Kerberos NFS4 权限被拒绝

**Edit:** I no longer use Sabayon Linux, and this problem did not occur on other distributions. I suggest closing this question.

Update: I realised that, because of a mistake in the hosts file, both machines were resolving their own names to 127.0.0.1 instead of their LAN IP addresses. Once I changed that and tried to mount, the client showed:

mount.nfs4: timeout set for Sun Mar 31 10:33:38 2013
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.10.200,clientaddr=192.168.10.103'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting shakuras.darwinia.lan:/

Looking at the client's syslog:

rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.idmapd[13036]: New client: 1a
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa321f0 data 0x7fffcfa320c0
rpc.gssd[13067]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1a)
rpc.gssd[13067]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
rpc.gssd[13067]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1a)
rpc.gssd[13067]: process_krb5_upcall: service is '*'
rpc.idmapd[13036]: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt1a/idmap
rpc.gssd[13067]: Full hostname for 'server.domain' is 'server.domain'
rpc.gssd[13067]: Full hostname for 'client.domain' is 'client.domain'
rpc.gssd[13067]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@REALM'
rpc.gssd[13067]: No key table entry found for root/client.domain@REALM while getting keytab entry for 'root/client.domain@REALM'
rpc.gssd[13067]: Success getting keytab entry for 'nfs/client.domain@REALM'
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: using FILE:/tmp/krb5cc_machine_REALM as credentials cache for machine creds
rpc.gssd[13067]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_REALM
rpc.gssd[13067]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[13067]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
rpc.gssd[13067]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
rpc.gssd[13067]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_REALM for server server.domain
rpc.gssd[13067]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.domain
rpc.gssd[13067]: Full hostname for 'server.domain' is 'server.domain'
rpc.gssd[13067]: Full hostname for 'client.domain' is 'client.domain'
rpc.gssd[13067]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@REALM'
rpc.gssd[13067]: No key table entry found for root/client.domain@REALM while getting keytab entry for 'root/client.domain@REALM'
rpc.gssd[13067]: Success getting keytab entry for 'nfs/client.domain@REALM'
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: using FILE:/tmp/krb5cc_machine_REALM as credentials cache for machine creds
rpc.gssd[13067]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_REALM
rpc.gssd[13067]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[13067]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
rpc.gssd[13067]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
rpc.gssd[13067]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_REALM for server server.domain
rpc.gssd[13067]: WARNING: Failed to create machine krb5 context with any credentials cache for server server.domain
rpc.gssd[13067]: doing error downcall
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1a
rpc.idmapd[13036]: Stale client: 1a
rpc.idmapd[13036]:  -> closed /var/lib/nfs/rpc_pipefs//nfs/clnt1a/idmap

The server's syslog only shows:

krb5kdc[31142]: AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.10.103: NEEDED_PREAUTH: nfs/client.domain@REALM for krbtgt/REALM@REALM, Additional pre-authentication required

Client ktutil:

ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3   nfs/client.domain@REALM

Server ktutil:

ktutil:  rkt /etc/krb5.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2   nfs/server.domain@REALM

Original question:

I am trying to set up a secure NFS4 server using Kerberos. My network has a local DNS server, and the client and server can both look each other up (forward and reverse). At first I followed this tutorial:

http://wiki.paraf.in/~parafin/linux/nfs4krb5

since I am using Sabayon Linux, which is based on Gentoo. Then I realised that the syntax of the NFS exports file might be incorrect. Currently the NFS export is set up as follows:

/export gss/krb5p(rw,insecure,async,no_root_squash,no_subtree_check)

The client can mount the remote filesystem. However, after trying to change it to Kerberos:

/export gss/krb5(rw,insecure,async,no_root_squash,no_subtree_check)

the client can no longer mount the filesystem. The mount command:

mount -o sec=krb5 -t nfs4  server.domain:/export /mnt/nfs/ -vvv

seems to hang forever. After a few minutes I can see in the client's dmesg:

nfs: server server.domain not responding, timed out

but the command still hangs. Some other facts:

  1. The KDC and the NFS server are the same machine
  2. idmap, rpc.svcgssd and nfs are running on the server
  3. idmap, rpc.gssd and nfs are running on the client
  4. The kernel supports gss rpc
  5. The keytab files for both client and server are in /etc/krb5.keytab and readable only by root

After increasing the verbosity on both sides, when I connect I can see the following. Server:

rpc.svcgssd[23856]: sname = nfs/client.domain@REALM
rpc.svcgssd[23856]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.svcgssd[23856]: prepare_krb5_rfc4121_buffer: protocol 1
rpc.svcgssd[23856]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
rpc.svcgssd[23856]: doing downcall
rpc.svcgssd[23856]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1364700223 (33977 from now), clnt: [email protected], uid: -1, gid: -1, num aux grps: 0:
rpc.svcgssd[23856]: sending null reply
rpc.svcgssd[23856]: writing message: [BINARY MESSAGE]
rpc.svcgssd[23856]: finished handling null request
rpc.svcgssd[23856]: entering poll

Client:

rpc.gssd[20295]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt64)
rpc.gssd[20295]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
rpc.gssd[20295]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt64)
rpc.gssd[20295]: process_krb5_upcall: service is '*'
rpc.gssd[20295]: Full hostname for 'server.domain' is 'server.domain'
rpc.gssd[20295]: Full hostname for 'localhost' is 'localhost'
rpc.gssd[20295]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@REALM'
rpc.gssd[20295]: No key table entry found for root/localhost@REALM while getting keytab entry for 'root/localhost@REALM'
rpc.gssd[20295]: No key table entry found for nfs/localhost@REALM while getting keytab entry for 'nfs/localhost@REALM'
rpc.gssd[20295]: No key table entry found for host/localhost@REALM while getting keytab entry for 'host/localhost@REALM'
rpc.gssd[20295]: Success getting keytab entry for nfs/*@REALM
rpc.gssd[20295]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364700223
rpc.gssd[20295]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364700223
rpc.gssd[20295]: using FILE:/tmp/krb5cc_machine_REALM as credentials cache for machine creds
rpc.gssd[20295]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_REALM
rpc.gssd[20295]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[20295]: creating tcp client for server server.domain
rpc.gssd[20295]: DEBUG: port already set to 2049
rpc.gssd[20295]: creating context with server [email protected]
rpc.gssd[20295]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.gssd[20295]: prepare_krb5_rfc4121_buffer: protocol 1
rpc.gssd[20295]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
rpc.gssd[20295]: doing downcall

I am not sure why it tries to get a key for CLIENT$@REALM (where does the dollar sign at the end of the client name come from?).
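
The two things the update above exposes are a host whose own name resolves to loopback (so rpc.gssd goes looking for nfs/localhost@REALM) and a keytab that lacks the nfs/<fqdn>@REALM entry rpc.gssd settles on after trying the Active Directory style machine-account principal CLIENT$@REALM, root/<fqdn> and nfs/<fqdn> in turn. The script below is an added diagnostic example, not code from the question or from nfs-utils: it takes the outputs of `getent hosts` and `ktutil list` as text so it runs offline, and the hostnames, realm, addresses and keytab listings it uses are constructed sample data that mirror the placeholders in the post.

```sh
#!/bin/sh
# Added example (not from the original post): check the two preconditions
# rpc.gssd needs before it can build a machine context for an NFSv4 mount.
# On a real client feed the functions:  hostname -f,
# getent hosts "$(hostname -f)",  and the `list` output of ktutil after
# `rkt /etc/krb5.keytab`.  The sample inputs at the bottom are constructed.

# 0 if HOST's address in a getent-hosts style line is loopback (127.x or ::1).
resolves_to_loopback() {
    host="$1"; getent_line="$2"
    addr=$(printf '%s\n' "$getent_line" |
        awk -v h="$host" '{ for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }')
    case "$addr" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if a ktutil listing holds the principal nfs/FQDN@REALM (any slot or KVNO).
# The principal is the last field of each data row: "slot KVNO Principal".
keytab_has_nfs_principal() {
    fqdn="$1"; realm="$2"; listing="$3"
    printf '%s\n' "$listing" |
        awk -v p="nfs/$fqdn@$realm" '$NF == p { found = 1 } END { exit !found }'
}

# Run both checks, report each failure, return 0 only when both pass.
diagnose_nfs_krb5() {
    fqdn="$1"; realm="$2"; getent_line="$3"; listing="$4"
    rc=0
    if resolves_to_loopback "$fqdn" "$getent_line"; then
        echo "FAIL: $fqdn resolves to loopback; rpc.gssd will look for nfs/localhost@$realm"
        rc=1
    fi
    if ! keytab_has_nfs_principal "$fqdn" "$realm" "$listing"; then
        echo "FAIL: keytab has no nfs/$fqdn@$realm entry"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $fqdn resolves to a LAN address and the keytab holds nfs/$fqdn@$realm"
    return "$rc"
}

# Constructed sample data standing in for the real command outputs.
BAD_HOSTS='127.0.0.1 client.domain client'
GOOD_HOSTS='192.168.10.103 client.domain client'
CLIENT_KEYTAB='slot KVNO Principal
---- ---- ----------------
   1    3   nfs/client.domain@REALM'
SERVER_KEYTAB='slot KVNO Principal
---- ---- ----------------
   1    2   nfs/server.domain@REALM'

# Usage on the constructed data; the second call reproduces the hosts-file mistake:
#   diagnose_nfs_krb5 client.domain REALM "$GOOD_HOSTS" "$CLIENT_KEYTAB"
#   diagnose_nfs_krb5 client.domain REALM "$BAD_HOSTS"  "$CLIENT_KEYTAB"
```

Both checks deliberately look only at what rpc.gssd itself consults (the resolved FQDN and the keytab principals), so a clean result here and a mount that still fails points at the KDC side, for example the NEEDED_PREAUTH exchange in the server log, rather than at the client's keytab or name resolution.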
