I need to deploy NFSv4 with Kerberos authentication in an existing AD environment, but this has to be done without making any changes to the KDC.
So I figured I need to reuse the host credentials to authenticate the server. But it doesn't seem to work, and I just don't understand why.
I'm using CentOS 6. We have been using Kerberos + LDAP with many other services (via PAM, OpenAFS, SSH).
For simplicity, the same machine is now playing the role of both client and server.
So my configuration looks like this:
/etc/sysconfig/nfs:
SECURE_NFS="yes"
RPCGSSDARGS="-vvvvvvv"
RPCSVCGSSDARGS="-n -vvvvv -rrrrr -iiiiii"
The important part here is the "-n" option passed to rpc.svcgssd (from the man page: "use the system default credentials (host/FQDN@REALM) rather than the default nfs/FQDN@REALM").
In /etc/idmapd.conf I have:
[General]
Verbosity = 3
Domain = mycompany.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = nsswitch
In /etc/krb5.conf I have:
[libdefaults]
 default_realm = MYCOMPANY.COM
 ticket_lifetime = 25h
 renew_lifetime = 120h
 forwardable = true
 proxiable = true
 default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
 allow_weak_crypto = true
 chpw_prompt = true

[realms]
 MYCOMPANY.COM = {
  default_domain = mycompany.com
  kpasswd_server = dc.mycompany.com
  admin_server = dc.mycompany.com
  kdc = dc.mycompany.com
  v4_name_convert = {
   host = {
    rcmd = host
   }
  }
 }

[domain_realm]
 .mycompany.com = MYCOMPANY.COM

[appdefaults]
 pkinit_pool = DIR:/etc/pki/tls/certs/
 pkinit_anchors = DIR:/etc/pki/tls/certs/
 pam = {
  external = true
  krb4_convert = false
  krb4_convert_524 = false
  krb4_use_as_req = false
  ticket_lifetime = 25h
  use_shmem = sshd
 }
In /etc/exports:
/exports *(rw,async,no_root_squash,insecure,no_subtree_check,fsid=0,sec=krb5)
/exports/data *(rw,async,no_root_squash,insecure,no_subtree_check,nohide,sec=krb5)
So now, if I try to mount this NFS share by running
mount -vvvv -t nfs4 -o rw,sec=krb5 nfs-srv-1:/ /mnt
as root, I get:
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "nfs-srv-1:/"
mount: node: "/mnt"
mount: types: "nfs4"
mount: opts: "rw,sec=krb5"
final mount options: 'sec=krb5'
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "nfs-srv-1:/"
mount: external mount: argv[2] = "/mnt"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Thu Sep 3 15:19:19 2015
mount.nfs4: trying text-based options 'sec=krb5,addr=xxx.xxx.xx.xxx,clientaddr=xxx.xxx.xx.xxx'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs-srv-1:/
and in the logs:
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8b)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: process_krb5_upcall: service is '<null>'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Full hostname for 'nfs-srv-1.mycompany.com' is 'nfs-srv-1.mycompany.com'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/[email protected]'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MYCOMPANY.COM' are good until 1441374524
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_MYCOMPANY.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context using fsuid 0 (save_uid 0)
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating tcp client for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: DEBUG: port already set to 2049
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server [email protected]
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MYCOMPANY.COM for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create machine krb5 context with any credentials cache for server nfs-srv-1.mycompany.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8c
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8b
Contents of the ticket cache (run later, so please ignore the timestamps...):
Ticket cache: FILE:/tmp/krb5cc_machine_MYCOMPANY.COM
Default principal: host/[email protected]

Valid starting     Expires            Service principal
09/04/15 10:34:34  09/05/15 11:34:34  krbtgt/[email protected]
        renew until 09/09/15 10:34:34
It seems to find my host credentials, but it is unable to initialize the Kerberos 5 context. I don't know what to do; can you help me?
Let me know if you need more details.
Thanks a lot.
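An added example, not part of the post above: a small Python triage script that walks rpc.gssd output of the shape quoted in the question and names the first step of gssd's sequence (keytab lookup, machine ccache, GSS context to the server) that did not succeed. The sample log lines and the EXAMPLE.COM principals are constructed placeholders, since the post's own principals are obfuscated.

```python
import re

# Constructed sample in the shape of the rpc.gssd lines quoted in the post above;
# principals and realm are placeholders, since the post's own are obfuscated.
SAMPLE_LOG = """\
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for root@EXAMPLE.COM while getting keytab entry for 'root@EXAMPLE.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: No key table entry found for nfs/nfs-srv-1.example.com@EXAMPLE.COM while getting keytab entry for 'nfs/nfs-srv-1.example.com@EXAMPLE.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: Success getting keytab entry for 'host/nfs-srv-1.example.com@EXAMPLE.COM'
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: using FILE:/tmp/krb5cc_machine_EXAMPLE.COM as credentials cache for machine creds
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: creating context with server nfs@nfs-srv-1.example.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs-srv-1.example.com
Sep 3 15:17:58 nfs-srv-1 rpc.gssd[3437]: doing error downcall
"""

# One pattern per fact rpc.gssd reports; the keys double as summary fields.
PATTERNS = {
    "keytab_missing": re.compile(r"No key table entry found for (\S+) while"),
    "keytab_found": re.compile(r"Success getting keytab entry for '([^']+)'"),
    "ccache": re.compile(r"using (\S+) as credentials cache for machine creds"),
    "target": re.compile(r"creating context with server (\S+)"),
    "context_failed": re.compile(r"Failed to create .*krb5 context .*for server (\S+)"),
    "error_downcall": re.compile(r"doing error downcall"),
}

def summarize_gssd(log):
    """Record which keytab principals gssd tried, which one it found, the
    ccache and GSS target it used, and whether context creation failed."""
    s = {"keytab_missing": [], "keytab_found": None, "ccache": None,
         "target": None, "context_failed": False, "error_downcall": False}
    for line in log.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "keytab_missing":
                s[key].append(m.group(1))      # candidates gssd tried and skipped
            elif key in ("context_failed", "error_downcall"):
                s[key] = True
            else:
                s[key] = m.group(1)
            break
    return s

def diagnose(s):
    """Name the first step in gssd's sequence that did not succeed."""
    if s["keytab_found"] is None:
        return "no usable keytab entry: gssd has no machine credential to start from"
    if s["context_failed"]:
        return ("keytab entry %s and ccache %s were usable but the GSS context to %s failed: "
                "check that a service ticket for that target is obtainable" % (s["keytab_found"], s["ccache"], s["target"]))
    return "gssd reported no failure"
```

Run it against a real `rpc.gssd -vvv` capture by passing the file contents to summarize_gssd; the output distinguishes a keytab problem from a failure that happens after the machine credentials were already obtained.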