I am trying to mount an NFSv4 share, but the mount command cannot get permission to mount it.
When I try to mount the share, I get the following message:
mount.nfs4: mount(2): Permission denied
If I try to initialise the nfs principal with the following command, it returns:
kinit -k -t /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM
kinit: Client 'nfs/nfshost.domain.com@DOMAIN.COM' not found in Kerberos database while getting initial credentials
Below are all the details of how I tried to configure and test the service. All hosts are Debian 12:
On the NFS server:
/etc/hosts file:
127.0.0.1 localhost
172.17.0.10 nfshost.domain.com nfshost
...
/etc/krb5.conf file:
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = DOMAIN.COM
default_keytab_name = FILE:/etc/krb5.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
allow_weak_crypto = 0
[realms]
DOMAIN.COM = {
kdc = 172.17.0.20
master_kdc = 172.17.0.20
default_domain = domain.com
admin_server = 172.17.0.20
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
/etc/exports file:
/exports 172.17.0.0/16(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
/exports/users 172.17.0.0/16(rw,sync,no_subtree_check,sec=krb5)
/etc/idmapd.conf file:
[General]
Verbosity = 0
Domain = domain.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
/etc/default/nfs-kernel-server file:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=""
/etc/default/nfs-common file:
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
Commands used to add the NFS server entry to the domain (Samba AD):
# kdestroy
# kinit administrator
# msktutil delete --computer-name NFSHOST --server 172.17.0.20
# msktutil -c -b "CN=COMPUTERS" -s HOST/nfshost.domain.com -h nfshost -k /etc/krb5.keytab --computer-name NFSHOST --server 172.17.0.20 --dont-expire-password --verbose --enctypes 28
In AD (Samba at 172.17.0.20):
Add the following SPNs to the NFS server host that was just added:
# samba-tool spn add nfs/nfshost NFSHOST$
# samba-tool spn add nfs/nfshost.domain.com NFSHOST$
# samba-tool spn add RestrictedKrbHost/nfshost NFSHOST$
# samba-tool spn add RestrictedKrbHost/nfshost.domain.com NFSHOST$
Check the NFS server host entry with samba-tool computer show nfshost:
dn: CN=NFSHOST,CN=Computers,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: NFSHOST
instanceType: 4
whenCreated: 20230901104446.0Z
uSNCreated: 202585
name: NFSHOST
objectGUID: 305c91e0-328d-47f4-ab30-7a4c0ea951dc
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133380386868301530
primaryGroupID: 515
objectSid: S-1-5-21-2898533208-202842514-1397044296-107323
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: NFSHOST$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com
isCriticalSystemObject: FALSE
dNSHostName: nfshost.domain.com
msDS-SupportedEncryptionTypes: 28
userAccountControl: 69632
servicePrincipalName: HOST/nfshost.domain.com
servicePrincipalName: host/nfshost
servicePrincipalName: nfs/nfshost
servicePrincipalName: nfs/nfshost.domain.com
servicePrincipalName: RestrictedKrbHost/nfshost
servicePrincipalName: RestrictedKrbHost/nfshost.domain.com
whenChanged: 20230901104626.0Z
uSNChanged: 202594
distinguishedName: CN=NFSHOST,CN=Computers,DC=domain,DC=com
Generate the NFS host keytab:
# samba-tool domain exportkeytab --principal=nfs/nfshost.domain.com keytab.NFSHOST-nfs
Back on the NFS server:
Retrieve the generated keytab from AD:
scp root@172.17.0.20:/root/keytab.NFSHOST-nfs .
Merge it into the /etc/krb5.keytab file:
# ktutil
rkt /etc/krb5.keytab
rkt /root/keytab.NFSHOST-nfs
wkt /etc/krb5.keytab
quit
# chmod 600 /etc/krb5.keytab
# chown root:root /etc/krb5.keytab
Check that the SPN is present:
klist -kte /etc/krb5.keytab | grep nfs/nfshost.domain.com
which returns these entries:
1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
Restart some services:
exportfs -rav
/etc/init.d/nfs-kernel-server restart
/etc/init.d/nfs-common restart
mount --bind /home/users /exports/users
The clocks of the AD server and the NFS server are synchronised.
The hosts are on the same VLAN, there is no firewall between them, and neither host runs a local firewall.
Tests:
Try to mount the share (still on the NFS server):
mount -t nfs4 nfshost.domain.com:/users /mnt -o sec=krb5 -v
Returns:
mount.nfs4: timeout set for Fri Sep 1 08:03:22 2023
mount.nfs4: trying text-based options 'sec=krb5,vers=4,addr=172.17.0.10,clientaddr=172.17.0.10'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfshost.domain.com:/users
Try to kinit the nfs principal, which returns:
kinit -k -t /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM
kinit: Client 'nfs/nfshost.domain.com@DOMAIN.COM' not found in Kerberos database while getting initial credentials
The /var/log/syslog file contains the following:
Sep 1 08:03:25 nfshost rpc.gssd[111218]: ERROR: No credentials found for connection to server nfshost.domain.com
What am I missing to configure this NFS service correctly?
Answer 1
It turned out to be a problem with the /etc/krb5.keytab file: after deleting that file instead of running kdestroy, and then going through the rest of the procedure, the mount succeeded.
I deleted the file because it looked too big (+2M) and merging the keytab with ktutil was taking too long.
I mistakenly believed that the job of kdestroy was to clean up the /etc/krb5.keytab file, but as stated in man 1 kdestroy, its function is:
"The kdestroy utility destroys the user's active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them."
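As an added check that is not part of the original question or answer, the following POSIX shell script audits a `klist -kte` listing like the one the question greps by eye. It confirms that the nfs/ principal carries both AES enctypes that the krb5.conf above permits, lists keytab entries that occur more than once (ktutil's wkt adds the loaded keys to an existing keytab rather than replacing it, so re-running the rkt/rkt/wkt merge duplicates every entry, which is one way a keytab grows to the size the answer mentions), shows the distinct KVNOs present for a principal, and checks the root:600 permissions the question sets. The sample listing is constructed for this example in the format MIT klist prints; `keytab_audit` applies the same checks to a real keytab and assumes MIT klist and GNU stat are installed.

```shell
#!/bin/sh
# Added example: audit `klist -kte <keytab>` output for what an NFS server
# needs. Assumes MIT klist output ("KVNO date time principal (enctype)"
# per line) and GNU stat for the permission check.

# Constructed sample listing: the two nfs/ entries from the question, the
# same pair again (as a repeated ktutil merge produces), and a HOST/ key
# that exists under two KVNOs.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/09/2023 07:59:33 HOST/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 01/09/2023 08:10:02 HOST/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)'

# Reduce a listing on stdin to "kvno principal enctype" lines, skipping the header.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 { gsub(/[()]/, "", $5); print $1, $4, $5 }'
}

# keytab_has_key LISTING PRINCIPAL ENCTYPE: succeed if that key is in the listing.
keytab_has_key() {
    printf '%s\n' "$1" | keytab_entries |
        awk -v p="$2" -v e="$3" '$2 == p && $3 == e { found = 1 } END { exit !found }'
}

# keytab_duplicates LISTING: print "count kvno principal enctype" for entries
# that occur more than once. ktutil's wkt adds the loaded keys to an existing
# keytab instead of replacing it, so re-running a merge duplicates every entry.
keytab_duplicates() {
    printf '%s\n' "$1" | keytab_entries | sort | uniq -c |
        awk '$1 > 1 { print $1, $2, $3, $4 }'
}

# keytab_kvnos LISTING PRINCIPAL: distinct KVNOs for a principal, space separated.
# The service needs the KVNO the KDC currently issues tickets under; a keytab
# holding only an older KVNO cannot decrypt fresh tickets.
keytab_kvnos() {
    printf '%s\n' "$1" | keytab_entries |
        awk -v p="$2" '$2 == p { print $1 }' | sort -nu | xargs
}

# keytab_perms_ok PATH: root-owned and mode 600, as the question sets. GNU stat.
keytab_perms_ok() {
    [ "$(stat -c '%U:%a' "$1" 2>/dev/null)" = "root:600" ]
}

# keytab_audit KEYTAB PRINCIPAL: run every check against a real keytab file.
keytab_audit() {
    listing=$(klist -kte "$1") || return 1
    for enc in aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96; do
        if keytab_has_key "$listing" "$2" "$enc"; then
            echo "ok: $2 has $enc"
        else
            echo "MISSING: $2 has no $enc key"
        fi
    done
    echo "KVNOs for $2: $(keytab_kvnos "$listing" "$2")"
    echo "duplicate entries (count kvno principal enctype):"
    keytab_duplicates "$listing"
    keytab_perms_ok "$1" || echo "WARNING: $1 is not root:600"
}

# Stand-alone run on the constructed sample.
echo "duplicates in sample:"
keytab_duplicates "$SAMPLE_LISTING"
echo "HOST/ KVNOs in sample: $(keytab_kvnos "$SAMPLE_LISTING" HOST/nfshost.domain.com@DOMAIN.COM)"
# Real use on the server: keytab_audit /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM
```

On the NFS server the call to make is `keytab_audit /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM`; a non-empty duplicate list or more than one KVNO for the nfs/ principal is the cue to rebuild the keytab from a fresh export rather than merging into the existing file again.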