-hmac-sha1-96)
Any help would be greatly appreciated. Many thanks in advance.
Best regards, Martin
Answer 1
I found the cause. I checked the kernel modules and noticed that one was missing on the Raspberry Pi. This is what it looks like on a working Ubuntu client (Intel i3, Ubuntu 20.04):
lsmod | grep gss
returns
rpcsec_gss_krb5 40960 11
auth_rpcgss 94208 4 rpcsec_gss_krb5
sunrpc 397312 31 nfsv4,auth_rpcgss,lockd,nfsv3,rpcsec_gss_krb5,nfs_acl,nfs
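The same comparison can be scripted. The following is only a sketch of my own (the `linux-modules-extra` hint assumes a stock Ubuntu kernel); it reports whether a module is loaded, merely available on disk, or missing from the running kernel's module tree:

```shell
# Report whether a kernel module is loaded, available on disk, or missing
# from the module tree of the running kernel. Read-only; needs no root.
check_mod() {
  mod="$1"
  if grep -q "^${mod} " /proc/modules 2>/dev/null; then
    echo "loaded"
  elif find "/lib/modules/$(uname -r)" -name "${mod}.ko*" 2>/dev/null | grep -q .; then
    echo "available (load with: sudo modprobe ${mod})"
  else
    echo "missing (on Ubuntu, try: sudo apt install linux-modules-extra-$(uname -r))"
  fi
}

check_mod rpcsec_gss_krb5
```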
And rpcsec_gss_krb5 is missing on the Raspberry Pi. I am currently running kernel version 5.19.0-1011-raspi, and rpcsec_gss_krb5.ko is missing there! Looking at packages.ubuntu.com, the last version that still shipped the rpcsec module in the standard kernel package appears to be 5.19.0-1004-raspi. At some point the kernel modules were moved into an extra package that apparently has to be installed manually. I installed linux-modules-extra-5.19.0-1011-raspi, and now rpcsec_gss_krb5.ko is available; I loaded it via modprobe. The nfs* kernel modules were absent as well, but it turned out they get loaded later, when the mount command is executed. Attempting to mount the NFS server share does not fail with
mount.nfs: mount(2): Invalid argument
anymore. Now I get
mount.nfs: mount(2): Permission denied
The content of /etc/krb5.keytab apparently was no longer valid. I deleted it and regenerated it with the following commands:
sudo kinit some-kerberos-admin/admin
sudo kadmin -p some-kerberos-admin/admin
ktadd nfs/pi400.fritz.box
Now it works. To load the kernel module automatically at boot, I added rpcsec_gss_krb5 to /etc/modules, and that works fine. Finally, I added the mount to /etc/fstab, and that was it.
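For reference, the resulting /etc/fstab entry might look roughly like this. It is a sketch based on the mount command from the question; `_netdev` is my own addition to make sure the mount waits for the network:

```
# Kerberized NFSv4.2 mount (hypothetical entry mirroring the mount command
# from the question)
vmus01.fritz.box:/srv/nfs4/homes  /mnt/vmfs01/srv  nfs  vers=4.2,sec=krb5i,soft,_netdev  0  0
```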
A few more words on how I debugged this. Add or uncomment the following entries in the [gssd] section of /etc/nfs.conf:
[gssd]
verbosity=9
rpc-verbosity=9
(By the way, afterwards I commented out almost all entries in nfs.conf again, since the file is shipped by the package maintainers.) With this in place, rpc.gssd writes a lot of output to the system log. In addition, the following commands helped me, because they enable the kernel's debug output (the flags can be cleared again with -c instead of -s):
rpcdebug -m rpc -s all # sets all debug flags for RPC
rpcdebug -m nfs -s all # sets all debug flags for NFS
To watch the log output, I opened a second console window and followed the system journal with
journalctl -f
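Because rpcdebug makes the journal extremely noisy, a small filter can help keep only the relevant lines. This is a sketch of my own; the grep pattern is just a guess at what matters:

```shell
# Pass through only rpc.gssd messages and kernel RPC/NFS lines.
nfs_debug_filter() {
  grep -Ei 'rpc\.gssd|kernel: .*(rpc|nfs)'
}

# Typical use with the systemd journal:
#   journalctl -f | nfs_debug_filter
```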
See also this page from the Arch Linux wiki, which was really helpful: NFS/Troubleshooting
I filed a bug report on Launchpad: Kerberized NFS mount does not work on Raspberry Pi
Maybe this information is useful for someone else as well...
Regards, Martin