当 Apache httpd 尝试访问使用sec=krb5p和可能还有其他sec=krb选项自动挂载的用户目录时,gssproxy会发出失败消息,并且 Web 服务器会回复403 Forbidden。 gssproxy 上的调试选项还不够清晰。
为了排除 noneRPCGSS问题,当/tmp 中存在403有效的所有者 uidNumber 48 (apache) 时,不会发出,并且 Web 服务器将显示相应的页面。但是,这是由于 的行为。仍然发出相同的失败消息。KRB5CCrpc.gssdgssproxy
gssproxy: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "nfs-client", euid: 0, socket: (null)
gssproxy: gssproxy[639]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
# cat /etc/gssproxy/gssproxy.conf
[gssproxy]
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
# klist -ke /var/lib/gssproxy/clients/$(id -u apache).keytab
Keytab name: FILE:/var/lib/gssproxy/clients/48.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 apache/[email protected] (aes256-cts-hmac-sha1-96)
2 apache/[email protected] (aes128-cts-hmac-sha1-96)
2 apache/[email protected] (camellia256-cts-cmac)
2 apache/[email protected] (camellia128-cts-cmac)
# cat /etc/systemd/system/gssproxy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/sbin/gssproxy -D --debug
答案1
我使用 strace 看到 gssproxy 正在 /var/kerberos/krb5/user/48/client.keytab 中查找密钥表。我还需要设置 selinux 上下文:
chcon -t krb5_keytab_t /var/kerberos/krb5/user/48/client.keytab
ls -lZ /var/kerberos/krb5/user/48/client.keytab
-r--------. apache apache unconfined_u:object_r:krb5_keytab_t:s0 /var/kerberos/krb5/user/48/client.keytab
看起来 HTTP 节优先于 UID 48 的 nfs-client 节。