I need to deploy NFSv4 with Kerberos authentication in an existing AD environment, but this has to be done without making any changes to the KDC...
So I figured I would need to reuse the host credentials to authenticate the server. However, that doesn't seem to work, and I just can't figure out why.
I'm running CentOS 6. We have been using Kerberos+LDAP with many other services (SSH via PAM, OpenAFS, etc.).
For simplicity, the same machine is acting as both client and server for now.
My configuration is as follows:
In /etc/sysconfig/nfs:
SECURE_NFS="yes"
RPCGSSDARGS="-vvvvvvv"
RPCSVCGSSDARGS="-n -vvvvv -rrrrr -iiiiii"
The important part here is the "-n" option passed to rpc.svcgssd (from the man page: "Use the system default credentials (host/FQDN@REALM) rather than the default nfs/FQDN@REALM.")
In /etc/idmapd.conf I have:
[General]
Verbosity = 3
Domain = mycompany.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
In /etc/krb5.conf I have:
[libdefaults]
default_realm = MYCOMPANY.COM
ticket_lifetime = 25h
renew_lifetime = 120h
forwardable = true
proxiable = true
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
allow_weak_crypto = true
chpw_prompt = true
[realms]
MYCOMPANY.COM = {
default_domain = mycompany.com
kpasswd_server = dc.mycompany.com
admin_server = dc.mycompany.com
kdc = dc.mycompany.com
v4_name_convert = {
host = {
rcmd = host
}
}
}
[domain_realm]
.mycompany.com = MYCOMPANY.COM
[appdefaults]
pkinit_pool = DIR:/etc/pki/tls/certs/
pkinit_anchors = DIR:/etc/pki/tls/certs/
pam = {
external = true
krb4_convert = false
krb4_convert_524 = false
krb4_use_as_req = false
ticket_lifetime = 25h
use_shmem = sshd
}
In /etc/exports:
/exports *(rw,async,no_root_squash,insecure,no_subtree_check,fsid=0,sec=krb5)
/exports/data *(rw,async,no_root_squash,insecure,no_subtree_check,nohide,sec=krb5)
So now if I try to mount this NFS share by running
mount -vvvv -t nfs4 -o rw,sec=krb5 nfs-srv-1:/ /mnt
as root, I get:
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "nfs-srv-1:/"
mount: node: "/mnt"
mount: types: "nfs4"
mount: opts: "rw,sec=krb5"
final mount options: 'sec=krb5'
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfs-srv-1:/"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Thu Sep 3 15:19:19 2015
mount.nfs4: trying text-based options 'sec=krb5,addr=xxx.xxx.xx.xxx,clientaddr=xxx.xxx.xx.xxx'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-srv-1:/
and in the logs:
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8c
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8b
Contents of the ticket cache (this was run later, so please ignore the timestamps...):
Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/[email protected]
Valid starting Expires Service principal
09/04/15 10:34:34 09/05/15 11:34:34 krbtgt/[email protected]
renew until 09/09/15 10:34:34
It seems it finds my host credentials but cannot initialize a Kerberos 5 context. I don't know what to do, can you help me?
Let me know if you need more details.
Thanks in advance.
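As an added diagnostic aid (not part of the original question), here is a small Python parser that reduces rpc.gssd debug output like the above to what matters for triage: which keytab principals were tried, which one was actually used, the GSS target name the client asked for, and whether context creation failed. The embedded log lines are constructed, modeled on the post with the principals spelled out in full (the post's copy has them mangled), and the `nfs@host` target name is assumed from rpc.gssd's usual behaviour.

```python
import re

# Constructed sample, modeled on the rpc.gssd -vvv output in the post above.
SAMPLE_LOG = """\
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'root/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM while getting keytab entry for 'nfs/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.mycompany.com@MYCOMPANY.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
"""

MSG = re.compile(r"rpc\.gssd\[\d+\]: (.*)$")
MISSING = re.compile(r"No key table entry found for (\S+) while")
FOUND = re.compile(r"Success getting keytab entry for '([^']+)'")
TARGET = re.compile(r"creating context with server (\S+)")
FAILED = re.compile(r"WARNING: Failed to create (?:machine )?krb5 context")


def summarize_gssd(log):
    """Collapse rpc.gssd debug lines into one triage summary."""
    summary = {"missing": [], "found": None, "target": None,
               "context_failures": 0, "cache_retries": 0, "error_downcall": False}
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue                      # not an rpc.gssd line
        msg = m.group(1)
        if (mm := MISSING.search(msg)):   # keytab principal tried and absent
            if mm.group(1) not in summary["missing"]:
                summary["missing"].append(mm.group(1))
        elif (mf := FOUND.search(msg)):   # keytab principal actually used
            summary["found"] = mf.group(1)
        elif (mt := TARGET.search(msg)):  # GSS target name requested from the KDC
            summary["target"] = mt.group(1)
        elif FAILED.search(msg):
            summary["context_failures"] += 1
        elif "Machine cache is prematurely expired or corrupted" in msg:
            summary["cache_retries"] += 1  # gssd discarded the cache and retried
        elif msg == "doing error downcall":
            summary["error_downcall"] = True  # mount(2) will see EACCES
    return summary


if __name__ == "__main__":
    for key, value in summarize_gssd(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The summary makes the mismatch in the post visible at a glance: the only keytab entry found is the host/ principal, while the context the client tries to build is for the nfs service on the same host.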