能够安装一次 Kerberised NFSv4 导出,但不能随后安装。‘安装时服务器拒绝访问’;‘需要额外的预身份验证’

tag-icon tag-icon linux ubuntu nfs kerberos
能够安装一次 Kerberised NFSv4 导出,但不能随后安装。‘安装时服务器拒绝访问’;‘需要额外的预身份验证’

能够安装一次 Kerberised NFSv4 导出,但不能随后安装。‘安装时服务器拒绝访问’;‘需要额外的预身份验证’

你好,

我是 Kerberos 的新手,但对不具备安全性的 NFS 有一些经验。

我正在尝试在运行 Ubuntu 22.04 的两台主机上设置具有 krb5p 安全性的 NFS:服务器——enya.colonelpanic.local在裸机上运行全新安装的 Ubuntu Server 22.04;客户端——imogen.colonelpanic.local是一个最初运行 18.04 的虚拟机,但是当在命令中指定 v4 时,它一直回退到 NFSv3 mount,所以我想升级以查看它们都运行 22.04 是否会更幸运。

我主要指的是http://techpubs.spinlocksolutions.com/dklar/kerberos.htmlhttps://wiki.debian.org/NFS/Kerberos我没有使用 Debian Wiki 文章中概述的 GSSProxy。

我正在运行 Spinlock Solutions 文章 () 中概述的命令sudo tail -n0 -F /var/log/{*log,dmesg,messages,kerberos/{krb5kdc,kadmin,krb5lib}.log}来监视日志文件,并想知道为什么它没有为 Kerberos 日志文件生成任何输出;然后我意识到它/var/log被报告为只读文件系统,因此基于https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1874915我添加了/var/log在和ReadWriteDirectories中。/lib/systemd/system/krb5-kdc.service/lib/systemd/system/krb5-admin-server.service

有一次,当收到挂载错误时,我意识到缺少 的主体enya.colonelpanic.local(尽管我将领域的 Kerberos 服务器设置为krb.colonelpanic.local),因此我添加了这些主体,最终能够enya.colonelpanic.local:/mnt/foo在 上成功挂载imogen,但是重新启动后,imogen我无法挂载,并出现“服务器拒绝权限”错误。我还意识到enya的时钟(未使用 NTP)比的时钟imogen(使用 NTP)晚了大约 10 分钟;两者现在都在使用 NTP。

重新启动后第一次挂载尝试的imogen结果如下enya

==> /var/log/kerberos/krb5kdc.log <==
Jul 09 12:40:08 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 12:40:08 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688902808, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for krbtgt/[email protected]
Jul 09 12:40:08 enya krb5kdc[71839](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688902808, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for nfs/[email protected]

kinit无论我是否以我的用户身份 ( ) 发出获取票证,情况都是如此ansel;我也尝试过sudo -s以 root 身份执行 -ing,然后发出kinit ansel并挂载,但结果相同。后续挂载尝试导致 中没有其他输出/var/log/kerberos/krb5kdc.log

Debian Wiki 文章指出,“需要额外的预认证”错误是由于密钥表不正确造成的,但据我所知,密钥表是正确的:

ansel@enya:~$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/[email protected]
   8 host/[email protected]
   8 nfs/[email protected]
   8 nfs/[email protected]
   8 host/[email protected]
   8 host/[email protected]
   8 nfs/[email protected]
   8 nfs/[email protected]
ansel@enya:~$ 

ansel@imogen:~$ sudo klist -k
[sudo] password for ansel: 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 host/[email protected]
  13 host/[email protected]
  16 nfs/[email protected]
  16 nfs/[email protected]
ansel@imogen:~$

我尝试删除并重新创建密钥表,以及删除我的用户(anselansel/admin)的主体,按照https://serverfault.com/a/959566/371237沒有改變。

我也发现了这个https://askubuntu.com/questions/1457852/kerberized-nfs-mounts-stopped-working-with-ubuntu-21-10-still-in-22-10关于 Ubuntu 22.04 中缺少与 GSS 有关的模块,因此确保rpcsec_gss_krb5在两台机器上都加载了该模块modprobe

其他相关配置文件和命令输出:

/etc/hostsenya(服务器)和imogen(客户端)上(我的 DNS 设置不稳定,因此我在这里指定了主机名和 FQDN):

ansel@enya:~$ cat /etc/hosts
127.0.0.1 localhost
## Changed for Kerberos setup.
#127.0.1.1 enya
192.168.2.3 enya.colonelpanic.local enya krb.colonelpanic.local krb

