能够安装一次 Kerberised NFSv4 导出,但不能随后安装。‘安装时服务器拒绝访问’;‘需要额外的预身份验证’
你好,
我是 Kerberos 的新手,但对不具备安全性的 NFS 有一些经验。
我正在尝试在运行 Ubuntu 22.04 的两台主机上设置具有 krb5p 安全性的 NFS:服务器——enya.colonelpanic.local
在裸机上运行全新安装的 Ubuntu Server 22.04;客户端——imogen.colonelpanic.local
是一个最初运行 18.04 的虚拟机,但是当在命令中指定 v4 时,它一直回退到 NFSv3 mount
,所以我想升级以查看它们都运行 22.04 是否会更幸运。
我主要指的是http://techpubs.spinlocksolutions.com/dklar/kerberos.html和https://wiki.debian.org/NFS/Kerberos我没有使用 Debian Wiki 文章中概述的 GSSProxy。
我正在运行 Spinlock Solutions 文章 () 中概述的命令sudo tail -n0 -F /var/log/{*log,dmesg,messages,kerberos/{krb5kdc,kadmin,krb5lib}.log}
来监视日志文件,并想知道为什么它没有为 Kerberos 日志文件生成任何输出;然后我意识到它/var/log
被报告为只读文件系统,因此基于https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1874915我添加了/var/log
在和ReadWriteDirectories
中。/lib/systemd/system/krb5-kdc.service
/lib/systemd/system/krb5-admin-server.service
有一次,当收到挂载错误时,我意识到缺少 的主体enya.colonelpanic.local
(尽管我将领域的 Kerberos 服务器设置为krb.colonelpanic.local
),因此我添加了这些主体,最终能够enya.colonelpanic.local:/mnt/foo
在 上成功挂载imogen
,但是重新启动后,imogen
我无法挂载,并出现“服务器拒绝权限”错误。我还意识到enya
的时钟(未使用 NTP)比的时钟imogen
(使用 NTP)晚了大约 10 分钟;两者现在都在使用 NTP。
重新启动后第一次挂载尝试的imogen
结果如下enya
:
==> /var/log/kerberos/krb5kdc.log <==
Jul 09 12:40:08 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 12:40:08 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688902808, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for krbtgt/[email protected]
Jul 09 12:40:08 enya krb5kdc[71839](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688902808, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for nfs/[email protected]
kinit
无论我是否以我的用户身份 ( ) 发出获取票证,情况都是如此ansel
;我也尝试过sudo -s
以 root 身份执行 -ing,然后发出kinit ansel
并挂载,但结果相同。后续挂载尝试导致 中没有其他输出/var/log/kerberos/krb5kdc.log
。
Debian Wiki 文章指出,“需要额外的预认证”错误是由于密钥表不正确造成的,但据我所知,密钥表是正确的:
ansel@enya:~$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 host/[email protected]
8 host/[email protected]
8 nfs/[email protected]
8 nfs/[email protected]
8 host/[email protected]
8 host/[email protected]
8 nfs/[email protected]
8 nfs/[email protected]
ansel@enya:~$
ansel@imogen:~$ sudo klist -k
[sudo] password for ansel:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
13 host/[email protected]
13 host/[email protected]
16 nfs/[email protected]
16 nfs/[email protected]
ansel@imogen:~$
我尝试删除并重新创建密钥表,以及删除我的用户(ansel
和ansel/admin
)的主体,按照https://serverfault.com/a/959566/371237沒有改變。
我也发现了这个https://askubuntu.com/questions/1457852/kerberized-nfs-mounts-stopped-working-with-ubuntu-21-10-still-in-22-10关于 Ubuntu 22.04 中缺少与 GSS 有关的模块,因此确保rpcsec_gss_krb5
在两台机器上都加载了该模块modprobe
。
其他相关配置文件和命令输出:
/etc/hosts
在enya
(服务器)和imogen
(客户端)上(我的 DNS 设置不稳定,因此我在这里指定了主机名和 FQDN):
