Kerberized NFSv4 mount error: No credentials found for connection to server

My client and server both run Ubuntu 14.04, and Kerberos user authentication works as expected. Plain NFSv4 mounts also work fine. All machines run the Heimdal libraries.

I have not been able to get Kerberized NFSv4 working.

When mounting the share I get the following logs:

Client:

    # mount -t nfs4 -o sec=krb5 server:/ /mnt/tmp -vvvvvv
    mount: fstab path: "/etc/fstab"
    mount: mtab path: "/etc/mtab"
    mount: lock path: "/etc/mtab~"
    mount: temp path: "/etc/mtab.tmp"
    mount: UID: 0
    mount: eUID: 0
    mount: spec: "SERVER:/"
    mount: node: "/mnt/tmp"
    mount: types: "nfs4"
    mount: opts: "sec=krb5"
    mount: external mount: argv[0] = "/sbin/mount.nfs4"
    mount: external mount: argv[1] = "SERVER:/"
    mount: external mount: argv[2] = "/mnt/tmp"
    mount: external mount: argv[3] = "-v"
    mount: external mount: argv[4] = "-o"
    mount: external mount: argv[5] = "rw,sec=krb5"
    mount.nfs4: timeout set for Sun Jun 15 01:10:30 2014
    mount.nfs4: trying text-based options 'sec=krb5,addr=XXX.XXX.XXX.52,clientaddr=XXX.XXX.XXX.17'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting SERVER:/

rpc.gssd:

    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt4
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt3
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt2
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt0
    Jun 15 01:31:15 client rpc.gssd[24146]: handling gssd upcall (/run/rpc_pipefs/nfs/clntf)
    Jun 15 01:31:15 client rpc.gssd[24146]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
    Jun 15 01:31:15 client rpc.gssd[24146]: handling krb5 upcall (/run/rpc_pipefs/nfs/clntf)
    Jun 15 01:31:15 client rpc.gssd[24146]: process_krb5_upcall: service is '<null>'
    Jun 15 01:31:15 client rpc.gssd[24146]: Full hostname for 'server.example.com' is 'server.example.com'
    Jun 15 01:31:15 client rpc.gssd[24146]: Full hostname for 'client.example.com' is 'CLIENT.example.com'
    Jun 15 01:31:15 client rpc.gssd[24146]: No key table entry found for [email protected] while getting keytab entry for 'DEVEL01$@'
    Jun 15 01:31:15 client rpc.gssd[24146]: No key table entry found for root/[email protected] while getting keytab entry for 'root/CLIENT.example.com@'
    Jun 15 01:31:15 client rpc.gssd[24146]: Success getting keytab entry for 'nfs/client.example.com@'
    Jun 15 01:31:15 client rpc.gssd[24146]: WARNING: Cryptosystem internal error while getting initial ticket for principal 'nfs/[email protected]' using keytab 'FILE:/etc/krb5.keytab'
    Jun 15 01:31:15 client rpc.gssd[24146]: ERROR: No credentials found for connection to server server.example.com
    Jun 15 01:31:15 client rpc.gssd[24146]: doing error downcall
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfs/clnt55
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt4
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt3
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt2
    Jun 15 01:31:15 client rpc.gssd[24146]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt0

Client keytab:

    Vno  Type                     Principal                    Aliases
      1  aes256-cts-hmac-sha1-96  nfs/[email protected]
      1  des3-cbc-sha1            nfs/[email protected]
      1  arcfour-hmac-md5         nfs/[email protected]

Server:

KDC:

    Jun 15 01:44:34 server kdc[13705]: AS-REQ nfs/[email protected] from IPv4:XXX.XXX.XXX.17 for krbtgt/[email protected]
    Jun 15 01:44:34 server kdc[13705]: Client sent patypes: REQ-ENC-PA-REP
    Jun 15 01:44:34 server kdc[13705]: Looking for PK-INIT(ietf) pa-data -- nfs/[email protected]
    Jun 15 01:44:34 server kdc[13705]: Looking for PK-INIT(win2k) pa-data -- nfs/[email protected]
    Jun 15 01:44:34 server kdc[13705]: Looking for ENC-TS pa-data -- nfs/[email protected]
    Jun 15 01:44:34 server kdc[13705]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
    Jun 15 01:44:34 server kdc[13705]: sending 292 bytes to IPv4:XXX.XXX.XXX.17

Any pointers as to what is wrong?

    Jun 15 01:31:15 client rpc.gssd[24146]: WARNING: Cryptosystem internal error while getting initial ticket for principal 'nfs/[email protected]' using keytab 'FILE:/etc/krb5.keytab'

You can use kinit to get a TGT from that keytab with this command (assuming MIT kinit):

    kinit -k -t /etc/krb5.keytab nfs/[email protected]

I guess you have sanitised this, but case matters in Kerberos principals. The principal in the error message is not the same as the principal in the keytab. Are you doing something funny with DNS (such as returning upper-case DNS hostnames)?

Looking at the KDC messages, my guess is that you do not have the correct key for nfs/client.example.com in the keytab.

If those client and KDC logs are for the same event, then this looks like it is failing because of clock skew.

Make sure all the system clocks involved are within 300 seconds (5 minutes) of each other, preferably by giving them all the same time source.
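The checks the answers above point at, as an added example that is not part of the original question or of any answer: a POSIX shell script that works offline on the rpc.gssd lines and the keytab listing pasted in the question (embedded below as constructed samples). It maps the enctype numbers from the gssd upcall to names and intersects them with the keytab, lists keytab principals that differ from the hostname gssd resolved only in case, and checks the gap between the two log timestamps (01:31:15 on the client, 01:44:34 on the KDC) against the 300 s skew limit. The realm EXAMPLE.COM and the Heimdal `ktutil list` column layout are assumptions; the question elides the realm. The live checks the answers ask for (`kinit -k -t /etc/krb5.keytab ...`, `ktutil list`, `hostname -f` on the client) still have to be run on the hosts; this script only reads the text they produce.

```shell
#!/bin/sh
# Added diagnostic, not part of the original question or answers. It runs the
# checks the answers point at (principal case, keytab/enctype overlap, clock
# skew) offline, against the rpc.gssd lines and keytab listing pasted above.
# Assumptions: Heimdal `ktutil list` column layout, realm EXAMPLE.COM (the
# question elides it), and enctype numbers per RFC 3961/3962/4757.

# Constructed sample: the relevant rpc.gssd lines from the question.
GSSD_LOG="rpc.gssd[24146]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[24146]: Full hostname for 'server.example.com' is 'server.example.com'
rpc.gssd[24146]: Full hostname for 'client.example.com' is 'CLIENT.example.com'
rpc.gssd[24146]: Success getting keytab entry for 'nfs/client.example.com@'"

# Constructed sample: the client keytab as listed by Heimdal ktutil.
KEYTAB_LIST="Vno Type                     Principal                           Aliases
1   aes256-cts-hmac-sha1-96  nfs/client.example.com@EXAMPLE.COM
1   des3-cbc-sha1            nfs/client.example.com@EXAMPLE.COM
1   arcfour-hmac-md5         nfs/client.example.com@EXAMPLE.COM"

# Name for a Kerberos enctype number as it appears in the gssd upcall.
enctype_name() {
    case "$1" in
        1)  echo des-cbc-crc ;;
        2)  echo des-cbc-md4 ;;
        3)  echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo arcfour-hmac-md5 ;;
        *)  echo "etype-$1" ;;
    esac
}

# Enctypes the kernel offered in the upcall, one per line, in offered order.
upcall_enctypes() {   # $1 = gssd log text
    printf '%s\n' "$1" | sed -n 's/.*enctypes=\([0-9,]*\).*/\1/p' | head -n 1 |
        tr ',' '\n' | while read -r n; do enctype_name "$n"; done
}

# Enctypes the keytab holds for one principal, one per line.
keytab_enctypes() {   # $1 = ktutil listing, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { print $2 }'
}

# Offered enctypes that the keytab also has a key for. If this is empty, the
# AS exchange for that principal cannot succeed whatever else is right.
common_enctypes() {   # $1 = gssd log, $2 = ktutil listing, $3 = principal
    kt=$(keytab_enctypes "$2" "$3")
    [ -n "$kt" ] || return 0
    upcall_enctypes "$1" | while read -r e; do
        if printf '%s\n' "$kt" | grep -qxF "$e"; then echo "$e"; fi
    done
}

# The canonical name rpc.gssd resolved for a host, taken from its
# "Full hostname for 'x' is 'Y'" line.
gssd_canonical_name() {   # $1 = gssd log, $2 = host as gssd looked it up
    printf '%s\n' "$1" | sed -n "s/.*Full hostname for '$2' is '\([^']*\)'.*/\1/p" | head -n 1
}

# Keytab principals whose host part equals $1 only case-insensitively.
# Principal comparison in Kerberos is byte-exact, so such an entry does not
# match a name that DNS handed back in different case.
case_mismatched_principals() {   # $1 = canonical hostname, $2 = ktutil listing
    printf '%s\n' "$2" | awk -v h="$1" 'NR > 1 {
        split($3, a, "[/@]"); host = a[2]
        if (host != h && tolower(host) == tolower(h)) print $3
    }' | sort -u
}

# True when two timestamps (seconds) are within the allowed skew; Kerberos
# rejects exchanges outside it (300 s by default in MIT and Heimdal).
clock_skew_ok() {   # $1, $2 = timestamps in seconds, $3 = max skew (default 300)
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "${3:-300}" ]
}

main() {
    princ='nfs/client.example.com@EXAMPLE.COM'
    canon=$(gssd_canonical_name "$GSSD_LOG" client.example.com)
    echo "gssd canonical hostname: $canon"
    echo "keytab principals that differ from it only by case:"
    case_mismatched_principals "$canon" "$KEYTAB_LIST"
    echo "enctypes offered by the kernel that the keytab holds for $princ:"
    common_enctypes "$GSSD_LOG" "$KEYTAB_LIST" "$princ"
    # 01:31:15 (client log) and 01:44:34 (KDC log) as seconds of day: if both
    # describe one event, the clocks are 799 s apart, well past 300 s.
    if clock_skew_ok 5475 6274; then echo "clock skew within 300 s"
    else echo "clock skew exceeds 300 s: fix time sync before anything else"; fi
}

main
```

To use it on a real host, replace the two constructed samples with the output of `ktutil list` and the rpc.gssd lines from syslog (run rpc.gssd with `-vvv` as the question did), and set `princ` to the principal rpc.gssd reports as "Success getting keytab entry for". An empty enctype intersection, or a principal listed under the case check, is a configuration error to fix before looking any further; a clock gap over 300 s means the KDC will refuse the exchange regardless of the keytab.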