192.168.2.124 imogen.colonelpanic.local imogen

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ansel@enya:~$ 

ansel@imogen:~$ cat /etc/hosts
127.0.0.1       localhost
##127.0.1.1       imogen
192.168.2.124 imogen.colonelpanic.local imogen

## Changed for Kerberos setup.
#127.0.1.1 enya
192.168.2.3 enya.colonelpanic.local enya krb.colonelpanic.local krb

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ansel@imogen:~$ 



ansel@enya:~$ cat /etc/krb5.conf
[libdefaults]                                                                                                          
        default_realm = COLONELPANIC.LOCAL                                                                             
                                                                                                                       
# The following krb5.conf variables are only for MIT Kerberos.                                                         
        kdc_timesync = 1                                                                                               
        ccache_type = 4                                                                                                
        forwardable = true                                                                                             
        proxiable = true                                                                                               
                                                                                                                       
# The following encryption type specification will be used by MIT Kerberos                                             
# if uncommented.  In general, the defaults in the MIT Kerberos code are                                               
# correct and overriding these specifications only serves to disable new                                               
# encryption types as they are added, creating interoperability problems.                                              
#                                                                                                                      
# The only time when you might need to uncomment these lines and change                                                
# the enctypes is if you have local software that will break on ticket                                                 
# caches containing ticket encryption types it doesn't know about (such as                                             
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        COLONELPANIC.LOCAL = {
                kdc = krb.colonelpanic.local
                admin_server = krb.colonelpanic.local
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

        .colonelpanic.local = COLONELPANIC.LOCAL
        colonelpanic.local = COLONELPANIC.LOCAL
         
[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
ansel@enya:~$ 



ansel@enya:~$ sudo kadmin.local -q "listprincs"
Authenticating as principal root/[email protected] with password.
K/[email protected]
ansel/[email protected]
[email protected]
host/[email protected]
host/[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
nfs/[email protected]
nfs/[email protected]
nfs/[email protected]
ansel@enya:~$

我注意到的一件事是,我没有或 的校长。kadmin/[email protected]kadmin/[email protected]

ansel@enya:~$ cat /etc/default/nfs-kernel-server
# Number of servers to start up                                                                                        
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids" 

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".

## CHANGED FROM EMPTY. (https://wiki.debian.org/NFS/Kerberos)
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
## CHANGED (https://wiki.debian.org/NFS/Kerberos)
RPCSVCGSSDOPTS="-vvv"
ansel@enya:~$ 

ansel@enya:~$ cat /etc/default/nfs-common
# If you do not set values for the NEED_ options, they will be attempted                                               
# autodetected; this should be sufficient for most people. Valid alternatives                                          
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
## CHANGED FROM EMPTY.
NEED_STATD=yes

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
## CHANGED FROM NOTHING.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
## CHANGED FROM NOTHING.
NEED_GSSD=yes
ansel@enya:~$ 

ansel@imogen:~$ cat /etc/default/nfs-common                                                                     [2/231]
# If you do not set values for the NEED_ options, they will be attempted                                               
# autodetected; this should be sufficient for most people. Valid alternatives                                          
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
## CHANGED FROM NOTHING.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

## Added (https://wiki.debian.org/NFS/Kerberos)
RPCGSSDOPTS="-vvv"
ansel@imogen:~$ 

ansel@enya:~$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#

#/srv/nfs/mnt/foo       *(ro,sync,no_root_squash)
##/srv/nfs/mnt/bar       *(rw,sync,no_root_squash)
##/srv/nfs/mnt/baz       *(rw,sync,no_root_squash)

##/mnt/foo   *(rw,sync,no_subtree_check,sec=krb5)
/mnt/foo   gss/krb5p(rw,sync,no_subtree_check)
##/mnt/foo     *(rw,sync,no_root_squash)
ansel@enya:~$

尝试安装:

ansel@imogen:~$ klist -f
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
1 ansel@imogen:~$ sudo mount -v -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
[sudo] password for ansel: 
mount.nfs4: timeout set for Sun Jul  9 17:27:34 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
ansel@imogen:~$ 