ansel@enya:~$ cat /etc/hosts
127.0.0.1 localhost
## Changed for Kerberos setup.
#127.0.1.1 enya
192.168.2.3 enya.colonelpanic.local enya krb.colonelpanic.local krb
192.168.2.124 imogen.colonelpanic.local imogen
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ansel@enya:~$
ansel@imogen:~$ cat /etc/hosts
127.0.0.1 localhost
##127.0.1.1 imogen
192.168.2.124 imogen.colonelpanic.local imogen
## Changed for Kerberos setup.
#127.0.1.1 enya
192.168.2.3 enya.colonelpanic.local enya krb.colonelpanic.local krb
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ansel@imogen:~$
ansel@enya:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = COLONELPANIC.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
COLONELPANIC.LOCAL = {
kdc = krb.colonelpanic.local
admin_server = krb.colonelpanic.local
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
.colonelpanic.local = COLONELPANIC.LOCAL
colonelpanic.local = COLONELPANIC.LOCAL
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
ansel@enya:~$
ansel@enya:~$ sudo kadmin.local -q "listprincs"
Authenticating as principal root/[email protected] with password.
K/[email protected]
ansel/[email protected]
[email protected]
host/[email protected]
host/[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
nfs/[email protected]
nfs/[email protected]
nfs/[email protected]
ansel@enya:~$
我注意到的一件事是,我没有或 的校长。kadmin/[email protected]
kadmin/[email protected]
ansel@enya:~$ cat /etc/default/nfs-kernel-server
# Number of servers to start up
RPCNFSDCOUNT=8
# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids"
# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
## CHANGED FROM EMPTY. (https://wiki.debian.org/NFS/Kerberos)
NEED_SVCGSSD="yes"
# Options for rpc.svcgssd.
## CHANGED (https://wiki.debian.org/NFS/Kerberos)
RPCSVCGSSDOPTS="-vvv"
ansel@enya:~$
ansel@enya:~$ cat /etc/default/nfs-common
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
# Do you want to start the statd daemon? It is not needed for NFSv4.
## CHANGED FROM EMPTY.
NEED_STATD=yes
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
## CHANGED FROM NOTHING.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
## CHANGED FROM NOTHING.
NEED_GSSD=yes
ansel@enya:~$
ansel@imogen:~$ cat /etc/default/nfs-common [2/231]
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
## CHANGED FROM NOTHING.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
## Added (https://wiki.debian.org/NFS/Kerberos)
RPCGSSDOPTS="-vvv"
ansel@imogen:~$
ansel@enya:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
#/srv/nfs/mnt/foo *(ro,sync,no_root_squash)
##/srv/nfs/mnt/bar *(rw,sync,no_root_squash)
##/srv/nfs/mnt/baz *(rw,sync,no_root_squash)
##/mnt/foo *(rw,sync,no_subtree_check,sec=krb5)
/mnt/foo gss/krb5p(rw,sync,no_subtree_check)
##/mnt/foo *(rw,sync,no_root_squash)
ansel@enya:~$
尝试安装:
ansel@imogen:~$ klist -f
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
1 ansel@imogen:~$ sudo mount -v -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
[sudo] password for ansel:
mount.nfs4: timeout set for Sun Jul 9 17:27:34 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
ansel@imogen:~$
==> /var/log/kerberos/krb5kdc.log <==
