如果未在服务器中创建，则 NFS 的 Kerberos 密钥表将不起作用

我正在尝试使用 Kerberos 身份验证将目录挂载到客户端服务器。

kadmin如果我在服务器中使用创建 keytab 文件，则在挂载目录时无法获得身份验证。

sudo kadmin -p root/admin -w $KERBEROS_PASSWORD ktadd nfs/kbserver.example.com
sudo kadmin -p root/admin -w $KERBEROS_PASSWORD ktadd host/kbserver.example.com
sudo kadmin -p root/admin -w $KERBEROS_PASSWORD ktadd nfs/kube-node-0.example.com
sudo kadmin -p root/admin -w $KERBEROS_PASSWORD ktadd host/kube-node-0.example.com
udo kdestroy -A
sudo kinit -k -t /etc/krb5.keytab
sudo systemctl restart nfs-secure
sudo mount -t nfs4 -o sec=krb5 kbserver.example.com:/ /home/ec2-user/nfs-test

其结果是：

kbserver.example.com:/ /home/ec2-user/nfs-test -v
mount.nfs4: timeout set for Fri Sep  7 23:13:53 2018
mount.nfs4: trying text-based options 'sec=krb5,vers=4.1,addr=10.1.5.28,clientaddr=10.1.1.248'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.1.5.28,clientaddr=10.1.1.248'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting kbserver.example.com:/

另一方面，如果我在服务器上执行以下操作：

[ec2-user@kbserver ~]$ sudo kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local:  ktadd host/kbserver.example.com
Entry for principal host/kbserver.example.com with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
...
kadmin.local:  ktadd nfs/kbserver.example.com
Entry for principal nfs/kbserver.example.com with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
...
kadmin.local:  ktadd host/kube-node-0.example.com
Entry for principal host/kube-node-0.example.com with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
...
kadmin.local:  ktadd nfs/kube-node-0.example.com
Entry for principal nfs/kube-node-0.example.com with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
...
kadmin.local: quit
sudo cat /etc/krb5.keytab | base64 -w0

然后在客户端执行以下操作，即可挂载成功：

echo $BASE_64_ENCODED | base64 -d | sudo tee /etc/krb5.keytab
sudo kdestroy -A && sudo kinit -k -t /etc/krb5.keytab && sudo systemctl restart nfs-secure
sudo mount -t nfs4 -o sec=krb5 kbserver.example.com:/ /home/ec2-user/nfs-test

---

我的journalctl日志内容如下：

Sep 12 18:03:55 kube-node-0.example.com polkitd[603]: Unregistered Authentication Agent for unix-process:8510:15795400 (system bus name :1.302, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Sep 12 18:03:59 kube-node-0.example.com sudo[8676]: ec2-user : TTY=pts/2 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/mount -t nfs4 -o sec=krb5 kbserver.example.com:/ /home/ec2-user/nfs-test
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]:
                                                        handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 ' (nfs/clnt20)
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: krb5_use_machine_creds: uid 0 tgtname (null)
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: Full hostname for 'kbserver.example.com' is 'kbserver.example.com'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: Full hostname for 'kube-node-0.example.com' is 'kube-node-0.example.com'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: Success getting keytab entry for 'nfs/[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: gssd_get_single_krb5_cred: principal 'nfs/[email protected]' ccache:'FILE:/tmp/krb5ccmachine_EXAMPLE.COM'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1536861839
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: creating tcp client for server kbserver.example.com
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: creating context with server [email protected]
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: doing downcall: lifetime_rec=86400 [email protected]
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]:
                                                        handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' (nfs/clnt20)
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: krb5_use_machine_creds: uid 0 tgtname (null)
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: Full hostname for 'kbserver.example.com' is 'kbserver.example.com'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: Full hostname for 'kube-node-0.example.com' is 'kube-node-0.example.com'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: Success getting keytab entry for 'nfs/[email protected]'
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1536861839
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1536861839
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: creating tcp client for server kbserver.example.com
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: creating context with server [email protected]
Sep 12 18:03:59 kube-node-0.example.com rpc.gssd[8534]: doing downcall: lifetime_rec=86400 [email protected]
Sep 12 18:0

---

我已经检查过我的 confis 和 hosts 文件是否相同并且具有正确的主机：

[ec2-user@kube-node-0 ~]$ sudo md5sum /etc/krb5.conf
808b4fd2b3c97a89d1a13a464afad6f0  /etc/krb5.conf
[ec2-user@kube-node-0 ~]$ sudo md5sum /etc/hosts
bf563e1b1288cb87f7152658c926215f  /etc/hosts

服务器：

[ec2-user@kbserver ~]$ sudo md5sum /etc/krb5.conf
808b4fd2b3c97a89d1a13a464afad6f0  /etc/krb5.conf
[ec2-user@kbserver ~]$ sudo md5sum /etc/hosts
bf563e1b1288cb87f7152658c926215f  /etc/hosts

---

到目前为止，我唯一的假设是，尽管它们使用相同的主体，但创建密钥表文件的位置很重要，但不确定这有什么关系。