Kerberos NFS4 permission denied

**Edit:** I no longer use Sabayon Linux, and this problem does not occur on other distributions. I suggest closing this question.

Update: I realised that, because of a bad hosts file, both machines were resolving their local names to 127.0.0.1 instead of their LAN IP addresses. Once I changed that and tried to mount, the client showed:

```
mount.nfs4: timeout set for Sun Mar 31 10:33:38 2013
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.10.200,clientaddr=192.168.10.103'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting shakuras.darwinia.lan:/
```

Looking at the client's syslog:

```
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.idmapd[13036]: New client: 1a
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa321f0 data 0x7fffcfa320c0
rpc.gssd[13067]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1a)
rpc.gssd[13067]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
rpc.gssd[13067]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt1a)
rpc.gssd[13067]: process_krb5_upcall: service is '*'
rpc.idmapd[13036]: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt1a/idmap
rpc.gssd[13067]: Full hostname for 'server.domain' is 'server.domain'
rpc.gssd[13067]: Full hostname for 'client.domain' is 'client.domain'
rpc.gssd[13067]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@REALM'
rpc.gssd[13067]: No key table entry found for root/client.domain@REALM while getting keytab entry for 'root/client.domain@REALM'
rpc.gssd[13067]: Success getting keytab entry for 'nfs/client.domain@REALM'
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: using FILE:/tmp/krb5cc_machine_REALM as credentials cache for machine creds
rpc.gssd[13067]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_REALM
rpc.gssd[13067]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[13067]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
rpc.gssd[13067]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
rpc.gssd[13067]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_REALM for server server.domain
rpc.gssd[13067]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server server.domain
rpc.gssd[13067]: Full hostname for 'server.domain' is 'server.domain'
rpc.gssd[13067]: Full hostname for 'client.domain' is 'client.domain'
rpc.gssd[13067]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@REALM'
rpc.gssd[13067]: No key table entry found for root/client.domain@REALM while getting keytab entry for 'root/client.domain@REALM'
rpc.gssd[13067]: Success getting keytab entry for 'nfs/client.domain@REALM'
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364748098
rpc.gssd[13067]: using FILE:/tmp/krb5cc_machine_REALM as credentials cache for machine creds
rpc.gssd[13067]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_REALM
rpc.gssd[13067]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[13067]: ERROR: GSS-API: error in gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No Kerberos credentials available
rpc.gssd[13067]: WARNING: Failed while limiting krb5 encryption types for user with uid 0
rpc.gssd[13067]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_REALM for server server.domain
rpc.gssd[13067]: WARNING: Failed to create machine krb5 context with any credentials cache for server server.domain
rpc.gssd[13067]: doing error downcall
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: dir_notify_handler: sig 37 si 0x7fffcfa36cb0 data 0x7fffcfa36b80
rpc.gssd[13067]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt1a
rpc.idmapd[13036]: Stale client: 1a
rpc.idmapd[13036]: -> closed /var/lib/nfs/rpc_pipefs//nfs/clnt1a/idmap
```

The server's syslog only shows:

```
krb5kdc[31142]: AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.10.103: NEEDED_PREAUTH: nfs/client.domain@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
```

Client ktutil:

```
ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 nfs/client.domain@REALM
```

Server ktutil:

```
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 nfs/server.domain@REALM
```

Previously:

I am trying to set up a secure NFS4 server using Kerberos. My network has a local DNS server. The client and the server can both (reverse) look up each other. At first I followed this tutorial:

http://wiki.paraf.in/~parafin/linux/nfs4krb5

because I use Sabayon Linux, which is Gentoo-based. Then I realised that the syntax of the NFS exports file might not be correct. Currently the NFS exports are set up like this:

```
/export gss/krb5p(rw,insecure,async,no_root_squash,no_subtree_check)
```

The client can mount the remote filesystem. However, when I try to change it to Kerberos:

```
/export gss/krb5(rw,insecure,async,no_root_squash,no_subtree_check)
```

the client can no longer mount the filesystem. The mount command:

```
mount -o sec=krb5 -t nfs4 server.domain:/export /mnt/nfs/ -vvv
```

seems to hang forever. After a few minutes I can see in the client's dmesg:

```
NFS: server server.domain not responding, timed out
```

Despite this, the command still hangs. Some additional facts:

  1. The KDC and the NFS server are the same machine
  2. idmap, rpc.svcgssd and nfs are running on the server
  3. idmap, rpc.gssd and nfs are running on the client
  4. The kernel supports gss rpc
  5. The keytab files of both client and server are in /etc/krb5.keytab and are readable only by root

Trying to increase the verbosity on both sides, when I connect I can see:

Server:

```
rpc.svcgssd[23856]: sname = nfs/client.domain@REALM
rpc.svcgssd[23856]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.svcgssd[23856]: prepare_krb5_rfc4121_buffer: protocol 1
rpc.svcgssd[23856]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
rpc.svcgssd[23856]: doing downcall
rpc.svcgssd[23856]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1364700223 (33977 from now), clnt: [email protected], uid: -1, gid: -1, num aux grps: 0:
rpc.svcgssd[23856]: sending null reply
rpc.svcgssd[23856]: writing message: [BINARY MESSAGE]
rpc.svcgssd[23856]: finished handling null request
rpc.svcgssd[23856]: entering poll
```

Client:

```
rpc.gssd[20295]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt64)
rpc.gssd[20295]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
rpc.gssd[20295]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt64)
rpc.gssd[20295]: process_krb5_upcall: service is '*'
rpc.gssd[20295]: Full hostname for 'server.domain' is 'server.domain'
rpc.gssd[20295]: Full hostname for 'localhost' is 'localhost'
rpc.gssd[20295]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@REALM'
rpc.gssd[20295]: No key table entry found for root/localhost@REALM while getting keytab entry for 'root/localhost@REALM'
rpc.gssd[20295]: No key table entry found for nfs/localhost@REALM while getting keytab entry for 'nfs/localhost@REALM'
rpc.gssd[20295]: No key table entry found for host/localhost@REALM while getting keytab entry for 'host/localhost@REALM'
rpc.gssd[20295]: Success getting keytab entry for nfs/*@REALM
rpc.gssd[20295]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364700223
rpc.gssd[20295]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_REALM' are good until 1364700223
rpc.gssd[20295]: using FILE:/tmp/krb5cc_machine_REALM as credentials cache for machine creds
rpc.gssd[20295]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_REALM
rpc.gssd[20295]: creating context using fsuid 0 (save_uid 0)
rpc.gssd[20295]: creating tcp client for server server.domain
rpc.gssd[20295]: DEBUG: port already set to 2049
rpc.gssd[20295]: creating context with server [email protected]
rpc.gssd[20295]: DEBUG: serialize_krb5_ctx: lucid version!
rpc.gssd[20295]: prepare_krb5_rfc4121_buffer: protocol 1
rpc.gssd[20295]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
rpc.gssd[20295]: doing downcall
```

I don't know why it tries to get a key for CLIENT$@REALM (where does the dollar sign at the end of the client name come from?).
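The two client logs above differ in one place: with the bad hosts file rpc.gssd reverse-resolves the local address to 'localhost', looks for `nfs/localhost@REALM`, and only succeeds via the `nfs/*@REALM` wildcard; with the fixed hosts file it finds `nfs/client.domain@REALM` directly. The `CLIENT$` form it tries first is the Active Directory machine-account naming convention. The following Python script is an added example, not part of the question or of nfs-utils: it replays that keytab-principal search order against a constructed `/etc/hosts` and a constructed list of keytab principals, so a defender can check offline whether a client's hostname resolution and keytab will line up before touching the mount. Function names (`resolve_local_name`, `candidate_principals`, `find_keytab_entry`, `diagnose`) and the sample data are hypothetical.

```python
"""Replay rpc.gssd's machine-principal lookup against a hosts file and a keytab listing.

Added example; the search order is the one visible in the rpc.gssd log lines in
the question (HOST$@REALM, root/<name>, nfs/<name>, host/<name>, then nfs/*).
All inputs below are constructed, not taken from a real system.
"""
import ipaddress

# Constructed /etc/hosts contents: the broken one maps the client's own name
# to the loopback address, the fixed one maps it to its LAN address.
BAD_HOSTS = """127.0.0.1      localhost client.domain client
::1            localhost
192.168.10.200 server.domain server
"""
GOOD_HOSTS = """127.0.0.1      localhost
192.168.10.103 client.domain client
192.168.10.200 server.domain server
"""
# Principal names as `ktutil: list` would print them for the client keytab.
CLIENT_KEYTAB = ["nfs/client.domain@REALM"]


def parse_hosts(hosts_text):
    """Return a list of (ip, [names]) tuples from /etc/hosts-style text."""
    entries = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def resolve_local_name(hosts_text, hostname):
    """Forward-resolve the host name, then reverse-resolve the address to its
    canonical name (first name on the matching line), as a resolver would."""
    entries = parse_hosts(hosts_text)
    ip = next((ip for ip, names in entries if hostname in names), None)
    if ip is None:
        return None, None
    canonical = next(names[0] for e_ip, names in entries if e_ip == ip)
    return ip, canonical


def candidate_principals(short_host, resolved_name, realm):
    """Search order seen in the rpc.gssd log: AD-style HOST$ (from the short
    host name), then root/, nfs/ and host/ for the resolved name, then nfs/*."""
    return [
        f"{short_host.upper()}$@{realm}",
        f"root/{resolved_name}@{realm}",
        f"nfs/{resolved_name}@{realm}",
        f"host/{resolved_name}@{realm}",
        f"nfs/*@{realm}",
    ]


def find_keytab_entry(keytab_principals, candidates, realm):
    """Return (candidate, matched_principal) for the first candidate present in
    the keytab; the wildcard matches any nfs/ principal in the realm."""
    for cand in candidates:
        if cand == f"nfs/*@{realm}":
            for princ in keytab_principals:
                if princ.startswith("nfs/") and princ.endswith("@" + realm):
                    return cand, princ
        elif cand in keytab_principals:
            return cand, cand
    return None, None


def diagnose(hosts_text, hostname, realm, keytab_principals):
    """Summarise what rpc.gssd would see for this host name, hosts file and keytab."""
    ip, resolved = resolve_local_name(hosts_text, hostname)
    loopback = ip is not None and ipaddress.ip_address(ip).is_loopback
    cands = candidate_principals(hostname.split(".")[0], resolved or hostname, realm)
    matched_by, principal = find_keytab_entry(keytab_principals, cands, realm)
    return {
        "ip": ip,
        "resolved_name": resolved,
        "loopback": loopback,       # True means the hosts file is broken as in the question
        "matched_by": matched_by,   # which search step hit, or None
        "principal": principal,     # the keytab entry that step selected
    }


if __name__ == "__main__":
    for label, hosts in (("bad hosts file", BAD_HOSTS), ("fixed hosts file", GOOD_HOSTS)):
        print(label, diagnose(hosts, "client.domain", "REALM", CLIENT_KEYTAB))
```

Running it shows the bad hosts file resolving to `localhost` on a loopback address and the lookup only succeeding through the `nfs/*@REALM` wildcard, while the fixed file yields a direct hit on `nfs/client.domain@REALM`; a `loopback` of True or a wildcard-only match is the condition worth alerting on when auditing krb5 NFS clients.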