I am trying to set up single sign-on (SSO) with Kerberos and LDAP, but I am running into problems with an NFSv4 service that uses Kerberos for authentication and encryption (krb5p).
My environment:
- 1 server with LDAP and Kerberos (named server) (IP: 192.168.1.1)
- 1 server (named host2) providing services such as SSH and NFSv4 (IP: 192.168.1.100)
- 1 client (named host1) (IP: 192.168.1.2)
All three machines run Ubuntu 18.04.
My /etc/hosts is identical on all three machines, as shown below.
SSO works well with the SSH service using GSSAPI, and I get a good Kerberos ticket on my client. Now I am trying to set up the NFSv4 service. First, I configured the shared files (nfs-kernel-server and nfs-common).
When I log in on the client machine with an LDAP user (using sssd) and mount the shared directory, everything seems to work fine.
sudo mount -vvv -t nfs4 -o proto=tcp,port=2049,sec=krb5p host2.stagenfs.fr:/ /mnt
Note that I had to add permissions for the LDAP user in /etc/sudoers in order to mount the NFS directory with the LDAP user account:
/etc/sudoers
<LDAP user> ALL=(ALL:ALL) NOPASSWD: /bin/mount,/bin/umount,/sbin/mount.nfs,/sbin/mount.nfs4
But Kerberos gives me a ticket that belongs to root (with 600 permissions). So when I log in with the LDAP client account, I cannot enter the /mnt directory. So I found that only the root user can access /mnt. On the client (the mount point directory) and on the server, the permissions of the NFS shared directory are 777.
The LDAP user ticket is in the directory specified in the sssd.conf file, but the ticket for the NFS service is in the /tmp/ directory.
I tried chown <LDAP user>:<LDAP user group> /tmp/krb5ccmachine_STAGENFS, and then my LDAP user was able to access /mnt.
I think this may come from the idmapd service, but I don't understand how to set up /etc/idmapd.conf to make things work. I tried some configurations I found online, but without success.
Here are my config files:
/etc/hosts (identical on all machines)
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.1 server.stagenfs.fr server
192.168.1.1 stagenfs.fr
192.168.1.2 host1.stagenfs.fr host1
192.168.1.100 host2.stagenfs.fr host2
/etc/nsswitch.conf (identical on all machines)
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
/etc/idmapd.conf (identical on the client and the NFS server)
[General]
Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
Domain = stagenfs.fr
Local-Realms = STAGENFS.FR
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
#Method = nsswitch
Method = static
GSS-Methods = static
#Method = umich_ldap,nsswitch
#GSS-Methods = umich_ldap
#Method = sss
[Static]
#nfs/[email protected] = alice
#nfs/[email protected] = alice
#nfs/[email protected] = alice
[email protected] = alice
#[UMICH_SCHEMA]
#LDAP_server = server.stagenfs.fr
#LDAP_base = ou=tl
#LDAP_use_ssl = true
#LDAP_ca_cert = /etc/ssl/certs/cacert.pem
#NFSV4_person_objectclass = posixaccount
#NFSV4_name_attr = uid
/etc/default/nfs-common (client machine)
STATDOPTS=
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD="yes"
NEED_IDMAPD="yes"
/etc/default/nfs-kernel-server (NFS server machine)
# Number of servers to start up
RPCNFSDCOUNT=8
# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"
# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=""
/etc/sssd/sssd.conf (identical on the client and the NFS server)
[sssd]
debug_level = 0xFFF0
config_file_version = 2
services = nss,pam
domains = STAGENFS.FR
[nss]
debug_level = 0xFFF0
filter_users = root
filter_groups = root
[pam]
debug_level = 10
offline_credentials_expiration = 1
[domain/STAGENFS.FR]
debug_level = 0xFFF0
ldap_schema = rfc2307
ldap_search_base = ou=tl
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
ldap_access_order = filter
ldap_access_filter = &(objectClass=posixAccount) (uidNumber=*)
ldap_uri = ldaps://server.stagenfs.fr
ldap_referrals = False
ldap_id_use_start_tls = False
cache_credentials = False
account_cache_expiration = 1
enumerate = True
ldap_default_bind_dn = cn=proxyuser,ou=private,ou=tl
ldap_default_authtok_type = password
ldap_default_authtok = ProxyUser123#
ldap_tls_cacert = /etc/ssl/certs/cacert.pem
krb5_realm = STAGENFS.FR
krb5_canonicalize = False
krb5_server = server.stagenfs.fr
krb5_kpasswd = server.stagenfs.fr
krb5_ccachedir = /home/tl/%u
/var/log/syslog (minimal configuration) (on the NFS server)
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=user
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: calling nsswitch->uid_to_name
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: nsswitch->uid_to_name returned 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_uid_to_name: final return value is 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: Server : (user) id "0" -> name "[email protected]"
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfsdcb: authbuf=gss/krb5p authtype=group
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: calling nsswitch->gid_to_name
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: nsswitch->gid_to_name returned 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: nfs4_gid_to_name: final return value is 0
Aug 2 10:05:57 host2 rpc.idmapd[470]: Server : (group) id "0" -> name "[email protected]"
Output of the command line on the client (host1). Alice is the LDAP user authenticated with Kerberos.
alice@host1:~$ sudo mount -vvv -t nfs4 -o proto=tcp,port=2049,sec=krb5p host2:/users /mnt
mount.nfs4: timeout set for Thu Aug 2 10:07:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.100,clientaddr=192.168.1.2'
alice@host1:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn:uid=alice,ou=people,ou=tl
alice@host1:~$ klist
Ticket cache: FILE:/home/tl/alice/krb5_25002
Default principal: [email protected]
Valid starting Expires Service principal
02/08/2018 10:57:40 02/08/2018 20:57:40 krbtgt/[email protected]
renew until 03/08/2018 10:57:40
02/08/2018 10:57:56 02/08/2018 20:57:40 ldap/[email protected]
renew until 03/08/2018 10:57:40
alice@host1:~$ klist -c /tmp/krb5ccmachine_STAGENFS.FR
klist: Credentials cache permissions incorrect (filename: /tmp/krb5ccmachine_STAGENFS.FR)
alice@host1:~$
root@host1:~# klist -c /tmp/krb5ccmachine_STAGENFS.FR
Ticket cache: FILE:/tmp/krb5ccmachine_STAGENFS.FR
Default principal: host/[email protected]
Valid starting Expires Service principal
02/08/2018 10:01:07 02/08/2018 20:01:07 krbtgt/[email protected]
renew until 03/08/2018 10:01:07
02/08/2018 10:01:07 02/08/2018 20:01:07 nfs/[email protected]
renew until 03/08/2018 10:01:07
root@host1:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 ldap/[email protected]
2 ldap/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 nfs/[email protected]
2 nfs/[email protected]
As you can see, I tried several methods in idmapd.conf, but without success. I found some websites, like this link, but it did not help. I think I am missing something in the idmapd configuration or elsewhere. If you have any ideas or questions, don't hesitate.
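To reason about what the idmapd.conf above actually does, here is an added example (not code from the question, and not nfs-utils code) that models the two mappings rpc.idmapd performs with the settings shown: Method = nsswitch turns a local uid into name@Domain (the syslog lines above show uid 0 becoming root@stagenfs.fr), and GSS-Methods = static maps a Kerberos principal to a local user only if it is listed in the [Static] section, falling back to Nobody-User otherwise. The config text, the passwd table and the principal names (alice@STAGENFS.FR, host/host1.stagenfs.fr@STAGENFS.FR) are constructed stand-ins; the post's own principals are obfuscated, so nothing here reproduces them.

```python
"""Behavioural model of NFSv4 id mapping (uid <-> name@Domain and
Kerberos principal -> local user) as configured in the idmapd.conf
from the question.  Added example; constructed config and passwd table."""

import configparser

# Constructed idmapd.conf mirroring the question's settings; the [Static]
# entry is a placeholder, not one of the post's obfuscated principals.
IDMAPD_CONF = """\
[General]
Domain = stagenfs.fr
Local-Realms = STAGENFS.FR

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch
GSS-Methods = static

[Static]
# principal = local user (only listed principals get a real uid)
alice@STAGENFS.FR = alice
"""

# Constructed stand-in for the passwd database (name -> uid).
PASSWD = {"root": 0, "nobody": 65534, "alice": 25002}


def load_config(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(text)
    return cp


class IdMapper:
    def __init__(self, cp, passwd):
        self.domain = cp["General"]["Domain"].lower()
        self.nobody = cp["Mapping"]["Nobody-User"]
        self.static = dict(cp["Static"]) if cp.has_section("Static") else {}
        self.passwd = passwd
        self.uids = {uid: name for name, uid in passwd.items()}

    def uid_to_name(self, uid):
        # Server side (nsswitch->uid_to_name): local uid -> "name@Domain".
        # An unknown uid is reported under the Nobody-User name.
        return f"{self.uids.get(uid, self.nobody)}@{self.domain}"

    def name_to_uid(self, owner):
        # Client side: strip the domain; a foreign domain or an unknown
        # user name collapses to the nobody uid.
        name, _, domain = owner.partition("@")
        if domain.lower() != self.domain or name not in self.passwd:
            return self.passwd[self.nobody]
        return self.passwd[name]

    def principal_to_uid(self, principal):
        # Server side with GSS-Methods = static: the authenticated
        # principal must appear in [Static]; anything else is nobody.
        local = self.static.get(principal)
        if local is None or local not in self.passwd:
            return self.passwd[self.nobody]
        return self.passwd[local]


def build_mapper():
    return IdMapper(load_config(IDMAPD_CONF), PASSWD)


if __name__ == "__main__":
    m = build_mapper()
    print("uid 0 ->", m.uid_to_name(0))
    print("alice@stagenfs.fr ->", m.name_to_uid("alice@stagenfs.fr"))
    print("alice@STAGENFS.FR (principal) ->", m.principal_to_uid("alice@STAGENFS.FR"))
    print("host/host1.stagenfs.fr@STAGENFS.FR ->",
          m.principal_to_uid("host/host1.stagenfs.fr@STAGENFS.FR"))
```

The model shows why a mount that authenticates with the machine principal (the host/... ticket in /tmp) is squashed to nobody under GSS-Methods = static unless that principal is listed, and why the per-user ticket has to be the one presented for the user's accesses. It deliberately covers only id mapping; credential-cache ownership is a separate mechanism, and handing the root-owned machine cache to a user is not a mapping fix.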