如何在没有 root 权限的情况下使用 Kerberos 身份验证访问 NFSv4 共享文件夹

如何在没有 root 权限的情况下使用 Kerberos 身份验证访问 NFSv4 共享文件夹

我正在使用 Kerberos 身份验证设置 NFSv4 共享文件夹。我面临的问题是,当客户端计算机上的用户运行时mount /mnt(请参阅下面的 fstab 配置),他无法访问 /mnt 目录。我猜这是由于 Kerberos 票证上的权限所致。事实上,当我这样做时,我只得到一张属于 root 的票。

客户端 = 192.168.1.2 和服务器 = 192.168.1.1 都运行 Ubuntu 18.04.1

这里是命令行:

user@client:~$ mount -vvv /mnt
mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

user@client:~$ cd /mnt
bash: cd: /mnt: Permission denied

user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR 
-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 16:53:42  11/09/2018 02:53:42  krbtgt/[email protected]
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/server.domain.fr@
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/[email protected]
    renew until 11/09/2018 16:53:42

root@client:~# klist -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/[email protected]
   3 nfs/[email protected]

我发现当我使用用户权限对 nfs/client.domain.fr 执行“kinit”然后运行 ​​mount 命令时,我可以访问 /mnt 目录

user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
keytab specified, forcing -k
user@client:~$ klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 17:22:59  11/09/2018 03:22:59  krbtgt/[email protected]
    renew until 11/09/2018 17:22:59

user@client:~$ mount /mnt
user@client:~$ cd /mnt
user@client:/mnt$ ll
total 12
drwxrwxrwx  3 root root 4096 sept.  4 10:30 ./
drwxr-xr-x 24 root root 4096 sept.  4 11:09 ../
drwxrwxrwx  2 root root 4096 sept. 10 16:14 media/

user@client:/mnt$ ll /tmp/krb5cc*
-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
-rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR 
[sudo] Mot de passe de user : 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 17:23:35  11/09/2018 03:23:35  krbtgt/[email protected]
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/server.domain.fr@
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/[email protected]
    renew until 11/09/2018 17:23:35

我的配置文件:

客户端计算机上的 /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
server:/    /mnt    nfs4    proto=tcp,port=2049,sec=krb5p,noauto,user   0   0

服务器上的 /etc/fstab:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
/home/media /export/media   none    bind    0   0

服务器上的 /etc/exports:

# /etc/exports: the access control list for filesystems which may be exported
#       to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media   192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)

客户端和服务器上存在 uid=1000 和 gid=1000 的用户。我还尝试了 root_squash 选项。

客户端和服务器上的 /etc/krb5.conf:

[logging]
    default = FILE:/tmp/krb5libs.log
    kdc = FILE:/tmp/krb5kdc.log
    admin_server = FILE:/tmp/kadmind.log

[libdefaults]
    default_realm = DOMAIN.FR

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.FR = {
        kdc = kdc.domain.fr
        admin_server = kerberos.domain.fr
        default_domain = domain.fr
    }

[domain_realm]
    .domain.fr = DOMAIN.FR
    domain.fr = DOMAIN.FR

服务器上的 /etc/default/nfs-kernel-server:

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"

客户端和服务器上的 /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".


# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

客户端和服务器上的 /etc/hosts:

127.0.0.1   localhost

# server
192.168.1.1 server.domain.fr    server
192.168.1.1 domain.fr
# Client
192.168.1.2 client.domain.fr    client

kdc的日志:

sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for krbtgt/[email protected]
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for nfs/[email protected]

所以现在我只能挂载共享文件夹并使用客户端计算机上的 root 用户访问它,因为我获得的票证属于 root。是否可以获得属于用户的票?我想知道是否可以使用用户挂载共享目录并访问它而不需要之前执行 kinit 。

相关内容