Jul 09 17:25:34 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 17:25:34 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688919934, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for krbtgt/[email protected]
Jul 09 17:25:35 enya krb5kdc[71839](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688919934, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for nfs/[email protected]
ansel@imogen:~$ kinit
Password for [email protected]:
ansel@imogen:~$ sudo mount -v -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
mount.nfs4: timeout set for Sun Jul 9 17:29:21 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
32 ansel@imogen:~$
==> /var/log/kerberos/krb5kdc.log <==
Jul 09 17:26:53 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 17:27:16 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688920036, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
ansel@imogen:~$ sudo -s
root@imogen:/home/ansel# klist -f
klist: No credentials cache found (filename: /tmp/krb5cc_0)
root@imogen:/home/ansel# mount -vvvv -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
mount.nfs4: timeout set for Sun Jul 9 17:32:32 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
root@imogen:/home/ansel#
==> /var/log/kerberos/krb5kdc.log <==
==> /var/log/kerberos/kadmin.log <==
==> /var/log/kerberos/krb5lib.log <==
root@imogen:/home/ansel# kinit ansel
Password for [email protected]:
root@imogen:/home/ansel# mount -vvvv -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
mount.nfs4: timeout set for Sun Jul 9 17:34:48 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
root@imogen:/home/ansel#
==> /var/log/kerberos/krb5kdc.log <==
==> /var/log/kerberos/kadmin.log <==
==> /var/log/kerberos/krb5lib.log <==
==> /var/log/kerberos/krb5kdc.log <==
Jul 09 17:32:01 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 17:32:11 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688920331, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
根据@user1686 的评论编辑添加额外信息:
rpc.gssd
在客户端上运行,并且NEED_GSSD=yes
amdRPCGSSDOPTS="-vvv"
在/etc/default/nfs-common
在客户端上
ansel@imogen:~$ ps aux | grep rpc.gssd
root 604 0.0 0.0 12980 2020 ? Ssl Jul10 0:00 /usr/sbin/rpc.gssd
ansel 1792798 0.0 0.0 9212 2344 pts/1 S+ 15:15 0:00 grep --color=auto rpc.gssd
ansel@imogen:~$ grep -i gss /etc/default/nfs-common
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
RPCGSSDOPTS="-vvv"
ansel@imogen:~$
rpc.gssd 日志在哪里?
安装显示在exportfs -v
服务器上,但我注意到和都已gss/krb5p
指定sec=sys
(我只指定了gss/krb5p
):
ansel@enya:~$ sudo exportfs -v
/mnt/foo gss/krb5p(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
ansel@enya:~$
服务器已rpc.mountd
运行:
ansel@enya:~$ ps aux | grep rpc.mountd
root 575641 0.0 0.0 5440 2712 ? Ss Jul09 0:00 /usr/sbin/rpc.mountd
ansel 1152704 0.0 0.0 6612 2444 pts/2 S+ 15:47 0:00 grep --color=auto rpc.mountd
ansel@enya:~$
gss
服务器上运行的唯一服务是rpc.gssd
,即使在中NEED_SVCGSSD
设置为:"yes"
/etc/default/nfs-kernel-server
ansel@enya:~$ ps aux | grep gss
root 72192 0.0 0.0 12980 1552 ? Ssl Jul01 0:01 /usr/sbin/rpc.gssd
ansel 1157863 0.0 0.0 6608 2244 pts/2 R+ 15:53 0:00 grep --color=auto gss
ansel@enya:~$ grep -i gss /etc/default/nfs-kernel-server
# Do you want to start the svcgssd daemon? It is only required for Kerberos
NEED_SVCGSSD="yes"
# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"
ansel@enya:~$
编辑2:它有效!
