I have two systems on my local network: nfsclient (CentOS 7) and nfsserver (CentOS 6). The names resolve correctly to their IP addresses, and Kerberos works between them (nfsserver is the KDC). I have exported a Kerberized NFSv4 share on nfsserver; my /etc/exports is as follows:
/export *(rw,sync,fsid=0,no_subtree_check,sec=krb5p)
/export/home *(rw,sync,no_subtree_check,no_root_squash,sec=krb5p)
I can see these exports from nfsclient:
[root@nfsclient ~]# showmount -e nfsserver
Export list for nfsserver:
/export/home *
/export *
If I remove the sec=krb5p option from /etc/exports, I can mount the share from nfsclient:
[root@nfsclient ~]# mount -t nfs4 nfsserver:/ /mnt/nfs
However, when NFS is Kerberized, things do not go as smoothly:
[root@nfsclient ~]# mount -t nfs4 -o sec=krb5p nfsserver:/ /mnt/nfs
mount.nfs4: access denied by server while mounting nfsserver:/
This is accompanied by a string of repeated error messages in /var/log/messages:
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Nothing shows up in the logs on the server. Running klist on the client shows that root has a credentials cache at /tmp/krb5cc_0, so I think the problem lies with gss-proxy.
/etc/gssproxy/gssproxy.conf:
[gssproxy]
[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/gssproxy/http.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = 48
[service/nfs-server]
mechs = krb5
socket = /run/gssproxy.sock
cred_store = keytab:/etc/krb5.keytab
trusted = yes
kernel_nfsd = yes
euid = 0
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
So gss-proxy must be looking for credential caches in /var/lib/gssproxy/clients. It also takes its keys from /etc/krb5.keytab (which contains keys for the principals nfs/nfsclient and host/nfsclient). However, /var/lib/gssproxy/clients on nfsclient always seems to be empty.
Am I missing something here? I cannot figure out what exactly is going wrong when mounting this share.
Answer 1
There is a problem with the default file configuration when defining the cache path. Try the following client configuration in /etc/gssproxy/gssproxy.conf:
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/tmp/krb5cc_%U
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
debug = true
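The question and answer 1 turn on one detail: gssproxy resolves the credential cache for a user by expanding %U in the ccache cred_store entry, so if that path is not where klist says the ticket lives, gssproxy reports "No credentials cache found" even though the user is authenticated. The following script, added here as an example and not part of either post, makes that check mechanical: it parses a gssproxy.conf section (keeping repeated cred_store keys, which a stock INI parser would collapse), expands %U for a given uid, and compares the result with the cache path reported by klist. The config text is copied from the question and from answer 1; the function names and the klist path passed in are assumptions for illustration.

```python
import os
import re

# Client-side section as posted in the question (constructed copy for the example).
QUESTION_CONF = """\
[service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0
"""

# The same section with the ccache path suggested in answer 1.
ANSWER_CONF = QUESTION_CONF.replace(
    "ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U", "ccache:FILE:/tmp/krb5cc_%U"
)


def parse_gssproxy_conf(text):
    """Parse gssproxy.conf into {section: [(key, value), ...]}.

    A list per section preserves repeated keys such as cred_store; configparser
    would keep only the last one and hide the very entry we need to inspect.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def strip_ccache_type(spec):
    """Drop an optional FILE: type prefix so klist output and config compare equal."""
    return spec[len("FILE:"):] if spec.startswith("FILE:") else spec


def ccache_paths(text, section, uid):
    """Credential-cache files gssproxy would open for `uid` under `section`.

    Only cred_store = ccache:... entries count; %U expands to the numeric uid.
    """
    paths = []
    for key, value in parse_gssproxy_conf(text).get(section, []):
        if key != "cred_store" or not value.startswith("ccache:"):
            continue
        spec = strip_ccache_type(value[len("ccache:"):])
        paths.append(spec.replace("%U", str(uid)))
    return paths


def ccache_mismatch(text, section, uid, klist_ccache):
    """True when the cache klist reports is not one gssproxy is configured to read."""
    return strip_ccache_type(klist_ccache) not in ccache_paths(text, section, uid)


def report(text, section, uid, klist_ccache, exists=os.path.exists):
    """Human-readable summary; `exists` is injectable so it can run off-box."""
    lines = []
    for path in ccache_paths(text, section, uid):
        state = "present" if exists(path) else "MISSING"
        lines.append(f"gssproxy [{section}] uid {uid} -> {path}: {state}")
    if ccache_mismatch(text, section, uid, klist_ccache):
        lines.append(f"klist cache {klist_ccache} is not in the gssproxy ccache list")
    return lines


if __name__ == "__main__":
    # On a real client, read /etc/gssproxy/gssproxy.conf and paste the
    # "Ticket cache:" value from klist; here both are the question's values.
    for line in report(QUESTION_CONF, "service/nfs-client", 0, "FILE:/tmp/krb5cc_0"):
        print(line)
```

Run as root on the client, with the real config file read in and the klist path substituted, the first line tells you which file gssproxy is actually opening for uid 0 and whether it exists; the mismatch line reproduces the situation in the question (klist says /tmp/krb5cc_0, gssproxy looks in /var/lib/gssproxy/clients/krb5cc_0). With answer 1's ccache entry the two agree and no mismatch is reported.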
Answer 2
Make sure your client is joined to the domain:
ipa-client-install --force-join
Then make sure you have a ticket:
kinit admin
Then double-check krb5.keytab:
restorecon -v /etc/krb5.keytab
Make sure your client is in the keytab:
kinit -k
host/<client>.<domain>@REALM
Then you should be able to mount with sec=krb5p.