NFSv4 with Kerberos without creating new service principals

I need to deploy NFSv4 with Kerberos authentication in an existing AD environment, but this has to be done without making any changes to the KDC...

So I think I need to reuse the host credentials to authenticate the server. However, this does not seem to work, and I just cannot figure out why.

I am using CentOS 6. We have been using Kerberos+LDAP with many other services (SSH via PAM, OpenAFS, etc.).

To keep things simple, for now the same machine plays the roles of both client and server.

My configuration is as follows:

In /etc/sysconfig/nfs:

SECURE_NFS="yes"
RPCGSSDARGS="-vvvvvvv"
RPCSVCGSSDARGS="-n -vvvvv -rrrrr -iiiiii"

The important part here is the "-n" option passed to rpc.svcgssd (from the man page: "Use the system default credentials (host/FQDN@REALM) rather than the default nfs/FQDN@REALM.")

In /etc/idmapd.conf I have:

[General]
Verbosity = 3
Domain = mycompany.com


[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

[Translation]

Method = nsswitch

In /etc/krb5.conf I have:

[libdefaults]
 default_realm = MYCOMPANY.COM
 ticket_lifetime = 25h
 renew_lifetime = 120h
 forwardable = true
 proxiable = true
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 allow_weak_crypto = true
 chpw_prompt = true

[realms]
 MYCOMPANY.COM = {
  default_domain = mycompany.com
  kpasswd_server = dc.mycompany.com
  admin_server = dc.mycompany.com
  kdc = dc.mycompany.com

  v4_name_convert = {
     host = {
         rcmd = host
     }
  }
 }
[domain_realm]
 .mycompany.com = MYCOMPANY.COM
[appdefaults]
   pkinit_pool =  DIR:/etc/pki/tls/certs/
   pkinit_anchors = DIR:/etc/pki/tls/certs/
 pam = {
   external = true
   krb4_convert =  false 
   krb4_convert_524 =  false 
   krb4_use_as_req =  false 
   ticket_lifetime = 25h
   use_shmem = sshd
 }

In /etc/exports:

/exports *(rw,async,no_root_squash,insecure,no_subtree_check,fsid=0,sec=krb5)
/exports/data *(rw,async,no_root_squash,insecure,no_subtree_check,nohide,sec=krb5)

So now, if I try to mount this NFS share by running

mount -vvvv -t nfs4 -o rw,sec=krb5 nfs-srv-1:/ /mnt

as root, I get:

mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "nfs-srv-1:/"
mount: node:  "/mnt"
mount: types: "nfs4"
mount: opts:  "rw,sec=krb5"
final mount options: 'sec=krb5'
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfs-srv-1:/"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Thu Sep  3 15:19:19 2015
mount.nfs4: trying text-based options 'sec=krb5,addr=xxx.xxx.xx.xxx,clientaddr=xxx.xxx.xx.xxx'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-srv-1:/

and in the logs:

Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8c
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8b

Contents of the ticket cache (this was captured later, so please ignore the timestamps...):

Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/[email protected]

Valid starting     Expires            Service principal
09/04/15 10:34:34  09/05/15 11:34:34  krbtgt/[email protected]
    renew until 09/09/15 10:34:34

It seems that it finds my host credentials but cannot initialize the Kerberos 5 context. I don't know what to do; can you help me?

Let me know if you need more details.

Thanks in advance.
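As an added example (not part of the original question or of nfs-utils), the following Python script summarises an rpc.gssd debug trace like the one above: which keytab principals the client tried, which one it found, which credential cache it used, the GSS target name it asked a ticket for, and whether a context was established. The sample lines are constructed to mirror the question's output, with the principal names written out in full in the host/FQDN@REALM form the man page quote uses; the target name `nfs@nfs-srv-1.mycompany.com` and the helper `expected_target_principal` are assumptions for the example. The security-relevant check it makes visible is that the client's keytab entry (host/...) and the service principal the KDC must know for the target (service/FQDN@REALM) are two different things, so both have to be verified separately.

```python
"""Summarise an rpc.gssd -vvv trace (added example, not nfs-utils code).

The SAMPLE_LOG below is constructed to mirror the question's output; the
full principal names and the GSS target name are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep  3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
"""

_PATTERNS = {
    "missing": re.compile(r"No key table entry found for (\S+) while"),
    "found": re.compile(r"Success getting keytab entry for '([^']+)'"),
    "ccache": re.compile(r"using (\S+) as credentials cache"),
    "target": re.compile(r"creating context with server (\S+)\s*$"),
    "warning": re.compile(r"WARNING: (.*)$"),
}


@dataclass
class UpcallSummary:
    tried: List[str] = field(default_factory=list)   # principals absent from the keytab
    found: Optional[str] = None                      # keytab entry the client will use
    ccache: Optional[str] = None                     # credential cache selected
    target: Optional[str] = None                     # GSS name of the server (service@host)
    warnings: List[str] = field(default_factory=list)
    context_ok: bool = False                         # True only after a non-error downcall


def parse_gssd_log(lines) -> UpcallSummary:
    """Walk the trace line by line and record what rpc.gssd reported."""
    s = UpcallSummary()
    for line in lines:
        if (m := _PATTERNS["missing"].search(line)):
            s.tried.append(m.group(1))
        elif (m := _PATTERNS["found"].search(line)):
            s.found = m.group(1)
        elif (m := _PATTERNS["ccache"].search(line)):
            s.ccache = m.group(1)
        elif (m := _PATTERNS["target"].search(line)):
            s.target = m.group(1)
        elif (m := _PATTERNS["warning"].search(line)):
            s.warnings.append(m.group(1))
        elif "doing error downcall" in line:
            s.context_ok = False
        elif "doing downcall" in line:
            s.context_ok = True
    return s


def expected_target_principal(gss_name: str, realm: str) -> str:
    """Map a GSS host-based name 'service@host' to the Kerberos principal
    'service/host@REALM' that the KDC must be able to issue a ticket for."""
    service, host = gss_name.split("@", 1)
    return f"{service}/{host}@{realm}"


def diagnose(s: UpcallSummary, realm: str) -> List[str]:
    """Turn the summary into the checks an operator should do next."""
    notes = []
    if s.found is None:
        notes.append("client found no usable keytab entry; check /etc/krb5.keytab")
    else:
        notes.append(f"client authenticates with keytab entry {s.found}")
    if s.target:
        notes.append(
            f"KDC must be able to issue a ticket for {expected_target_principal(s.target, realm)}"
        )
    if not s.context_ok:
        notes.append("no GSS context was established (error downcall)")
    return notes


if __name__ == "__main__":
    summary = parse_gssd_log(SAMPLE_LOG.splitlines())
    print(f"tried and missing: {summary.tried}")
    print(f"found:             {summary.found}")
    print(f"ccache:            {summary.ccache}")
    for note in diagnose(summary, "MYCOMPANY.COM"):
        print(" -", note)
```

Run it against a real trace with `grep rpc.gssd /var/log/messages | python3 gssd_summary.py` after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`; the notes it prints are the two things to confirm independently: `klist -k` on the client for the keytab entry it reports as found, and a `kvno` request for the principal it derives from the target name to see whether the KDC knows it at all.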
