Permission denied on an NFSv4 shared directory when authenticating with SSO (OpenLDAP + Kerberos)

I am trying to set up single sign-on (SSO) with Kerberos and LDAP, but I am running into problems with an NFSv4 service that uses Kerberos for authentication and encryption (krb5p).

My environment:

  • 1 server with LDAP and Kerberos (named server) (IP: 192.168.1.1)
  • 1 server (named host2) providing services such as SSH and NFSv4 (IP: 192.168.1.100)
  • 1 client (named host1) (IP: 192.168.1.2)

All three machines run Ubuntu 18.04.

My /etc/hosts is identical on the three machines, as shown below.

SSO works well with the SSH service via GSSAPI, and I get a good Kerberos ticket on my client. Now I am trying to set up the NFSv4 service. First I configured the shared files (nfs-kernel-server and nfs-common).

When I log in on the client machine as an LDAP user (using sssd) and mount the shared directory, everything seems to work.

sudo mount -vvv -t nfs4 -o proto=tcp,port=2049,sec=krb5p host2.stagenfs.fr:/ /mnt

Note that I had to add rights for the LDAP user in /etc/sudoers in order to mount the NFS directory with the LDAP user account:

/etc/sudoers

<LDAP user> ALL=(ALL:ALL) NOPASSWD: /bin/mount,/bin/umount,/sbin/mount.nfs,/sbin/mount.nfs4

But Kerberos gives me a ticket that belongs to root (with 600 permissions). So when I log in with the LDAP client account, I cannot enter the /mnt directory. I found that only the root user can access /mnt. On the client (the mount point directory) and on the server, the permissions of the NFS shared directory are 777.

The LDAP user's ticket is in the directory specified in the sssd.conf file, but the ticket for the NFS service is in the /tmp/ directory.

I tried chown <LDAP user>:<LDAP user group> /tmp/krb5ccmachine_STAGENFS, and then my LDAP user was able to access /mnt.

I think this may come from the idmapd service, but I do not understand how to set up /etc/idmapd.conf to make things work. I tried some configurations found online, without success.

Here are my conf files:

/etc/hosts (identical on all machines)

127.0.0.1   localhost

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

192.168.1.1     server.stagenfs.fr      server
192.168.1.1     stagenfs.fr

192.168.1.2     host1.stagenfs.fr       host1

192.168.1.100   host2.stagenfs.fr       host2

/etc/nsswitch.conf (identical on all machines)

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd sss
group:          compat systemd sss
shadow:         compat sss
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

/etc/idmapd.conf (identical on the client and the NFS server)

[General]

Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = stagenfs.fr
Local-Realms = STAGENFS.FR

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
#Method = nsswitch
Method = static
GSS-Methods = static
#Method = umich_ldap,nsswitch
#GSS-Methods = umich_ldap
#Method = sss

[Static]
#nfs/[email protected] = alice
#nfs/[email protected] = alice
#nfs/[email protected] = alice
[email protected] = alice

#[UMICH_SCHEMA]

#LDAP_server = server.stagenfs.fr
#LDAP_base = ou=tl
#LDAP_use_ssl = true
#LDAP_ca_cert = /etc/ssl/certs/cacert.pem
#NFSV4_person_objectclass = posixaccount
#NFSV4_name_attr = uid

/etc/default/nfs-common (client machine)

STATDOPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD="yes"

NEED_IDMAPD="yes"

/etc/default/nfs-kernel-server (NFS server machine)

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

RPCMOUNTDOPTS="--manage-gids"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=""

/etc/sssd/sssd.conf (identical on the client and the NFS server)

[sssd]
debug_level = 0xFFF0
config_file_version = 2
services = nss,pam
domains = STAGENFS.FR

[nss]
debug_level = 0xFFF0
filter_users = root
filter_groups = root

[pam]
debug_level = 10
offline_credentials_expiration = 1

[domain/STAGENFS.FR]
debug_level = 0xFFF0
ldap_schema = rfc2307
ldap_search_base = ou=tl

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab

ldap_access_order = filter
ldap_access_filter = &(objectClass=posixAccount) (uidNumber=*)

ldap_uri = ldaps://server.stagenfs.fr
ldap_referrals = False
ldap_id_use_start_tls = False
cache_credentials = False
account_cache_expiration = 1
enumerate = True
ldap_default_bind_dn = cn=proxyuser,ou=private,ou=tl
ldap_default_authtok_type = password
ldap_default_authtok = ProxyUser123#
ldap_tls_cacert = /etc/ssl/certs/cacert.pem

krb5_realm = STAGENFS.FR
krb5_canonicalize = False
krb5_server = server.stagenfs.fr
krb5_kpasswd = server.stagenfs.fr
krb5_ccachedir = /home/tl/%u

/var/log/syslog (minimal configuration) (on the NFS server)

Aug  2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=user
Aug  2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Aug  2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Aug  2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: final return value is 0
Aug  2 10:05:57 host2 rpc.idmapd[470]: Server : (user) id "0" -> name "[email protected]"
Aug  2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=group
Aug  2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Aug  2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Aug  2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: final return value is 0
Aug  2 10:05:57 host2 rpc.idmapd[470]: Server : (group) id "0" -> name "[email protected]"

Output of the commands on the client (host1). Alice is an LDAP user authenticated with Kerberos.

alice@host1:~$ sudo mount -vvv -t nfs4 -o proto=tcp,port=2049,sec=krb5p host2:/users /mnt
mount.nfs4: timeout set for Thu Aug  2 10:07:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.100,clientaddr=192.168.1.2'

alice@host1:~$ ldapwhoami 
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn:uid=alice,ou=people,ou=tl

alice@host1:~$ klist 
Ticket cache: FILE:/home/tl/alice/krb5_25002
Default principal: [email protected]

Valid starting       Expires              Service principal
02/08/2018 10:57:40  02/08/2018 20:57:40  krbtgt/[email protected]
    renew until 03/08/2018 10:57:40
02/08/2018 10:57:56  02/08/2018 20:57:40  ldap/[email protected]
    renew until 03/08/2018 10:57:40

alice@host1:~$ klist -c /tmp/krb5ccmachine_STAGENFS.FR 
klist: Credentials cache permissions incorrect (filename: /tmp/krb5ccmachine_STAGENFS.FR)
alice@host1:~$ 

root@host1:~# klist -c /tmp/krb5ccmachine_STAGENFS.FR 
Ticket cache: FILE:/tmp/krb5ccmachine_STAGENFS.FR
Default principal: host/[email protected]

Valid starting       Expires              Service principal
02/08/2018 10:01:07  02/08/2018 20:01:07  krbtgt/[email protected]
    renew until 03/08/2018 10:01:07
02/08/2018 10:01:07  02/08/2018 20:01:07  nfs/[email protected]
    renew until 03/08/2018 10:01:07

root@host1:~# klist -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/[email protected]
   2 ldap/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 nfs/[email protected]
   2 nfs/[email protected]

As you can see, I tried several methods in idmapd.conf without success. I found some sites, such as this link, but it did not help. I think I am missing something in the idmapd configuration or elsewhere. If you have any ideas or questions, do not hesitate.
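The post above juggles two different translations without naming them: the NFSv4 name mapping that rpc.idmapd does under [General] Domain (uid 0 <-> "root@stagenfs.fr", as the syslog lines show) and the Kerberos-principal-to-uid mapping that rpc.svcgssd does on the server under Local-Realms, with [Translation] Method selecting the plugin for the first and GSS-Methods for the second. The following model, an added example that is not part of the original post and not libnfsidmap code, runs both translations against a constructed idmapd.conf modelled on the posted one, once with `nsswitch` and once with `static`. The passwd table, the uid 25002 for alice, and the `alice@STAGENFS.FR = alice` [Static] entry are assumptions (the posted entry is obscured); the plugin semantics are a simplified model of libnfsidmap's nsswitch and static mappers, in particular that with `Method = static` the [Static] key consulted for a wire name is the NFSv4 name (`alice@stagenfs.fr`), not the Kerberos principal, so a single principal-form entry covers GSS-Methods but leaves ordinary name lookups mapping to Nobody-User.

```python
"""Model of the ID mapping behind a sec=krb5p NFSv4 mount (added example,
not part of the post and not libnfsidmap code).

rpc.idmapd turns NFSv4 wire names ("alice@stagenfs.fr") into local uids and
back under [General] Domain; rpc.svcgssd turns the client's Kerberos
principal ("alice@STAGENFS.FR") into a uid/gid, accepting only realms listed
in Local-Realms.  [Translation] Method picks the plugin for the first job,
GSS-Methods for the second: "nsswitch" resolves through the passwd database,
"static" only through the [Static] table.  Whatever fails to map becomes
Nobody-User.  Passwd table and config text are constructed; the plugin
semantics are a simplified model (assumption).
"""
import configparser

# Constructed stand-in for getpwnam()/getpwuid(): name -> (uid, gid).
PASSWD = {"root": (0, 0), "alice": (25002, 25002), "nobody": (65534, 65534)}

# Constructed idmapd.conf modelled on the one in the post.  The [Static]
# entry is an assumption about what the obscured line contained.
IDMAPD_CONF = """
[General]
Domain = stagenfs.fr
Local-Realms = STAGENFS.FR

[Mapping]
Nobody-User = nobody

[Translation]
Method = {method}
GSS-Methods = {gss_method}

[Static]
alice@STAGENFS.FR = alice
"""


class IdMapper:
    def __init__(self, conf_text, passwd=PASSWD):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep principal keys case-sensitive
        cp.read_string(conf_text)
        self.passwd = passwd
        self.domain = cp.get("General", "Domain")
        realms = cp.get("General", "Local-Realms", fallback="")
        self.realms = {r.strip() for r in realms.split(",") if r.strip()}
        self.method = cp.get("Translation", "Method", fallback="nsswitch")
        self.gss_method = cp.get("Translation", "GSS-Methods", fallback=self.method)
        self.static = dict(cp.items("Static")) if cp.has_section("Static") else {}
        self.nobody = cp.get("Mapping", "Nobody-User", fallback="nobody")

    def _local_ids(self, localname):
        """Resolve a local account name; unknown names become Nobody-User."""
        return self.passwd.get(localname, self.passwd[self.nobody])

    def name_to_uid(self, wire_name):
        """NFSv4 owner string -> uid (needed for every owner attribute)."""
        if self.method == "static":
            return self._local_ids(self.static.get(wire_name, self.nobody))[0]
        user, sep, dom = wire_name.rpartition("@")
        if not sep or dom.lower() != self.domain.lower():
            return self._local_ids(self.nobody)[0]  # wrong or missing domain
        return self._local_ids(user)[0]

    def uid_to_name(self, uid):
        """uid -> NFSv4 owner string put on the wire."""
        if self.method == "static":
            for key, local in self.static.items():
                if self.passwd.get(local, (None,))[0] == uid:
                    return key
            return self.nobody
        for local, (u, _) in self.passwd.items():
            if u == uid:
                return f"{local}@{self.domain}"
        return self.nobody

    def principal_to_ids(self, principal):
        """Kerberos principal of an RPCSEC_GSS context -> (uid, gid) on the server."""
        if self.gss_method == "static":
            return self._local_ids(self.static.get(principal, self.nobody))
        name, sep, realm = principal.rpartition("@")
        if not sep or realm not in self.realms:
            return self._local_ids(self.nobody)  # foreign realm -> nobody
        if name.split("/")[0] in ("nfs", "host", "root"):
            return (0, 0)  # machine credentials are treated as root
        return self._local_ids(name)


def demo():
    """Mappings the post's setup exercises, under both Method settings."""
    nss = IdMapper(IDMAPD_CONF.format(method="nsswitch", gss_method="nsswitch"))
    static = IdMapper(IDMAPD_CONF.format(method="static", gss_method="static"))
    return {
        "nss wire alice@stagenfs.fr": nss.name_to_uid("alice@stagenfs.fr"),
        "nss wire alice@other.example": nss.name_to_uid("alice@other.example"),
        "nss uid 0": nss.uid_to_name(0),
        "nss princ alice@STAGENFS.FR": nss.principal_to_ids("alice@STAGENFS.FR"),
        "nss princ host/host1": nss.principal_to_ids("host/host1.stagenfs.fr@STAGENFS.FR"),
        "nss princ alice@OTHER.EXAMPLE": nss.principal_to_ids("alice@OTHER.EXAMPLE"),
        "static wire alice@stagenfs.fr": static.name_to_uid("alice@stagenfs.fr"),
        "static princ alice@STAGENFS.FR": static.principal_to_ids("alice@STAGENFS.FR"),
        "static uid 25002": static.uid_to_name(25002),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:34} -> {value}")
```

Two caveats a practitioner would raise on the workaround described in the post. The file /tmp/krb5ccmachine_STAGENFS.FR is the client's machine credential cache: the klist output shows it holds the host/ principal's TGT and an nfs/ service ticket, and rpc.gssd uses it for the mount's own state operations. Its root-only 0600 mode is intentional, and chowning it to alice hands her the machine's Kerberos identity, which the server maps to root (the machine-principal branch above). Per-user access is meant to come from the user's own cache, which rpc.gssd has to be able to find (its -d option controls where it searches). Likewise the NOPASSWD sudoers entry for /bin/mount and /bin/umount lets the user mount anything anywhere as root, well beyond this one NFS share.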