Why do I get a "No credentials cache found" error when mounting a Kerberized NFS share?


I have two systems on my local network: nfsclient (CentOS 7) and nfsserver (CentOS 6). The names resolve correctly to their IP addresses, and Kerberos works between them (nfsserver is the KDC). I have exported a Kerberized NFSv4 share on nfsserver; my /etc/exports is as follows:

/export                 *(rw,sync,fsid=0,no_subtree_check,sec=krb5p)
/export/home            *(rw,sync,no_subtree_check,no_root_squash,sec=krb5p)

I can see these exports from nfsclient:

[root@nfsclient ~]# showmount -e nfsserver
Export list for nfsserver:
/export/home *
/export      *

If I remove the sec=krb5p option from /etc/exports, I can mount the share from nfsclient:

[root@nfsclient ~]# mount -t nfs4 nfsserver:/ /mnt/nfs

However, when NFS is Kerberized, things do not go as smoothly:

[root@nfsclient ~]# mount -t nfs4 -o sec=krb5p nfsserver:/ /mnt/nfs
mount.nfs4: access denied by server while mounting nfsserver:/

This is accompanied by a series of repeated error messages in /var/log/messages:

Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

Nothing shows up in the logs on the server. Running klist on the client shows that root has a credential cache at /tmp/krb5cc_0, so I think the problem is with gss-proxy.

/etc/gssproxy/gssproxy.conf:

[gssproxy]

[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

So gss-proxy must be looking for the credential cache in /var/lib/gssproxy/clients. It also gets its keys from /etc/krb5.keytab (which contains keys for the principals nfs/nfsclient and host/nfsclient). However, /var/lib/gssproxy/clients on nfsclient always seems to be empty.

Am I missing something here? I cannot figure out what exactly is going wrong when mounting this share.

Answer 1

There is a problem with the default file configuration when defining the cache path. Try the following client configuration in /etc/gssproxy/gssproxy.conf:

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  debug = true
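
As an added example (not code from the question or either answer), here is a small Python checker for the mismatch described above: it parses a gssproxy.conf fragment, keeping repeated cred_store keys as a list, expands %U to the numeric uid as gssproxy documents, and reports whether the cache that klist showed for root (/tmp/krb5cc_0) is a location the nfs-client service would actually read. The two config fragments are constructed from the question and from answer 1.

```python
import re

# Constructed sample: the nfs-client section from the question (not the whole file)
ASKER_CONF = """
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
"""
# Constructed sample: the same section with the ccache path proposed in answer 1
FIXED_CONF = ASKER_CONF.replace("/var/lib/gssproxy/clients/krb5cc_%U", "/tmp/krb5cc_%U")

def parse_gssproxy_conf(text):
    """INI-style parse; repeated keys such as cred_store accumulate into a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections

def ccache_paths(conf, service, uid):
    """Where gssproxy's <service> looks for a cache: ccache entries with %U -> uid."""
    paths = []
    for entry in conf.get(service, {}).get("cred_store", []):
        kind, _, location = entry.partition(":")
        if kind == "ccache":
            location = location[5:] if location.startswith("FILE:") else location
            paths.append(location.replace("%U", str(uid)))
    return paths

def diagnose(conf_text, uid, klist_cache, service="service/nfs-client"):
    """'ok' if the cache klist reported is one gssproxy would read, else 'mismatch'."""
    expected = ccache_paths(parse_gssproxy_conf(conf_text), service, uid)
    return ("ok" if klist_cache in expected else "mismatch"), expected

if __name__ == "__main__":
    for name, conf in (("question", ASKER_CONF), ("answer 1", FIXED_CONF)):
        # root's cache on the asker's client, as shown by klist: /tmp/krb5cc_0
        status, paths = diagnose(conf, 0, "/tmp/krb5cc_0")
        print(f"{name}: {status}; gssproxy nfs-client would read {paths}")
```

With the question's section the checker reports a mismatch (gssproxy reads /var/lib/gssproxy/clients/krb5cc_0, which is empty), matching the "No credentials cache found" errors; with answer 1's path it reports ok.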

Answer 2

Make sure your client is joined to the domain.

ipa-client-install --force-join

Then make sure you have a ticket:

kinit admin

Then double-check krb5.keytab:

restorecon -v /etc/krb5.keytab

Make sure your client is in the keytab:

kinit -k

host/<client>.<domain>@REALM

Then you should be able to mount with sec=krb5p.
