Kerberos pre-authentication failed when mounting NFS

I have the following NFS export:

/home/users     192.168.1.0/24(rw,sec=krb5p,no_subtree_check,nohide,async,anonuid=65534,anongid=65534)

When I try to mount it on the client, I get:

client:/home # mount -t nfs4 -o sec=krb5p server:/home/users /home/users -vvv
mount.nfs4: timeout set for Sun May 12 21:13:56 2013
mount.nfs4: trying text-based options 'sec=krb5p,addr=192.168.1.2,clientaddr=192.168.1.62'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting server:/home/users

In the syslog on the server I get:

May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: NEEDED_PREAUTH: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
May 12 19:59:48 server krb5kdc[2704]: preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: PREAUTH_FAILED: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Decrypt integrity check failed

As far as I can tell, the keytabs are set up correctly:

Client:

client:/home # ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4                        nfs/client.localdomain@REALM
   2    4                        nfs/client.localdomain@REALM
   3    4                        nfs/client.localdomain@REALM
   4    4                        nfs/client.localdomain@REALM
   5    4                       host/client.localdomain@REALM
   6    4                       host/client.localdomain@REALM
   7    4                       host/client.localdomain@REALM
   8    4                       host/client.localdomain@REALM

Server:

root@server:~# ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3                     host/server.localdomain@REALM
   2    3                     host/server.localdomain@REALM
   3    3                     host/server.localdomain@REALM
   4    3                     host/server.localdomain@REALM
   5    2                     cifs/server.localdomain@REALM
   6    2                   HTTP/server.localdomain@REALM
   7    2                   HTTP/server.localdomain@REALM
   8    2                   HTTP/server.localdomain@REALM
   9    2                   HTTP/server.localdomain@REALM
  10    2                      nfs/server.localdomain@REALM
  11    2                      nfs/server.localdomain@REALM
  12    2                      nfs/server.localdomain@REALM
  13    2                      nfs/server.localdomain@REALM

Kerberos user authentication with kinit on the client works fine.

When I try the same NFS mount on the server itself, it succeeds.

What is pre-authentication? What are the possible causes of a pre-authentication failure?
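A small triage script for KDC log lines like the ones quoted above, added here as an example; it is not part of the original question. It assumes the MIT Kerberos krb5kdc syslog format shown in the question. The sample lines are constructed: the first three copy the question, the ISSUE line and the clock-skew failure for a second host are made up. It also records the background the question asks about: with the encrypted_timestamp mechanism the client proves it holds the principal's long-term key by encrypting the current time with it, the KDC decrypts that with the key it has on file, and "Decrypt integrity check failed" means those two keys differ.

```shell
#!/bin/sh
# Added example: triage krb5kdc log lines for pre-authentication failures.
# Format assumed: MIT Kerberos krb5kdc syslog lines as quoted in the question.
# The sample below is constructed; the first three lines copy the question,
# the ISSUE line and the clock-skew failure for a second host are made up.
SAMPLE_LOG='May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: NEEDED_PREAUTH: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
May 12 19:59:48 server krb5kdc[2704]: preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
May 12 19:59:48 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: PREAUTH_FAILED: nfs/client.localdomain@REALM for krbtgt/REALM@REALM, Decrypt integrity check failed
May 12 20:01:10 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.62: ISSUE: authtime 1368381670, etypes {rep=18 tkt=18 ses=18}, alice@REALM for krbtgt/REALM@REALM
May 12 20:03:01 server krb5kdc[2704]: AS_REQ (4 etypes {18 17 16 23}) 192.168.1.77: PREAUTH_FAILED: host/other.localdomain@REALM for krbtgt/REALM@REALM, Clock skew too great'

# preauth_failures: KDC log on stdin -> "<client-ip> <principal> <reason>" per PREAUTH_FAILED line.
# NEEDED_PREAUTH lines are normal: the KDC answers the first AS_REQ that carries
# no pre-authentication data with that error, and the client retries with it.
preauth_failures() {
    sed -n 's/.*) \([0-9.]*\): PREAUTH_FAILED: \([^ ]*\) for [^,]*, \(.*\)$/\1 \2 \3/p'
}

# classify REASON: map the KDC's reason text to a short tag.
# encrypted_timestamp preauth: the client encrypts the current time with the
# principal's long-term key and the KDC decrypts it with the key it stores.
# A decrypt integrity failure therefore means the client's key (keytab or
# password) is not the key the KDC holds, e.g. a keytab written before the
# principal's key was changed.
classify() {
    case "$1" in
        "Decrypt integrity check failed") echo key-mismatch ;;
        "Clock skew too great")           echo clock-skew ;;
        *)                                echo unknown ;;
    esac
}

# triage: "<client-ip> <principal> <tag>" per failure
triage() {
    preauth_failures | while read -r ip princ reason; do
        echo "$ip $princ $(classify "$reason")"
    done
}

# failure_counts: failures per principal, most frequent first. One principal
# failing persistently from one host is the stale-keytab case in the question;
# many principals failing from one source address is something to alert on.
failure_counts() {
    preauth_failures | awk '{ c[$2]++ } END { for (p in c) print c[p], p }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | triage
printf '%s\n' "$SAMPLE_LOG" | failure_counts
# Live use on the KDC, reading the same syslog the question quotes:
#   grep krb5kdc /var/log/syslog | triage
```

For the question's own lines the output is `192.168.1.62 nfs/client.localdomain@REALM key-mismatch`, which points at the client's keytab rather than at the NFS export or the mount options.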

Answer 1

It turns out that regenerating the client's keytab somehow fixed the problem.

Answer 2

For future reference for anyone who runs into a similar problem, I managed to solve it by purging the keys from the user's keytab file, then deleting the user, then re-adding the user. For example:

# kadmin.local
purgekeys user
delprinc user
addprinc -randkey user
ktadd user

Then redistribute the /etc/krb5.keytab file to all clients.

It was not enough to just delete and recreate the user. I had to purge the keys first.
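A script that checks the condition behind both answers and then applies answer 2's steps, added here as an example and not the answerer's own code. It compares the key version number (KVNO) in a client keytab with the KVNO the KDC holds for the same principal; the two sample outputs are constructed in the formats printed by MIT Kerberos' `klist -kte` and `kadmin.local -q "getprinc ..."`, and the principal name is the one from the question.

```shell
#!/bin/sh
# Added example, not the answerer's own script: compare the key version (KVNO)
# in a client keytab with the KVNO the KDC holds for the same principal, then
# rebuild the principal the way answer 2 describes.
# Assumed formats: MIT Kerberos `klist -kte` and `kadmin.local -q "getprinc ..."`
# output. Both samples are constructed; the principal is the one from the question.
PRINC='nfs/client.localdomain@REALM'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/12/2013 19:00:00 nfs/client.localdomain@REALM (aes256-cts-hmac-sha1-96)
   4 05/12/2013 19:00:00 nfs/client.localdomain@REALM (aes128-cts-hmac-sha1-96)
   4 05/12/2013 19:00:00 host/client.localdomain@REALM (aes256-cts-hmac-sha1-96)'

# Constructed getprinc output in which the KDC has already moved to key version 5.
SAMPLE_GETPRINC='Principal: nfs/client.localdomain@REALM
Expiration date: [never]
Number of keys: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 5, aes128-cts-hmac-sha1-96'

# keytab_kvno PRINC: highest KVNO for PRINC in klist -kte output on stdin (0 if absent)
keytab_kvno() {
    awk -v p="$1" '$4 == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno: highest "Key: vno N" in getprinc output on stdin (0 if none)
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(",", "", $3); if ($3 + 0 > max) max = $3 + 0 }
         END { print max + 0 }'
}

# compare_kvno KLIST_OUTPUT GETPRINC_OUTPUT PRINC -> absent | match | mismatch
# mismatch means the keytab predates the KDC's current key, so the encrypted
# timestamp the client sends cannot be decrypted with it ("Decrypt integrity
# check failed"). match does not prove the key bytes agree, so finish with an
# end-to-end test on the client: kinit -kt /etc/krb5.keytab "$PRINC"
compare_kvno() {
    kt=$(printf '%s\n' "$1" | keytab_kvno "$3")
    kdc=$(printf '%s\n' "$2" | kdc_kvno)
    if [ "$kt" -eq 0 ]; then echo absent
    elif [ "$kt" -eq "$kdc" ]; then echo match
    else echo mismatch
    fi
}

# regenerate_principal PRINC KEYTAB: answer 2's fix as one kadmin.local session.
# -force skips delprinc's confirmation prompt. Not executed by this script;
# run it as root on the KDC, then copy KEYTAB to the client (root-owned, mode 0600).
regenerate_principal() {
    kadmin.local <<EOF
purgekeys $1
delprinc -force $1
addprinc -randkey $1
ktadd -k $2 $1
EOF
}

echo "keytab KVNO: $(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$PRINC")"
echo "KDC KVNO:    $(printf '%s\n' "$SAMPLE_GETPRINC" | kdc_kvno)"
echo "status:      $(compare_kvno "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" "$PRINC")"
# Live use: capture `klist -kte /etc/krb5.keytab` on the client and
# `kadmin.local -q "getprinc $PRINC"` on the KDC, then pass both texts to compare_kvno.
```

The check explains why answer 1 worked as well: regenerating the client keytab writes the KDC's current key into it, which is the same outcome answer 2 reaches by rebuilding the principal and running ktadd.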
