在CentOS 6.4上挂载Kerberosvalidation的NFS共享时出现的问题

我试图在CentOS 6.4机器上安装Kerberosauthentication的NFS共享。 我试图从另一个CentOS 6.4机器和我们的NetApp导出受保护的共享，结果相同。

CentOS机器和NetApp都join到我们的Active Directory（2012）域。 我可以使用AD凭证SSH进入CentOS机器。 诸如kinit，msktuil等工具的工作。 我已经使用mskutil来生成客户端的keytab文件。 AD中的计算机帐户具有计算机，根，nfs等的主要logging。时钟全部同步到域控制器。

我在下面的rpc.gssd输出中看到它没有find一个键，但是它继续find根键。 下一行似乎表明它没有find它在前面的行中find的键？

蜂房的头脑可以帮我在这里find我吗？ 我觉得我已经接近有事情了

• 如何使用广告证书颁发机构颁发networking托pipe证书
• 将AD域pipe理员组包含在Linux sudoers中？
• 如何删除孤立的域控制器的DNSlogging？
• 将服务器join域后强制进行活动目录复制？
• parsingSYSVOL的副本

客户端上的/etc/krb5.keytab文件的相关位如下所示：

5 12/02/13 16:14:14 [email protected] 5 12/02/13 16:14:14 root/[email protected] 5 12/02/13 16:14:14 root/[email protected] 5 12/02/13 16:14:15 root/[email protected] 5 12/02/13 16:14:15 NFS/[email protected] 5 12/02/13 16:14:15 NFS/[email protected] 5 12/02/13 16:14:15 NFS/[email protected] 5 12/02/13 16:14:15 NFS/[email protected] 5 12/02/13 16:14:15 NFS/[email protected] 5 12/02/13 16:14:15 NFS/[email protected] 5 12/02/13 16:14:15 HOST/[email protected] 5 12/02/13 16:14:15 HOST/[email protected] 5 12/02/13 16:14:15 HOST/[email protected] 5 12/02/13 16:14:15 HOST/[email protected] 5 12/02/13 16:14:15 HOST/[email protected] 5 12/02/13 16:14:15 HOST/[email protected] 

NFS服务器上的导出如下所示：

 /foo gss/krb5(ro,fsid=0,sync,insecure,no_root_squash,no_subtree_check,squash_uids=0-99) /foo/bar gss/krb5(rw,insecure,no_subtree_check,nohide,sync,no_root_squash,squash_uids=0-99) 

当我尝试在客户端上安装导出时，我从mount命令中看到了这一点：

 [root@srred1kt01 ~]# mount -t nfs4 -o sec=krb5 srred1nfs01:/foo /backups -vvv mount: fstab path: "/etc/fstab" mount: mtab path: "/etc/mtab" mount: lock path: "/etc/mtab~" mount: temp path: "/etc/mtab.tmp" mount: UID: 0 mount: eUID: 0 mount: spec: "srred1nfs01:/foo" mount: node: "/backups" mount: types: "nfs4" mount: opts: "sec=krb5" final mount options: 'sec=krb5' mount: external mount: argv[0] = "/sbin/mount.nfs4" mount: external mount: argv[1] = "srred1nfs01:/foo" mount: external mount: argv[2] = "/backups" mount: external mount: argv[3] = "-v" mount: external mount: argv[4] = "-o" mount: external mount: argv[5] = "rw,sec=krb5" mount.nfs4: timeout set for Mon Dec 2 16:26:44 2013 mount.nfs4: trying text-based options 'sec=krb5,addr=10.10.10.63,clientaddr=10.10.10.62' mount.nfs4: mount(2): Permission denied mount.nfs4: access denied by server while mounting srred1nfs01:/foo 

客户端上的“rpc.gssd -fvvv”的输出如下所示：

 dir_notify_handler: sig 37 si 0x7fffaa8850b0 data 0x7fffaa884f80 dir_notify_handler: sig 37 si 0x7fffaa8850b0 data 0x7fffaa884f80 dir_notify_handler: sig 37 si 0x7fffaa8850b0 data 0x7fffaa884f80 handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt14) handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt14) process_krb5_upcall: service is '<null>' Full hostname for 'srred1nfs01.work.local' is 'srred1nfs01.work.local' Full hostname for 'srred1kt01.work.local' is 'srred1kt01.work.local' No key table entry found for [email protected] while getting keytab entry for '[email protected] ' Success getting keytab entry for 'root/[email protected]' WARNING: Client not found in Kerberos database while getting initial ticket for principal 'root/[email protected]' using keytab 'FILE:/etc/krb5.keytab' ERROR: No credentials found for connection to server srred1nfs01.work.local doing error downcall dir_notify_handler: sig 37 si 0x7fffaa884b70 data 0x7fffaa884a40 dir_notify_handler: sig 37 si 0x7fffaa884b70 data 0x7fffaa884a40 dir_notify_handler: sig 37 si 0x7fffaa884b70 data 0x7fffaa884a40 dir_notify_handler: sig 37 si 0x7fffaa884b70 data 0x7fffaa884a40 dir_notify_handler: sig 37 si 0x7fffaa884b70 data 0x7fffaa884a40 dir_notify_handler: sig 37 si 0x7fffaa884b70 data 0x7fffaa884a40 destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14