==> /var/log/kerberos/krb5kdc.log <==
Jul 09 17:25:34 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 17:25:34 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688919934, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for krbtgt/[email protected]
Jul 09 17:25:35 enya krb5kdc[71839](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688919934, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nfs/[email protected] for nfs/[email protected]

ansel@imogen:~$ kinit
Password for [email protected]: 
ansel@imogen:~$ sudo mount -v -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
mount.nfs4: timeout set for Sun Jul  9 17:29:21 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
32 ansel@imogen:~$ 

==> /var/log/kerberos/krb5kdc.log <==
Jul 09 17:26:53 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 17:27:16 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688920036, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]

ansel@imogen:~$ sudo -s
root@imogen:/home/ansel# klist -f
klist: No credentials cache found (filename: /tmp/krb5cc_0)
root@imogen:/home/ansel# mount -vvvv -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
mount.nfs4: timeout set for Sun Jul  9 17:32:32 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
root@imogen:/home/ansel# 

==> /var/log/kerberos/krb5kdc.log <==

==> /var/log/kerberos/kadmin.log <==

==> /var/log/kerberos/krb5lib.log <==

root@imogen:/home/ansel# kinit ansel
Password for [email protected]: 
root@imogen:/home/ansel# mount -vvvv -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo
mount.nfs4: timeout set for Sun Jul  9 17:34:48 2023
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.3,clientaddr=192.168.2.124'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting enya.colonelpanic.local:/mnt/foo
root@imogen:/home/ansel# 

==> /var/log/kerberos/krb5kdc.log <==

==> /var/log/kerberos/kadmin.log <==

==> /var/log/kerberos/krb5lib.log <==

==> /var/log/kerberos/krb5kdc.log <==
Jul 09 17:32:01 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Jul 09 17:32:11 enya krb5kdc[71839](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.2.124: ISSUE: authtime 1688920331, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]

根据@user1686 的评论编辑添加额外信息:

rpc.gssd在客户端上运行,并且NEED_GSSD=yesamdRPCGSSDOPTS="-vvv"/etc/default/nfs-common在客户端上

ansel@imogen:~$ ps aux | grep rpc.gssd
root         604  0.0  0.0  12980  2020 ?        Ssl  Jul10   0:00 /usr/sbin/rpc.gssd
ansel    1792798  0.0  0.0   9212  2344 pts/1    S+   15:15   0:00 grep --color=auto rpc.gssd
ansel@imogen:~$ grep -i gss /etc/default/nfs-common
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
RPCGSSDOPTS="-vvv"
ansel@imogen:~$

rpc.gssd 日志在哪里?

安装显示在exportfs -v服务器上,但我注意到和都已gss/krb5p指定sec=sys(我只指定了gss/krb5p):

ansel@enya:~$ sudo exportfs -v
/mnt/foo        gss/krb5p(sync,wdelay,hide,no_subtree_check,sec=sys,rw,secure,root_squash,no_all_squash)
ansel@enya:~$

服务器已rpc.mountd运行:

ansel@enya:~$ ps aux | grep rpc.mountd
root      575641  0.0  0.0   5440  2712 ?        Ss   Jul09   0:00 /usr/sbin/rpc.mountd
ansel    1152704  0.0  0.0   6612  2444 pts/2    S+   15:47   0:00 grep --color=auto rpc.mountd
ansel@enya:~$

gss服务器上运行的唯一服务是rpc.gssd,即使在中NEED_SVCGSSD设置为:"yes"/etc/default/nfs-kernel-server

ansel@enya:~$ ps aux | grep gss
root       72192  0.0  0.0  12980  1552 ?        Ssl  Jul01   0:01 /usr/sbin/rpc.gssd
ansel    1157863  0.0  0.0   6608  2244 pts/2    R+   15:53   0:00 grep --color=auto gss
ansel@enya:~$ grep -i gss /etc/default/nfs-kernel-server
# Do you want to start the svcgssd daemon? It is only required for Kerberos
NEED_SVCGSSD="yes"
# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"
ansel@enya:~$

编辑2:它有效!