我不确定为什么svcgssd
不自动启动,但在手动启动后sudo service rpc-svcgssd start
我似乎能够安装:
ansel@enya:~$ sudo service rpc-svcgssd start
ansel@enya:~$ ps aux | grep gss
root 72192 0.0 0.0 12980 1552 ? Ssl Jul01 0:01 /usr/sbin/rpc.gssd
root 1190509 0.0 0.0 4876 3696 ? Ss 16:31 0:00 /usr/sbin/rpc.svcgssd
ansel 1190606 0.0 0.0 6608 2296 pts/3 S+ 16:31 0:00 grep --color=auto gss
ansel@enya:~$
ansel@imogen:~$ sudo mount -v -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
[sudo] password for ansel:
mount.nfs4: timeout set for Tue Jul 11 16:34:43 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
ansel@imogen:~$ mount | grep enya
enya.colonelpanic.local:/mnt/foo on /mnt/foo type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.2.124,local_lock=none,addr=192.168.2.3)
ansel@imogen:~$
感谢您的帮助@user1686。
安塞尔
答案1
尽管在 /etc/default/nfs-kernel-server 中将 NEED_SVCGSSD 设置为“yes”,但服务器上运行的唯一 gss 服务是 rpc.gssd:
内核gssproxy
需要rpc.svcgssd
处理服务器端 Kerberos“握手”。 (rpc.gssd 是客户端等效项。)
(在最近的系统上,gssproxy 是首选 - 但至少 Debian 版本的 nfs-utils 似乎仍然依赖于较旧的 rpc.svcgssd 守护程序。)
从你的描述来看,听上去像守护进程确实启动过一次(用于初始安装),但由于某种原因崩溃或停止。检查journalctl
日志以找出原因。
以前的:
在收到挂载错误时,我意识到缺少 enya.colonelpanic.local 的主体(尽管我将该领域的 Kerberos 服务器设置为 krb.colonelpanic.local),
您已设置凯尔伯罗斯服务器为“krb...”,而不是NFS服务器——也就是说,这不是缺少主要错误的原因。
您REALM { kdc = ... }
在 krb5.conf 中的配置仅指定了 KDC,即签发票证的系统 - 它与 NFS 无关。(事实上,KDC 根本不被视为“基于主机的服务”,因此您甚至不需要为其创建host/
主体 - 当然也不是nfs/
主体!)
这很正常;MIT Kerberoskadmin/admin
更喜欢通用的,并且从 Kerberos 1.19 开始已停止为 kadmin 创建基于 FQDN 的主体。(文档说它kadmin/<fqdn>
只是为了与 Solaris SEAM 互操作而添加的。)
/mnt/foo gss/krb5p(rw,sync,no_subtree_check)
尽管有默认注释,但这实际上是过时的语法。您的代码/etc/exports
应该如下所示 - 安全模式通过 指定sec=
,类似于客户端,而“客户端主机”字段正常工作:
/mnt/foo *(rw,sync,no_subtree_check,sec=krb5p)
Debian Wiki 文章指出,“需要额外的预认证”错误是由于密钥表不正确造成的,但据我所知,密钥表是正确的:
在大多数情况下,这是一个正常的“错误”——这是预授权的工作原理。如果紧接着是成功的 AS-REQ,则可以忽略它。(也就是说,这是下一个请求,指示 keytab 是否不正确。)由于您的消息后面跟着一个ISSUE:
,所以这表示 keytab 正常。
(您可以用它kinit -k
来确定密钥表是否具有正确的密钥,就像检查密码一样。)
从历史上看,你会向 KDC(AS)索要“krbtgt”票证,AS 只会……把它给你——安全性依赖于票证的会话密钥,该密钥使用只有你知道的密码¹进行加密,因此如果其他人以你的名义索要 krbtgt,他们就无法做任何东西,因为没有密码他们就无法解锁收到的会话密钥。
但他们可以对收到的票证实施离线暴力攻击(即,尽可能多地猜测密码,而这种尝试根本不会显示在 KDC 日志中),因此“预认证”被添加到现有的 AS-REQ 过程中作为伪错误,“新”客户端会将其理解为邀请重试带有一些认证数据的 AS-REQ。
因此,这很像当 URL 需要 HTTP 身份验证(例如 HTTP Basic)时,Web 服务器向您提供 401“错误”代码 - 客户端将此错误识别为发送身份验证详细信息的邀请。
专门使用 keytabs 的主体并不严格需要启用“preauth”标志(因为强行破解随机生成的 AES 密钥是不可行的),但这也不会造成任何损害。
¹(keytab 可以被认为是“密码”。)