我正在设置一个使用 Kerberos 身份验证的 NFSv4 共享文件夹。我面临的问题是,当客户端计算机上的用户运行时mount /mnt
(请参阅下面的 fstab 配置),他无法访问 /mnt 目录。我猜这是由于 Kerberos 票证上的权限。事实上,当我这样做时,我只获得属于 root 的票证。
客户端 = 192.168.1.2 和服务器 = 192.168.1.1 均运行 Ubuntu 18.04.1
这里是命令行:
user@client:~$ mount -vvv /mnt
mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'
user@client:~$ cd /mnt
bash: cd: /mnt: Permission denied
user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR
-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR
user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]
Valid starting Expires Service principal
10/09/2018 16:53:42 11/09/2018 02:53:42 krbtgt/[email protected]
renew until 11/09/2018 16:53:42
10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/server.domain.fr@
renew until 11/09/2018 16:53:42
10/09/2018 16:53:42 11/09/2018 02:53:42 nfs/[email protected]
renew until 11/09/2018 16:53:42
root@client:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/[email protected]
3 nfs/[email protected]
我发现当我使用用户权限对 nfs/client.domain.fr 执行“kinit”然后运行 mount 命令时,我可以访问 /mnt 目录
user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab
keytab specified, forcing -k
user@client:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/[email protected]
Valid starting Expires Service principal
10/09/2018 17:22:59 11/09/2018 03:22:59 krbtgt/[email protected]
renew until 11/09/2018 17:22:59
user@client:~$ mount /mnt
user@client:~$ cd /mnt
user@client:/mnt$ ll
total 12
drwxrwxrwx 3 root root 4096 sept. 4 10:30 ./
drwxr-xr-x 24 root root 4096 sept. 4 11:09 ../
drwxrwxrwx 2 root root 4096 sept. 10 16:14 media/
user@client:/mnt$ ll /tmp/krb5cc*
-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
-rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR
user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR
[sudo] Mot de passe de user :
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]
Valid starting Expires Service principal
10/09/2018 17:23:35 11/09/2018 03:23:35 krbtgt/[email protected]
renew until 11/09/2018 17:23:35
10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/server.domain.fr@
renew until 11/09/2018 17:23:35
10/09/2018 17:23:35 11/09/2018 03:23:35 nfs/[email protected]
renew until 11/09/2018 17:23:35
我的配置文件:
客户端计算机上的 /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
server:/ /mnt nfs4 proto=tcp,port=2049,sec=krb5p,noauto,user 0 0
服务器上的 /etc/fstab:
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
/home/media /export/media none bind 0 0
服务器上的 /etc/exports:
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/export 192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
客户端和服务器上均存在 uid=1000 和 gid=1000 的用户。我还尝试了 root_squash 选项。
客户端和服务器上的 /etc/krb5.conf:
[logging]
default = FILE:/tmp/krb5libs.log
kdc = FILE:/tmp/krb5kdc.log
admin_server = FILE:/tmp/kadmind.log
[libdefaults]
default_realm = DOMAIN.FR
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
DOMAIN.FR = {
kdc = kdc.domain.fr
admin_server = kerberos.domain.fr
default_domain = domain.fr
}
[domain_realm]
.domain.fr = DOMAIN.FR
domain.fr = DOMAIN.FR
服务器上的 /etc/default/nfs-kernel-server:
# Number of servers to start up
RPCNFSDCOUNT=8
# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"
# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"
客户端和服务器上的 /etc/default/nfs-common:
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
客户端和服务器上的 /etc/hosts:
127.0.0.1 localhost
# server
192.168.1.1 server.domain.fr server
192.168.1.1 domain.fr
# Client
192.168.1.2 client.domain.fr client
kdc的日志:
sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for krbtgt/[email protected]
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for nfs/[email protected]
因此,现在我只能在客户端计算机上挂载共享文件夹并以 root 用户身份访问它,因为我获得的票证属于 root。是否可以获取属于用户的票证?我想知道是否可以在不执行 kinit 的情况下以用户身份挂载共享目录并访问它。
如果您需要更多信息或对我的配置有疑问,请不要犹豫。