我不确定为什么svcgssd不自动启动,但在手动启动后sudo service rpc-svcgssd start我似乎能够安装:

ansel@enya:~$ sudo service rpc-svcgssd start
ansel@enya:~$ ps aux | grep gss
root       72192  0.0  0.0  12980  1552 ?        Ssl  Jul01   0:01 /usr/sbin/rpc.gssd
root     1190509  0.0  0.0   4876  3696 ?        Ss   16:31   0:00 /usr/sbin/rpc.svcgssd
ansel    1190606  0.0  0.0   6608  2296 pts/3    S+   16:31   0:00 grep --color=auto gss
ansel@enya:~$ 

ansel@imogen:~$ sudo mount -v -t nfs4 -o sec=krb5p enya.colonelpanic.local:/mnt/foo /mnt/foo                           
[sudo] password for ansel:                                                                                             
mount.nfs4: timeout set for Tue Jul 11 16:34:43 2023                                                                   
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.3,clientaddr=192.168.2.124'                   
ansel@imogen:~$ mount | grep enya
enya.colonelpanic.local:/mnt/foo on /mnt/foo type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=192.168.2.124,local_lock=none,addr=192.168.2.3)
ansel@imogen:~$

感谢您的帮助@user1686。

安塞尔

答案1

尽管在 /etc/default/nfs-kernel-server 中将 NEED_SVCGSSD 设置为“yes”,但服务器上运行的唯一 gss 服务是 rpc.gssd:

内核gssproxy需要rpc.svcgssd处理服务器端 Kerberos“握手”。 (rpc.gssd 是客户端等效项。)

(在最近的系统上,gssproxy 是首选 - 但至少 Debian 版本的 nfs-utils 似乎仍然依赖于较旧的 rpc.svcgssd 守护程序。)

从你的描述来看,听上去像守护进程确实启动过一次(用于初始安装),但由于某种原因崩溃或停止。检查journalctl日志以找出原因。

以前的:

在收到挂载错误时,我意识到缺少 enya.colonelpanic.local 的主体(尽管我将该领域的 Kerberos 服务器设置为 krb.colonelpanic.local),

您已设置凯尔伯罗斯服务器为“krb...”,而不是NFS服务器——也就是说,这不是缺少主要错误的原因。

REALM { kdc = ... }在 krb5.conf 中的配置仅指定了 KDC,即签发票证的系统 - 它与 NFS 无关。(事实上,KDC 根本不被视为“基于主机的服务”,因此您甚至不需要为其创建host/主体 - 当然也不是nfs/主体!)

我注意到的一件事是我没有 kadmin/ 的主体[电子邮件保护]或 kadmin/[电子邮件保护]

这很正常;MIT Kerberoskadmin/admin更喜欢通用的,并且从 Kerberos 1.19 开始已停止为 kadmin 创建基于 FQDN 的主体。(文档说它kadmin/<fqdn>只是为了与 Solaris SEAM 互操作而添加的。)

/mnt/foo gss/krb5p(rw,sync,no_subtree_check)

尽管有默认注释,但这实际上是过时的语法。您的代码/etc/exports应该如下所示 - 安全模式通过 指定sec=,类似于客户端,而“客户端主机”字段正常工作:

/mnt/foo *(rw,sync,no_subtree_check,sec=krb5p)

Debian Wiki 文章指出,“需要额外的预认证”错误是由于密钥表不正确造成的,但据我所知,密钥表是正确的:

在大多数情况下,这是一个正常的“错误”——这是预授权的工作原理。如果紧接着是成功的 AS-REQ,则可以忽略它。(也就是说,这是下一个请求,指示 keytab 是否不正确。)由于您的消息后面跟着一个ISSUE:,所以这表示 keytab 正常。

(您可以用它kinit -k来确定密钥表是否具有正确的密钥,就像检查密码一样。)

从历史上看,你会向 KDC(AS)索要“krbtgt”票证,AS 只会……把它给你——安全性依赖于票证的会话密钥,该密钥使用只有你知道的密码¹进行加密,因此如果其他人以你的名义索要 krbtgt,他们就无法任何东西,因为没有密码他们就无法解锁收到的会话密钥。

但他们可以对收到的票证实施离线暴力攻击(即,尽可能多地猜测密码,而这种尝试根本不会显示在 KDC 日志中),因此“预认证”被添加到现有的 AS-REQ 过程中作为伪错误,“新”客户端会将其理解为邀请重试带有一些认证数据的 AS-REQ。

因此,这很像当 URL 需要 HTTP 身份验证(例如 HTTP Basic)时,Web 服务器向您提供 401“错误”代码 - 客户端将此错误识别为发送身份验证详细信息的邀请。

专门使用 keytabs 的主体并不严格需要启用“preauth”标志(因为强行破解随机生成的 AES 密钥是不可行的),但这也不会造成任何损害。

¹(keytab 可以被认为是“密码”。)

相关内容