nfs4 and kerberos: Wrong principal in request

My client and server both run Ubuntu 14.04, and Kerberos user authentication works as expected. Plain nfs4 mounts also work fine. All machines run the Heimdal libraries.

I have not been able to get kerberized nfs4 working.

When mounting the share, I get the following entries in the logs:

NFS4 server:

    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: leaving poll
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: handling null request
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: WARNING: gss_accept_sec_context failed
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: sending null reply
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: writing message: \x \x 1403429173 851968 2529639056 \x \x
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: finished handling null request
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: entering poll
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: leaving poll
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: handling null request
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: WARNING: gss_accept_sec_context failed
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: sending null reply
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: writing message: \x \x 1403429173 851968 2529639056 \x \x
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: finished handling null request
    Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: entering poll

Exportfs:

    /srv          XXX.XXX.209.0/24(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv          tip*.example.com(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv          pclab*.example.com(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/home     XXX.XXX.209.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/home     tip*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/home     pclab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/home     XXX.XXX.208.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/home     wslab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/grpdrvs  XXX.XXX.209.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/grpdrvs  tip*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/grpdrvs  pclab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
    /srv/grpdrvs  XXX.XXX.208.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)

/etc/hosts:

    127.0.0.1       localhost
    XXX.XXX.209.52  SERVER.example.com SERVER

    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

Server and client:

/etc/idmapd:

    [General]
    Verbosity = 5
    Pipefs-Directory = /run/rpc_pipefs
    # set your own domain here, if id differs from FQDN minus hostname
    Domain = example.com
    Local-Realms = REALM

    [Mapping]
    Nobody-User = nobody
    Nobody-Group = nogroup

NFS4 client:

Mount request:

    mount -t nfs4 -o sec=krb5 SERVER:/ /mnt/temp/ -vvvv
    mount: fstab path: "/etc/fstab"
    mount: mtab path: "/etc/mtab"
    mount: lock path: "/etc/mtab~"
    mount: temp path: "/etc/mtab.tmp"
    mount: UID: 0
    mount: eUID: 0
    mount: spec: "SERVER:/"
    mount: node: "/mnt/temp/"
    mount: types: "nfs4"
    mount: opts: "sec=krb5"
    mount: external mount: argv[0] = "/sbin/mount.nfs4"
    mount: external mount: argv[1] = "SERVER:/"
    mount: external mount: argv[2] = "/mnt/temp/"
    mount: external mount: argv[3] = "-v"
    mount: external mount: argv[4] = "-o"
    mount: external mount: argv[5] = "rw,sec=krb5"
    mount.nfs4: timeout set for Sun Jun 22 11:24:33 2014
    mount.nfs4: trying text-based options 'sec=krb5,addr=XXX.XXX.XXX.52,clientaddr=XXX.XXX.XXX.42'
    mount.nfs4: mount(2): Permission denied
    mount.nfs4: access denied by server while mounting SERVER:/

Client log:

    Jun 22 11:25:13 CLIENT rpc.gssd[708]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt0)
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt0)
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: process_krb5_upcall: service is '<null>'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'SERVER.example.com' is 'SERVER.example.com'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'CLIENT.example.com' is 'CLIENT.example.com'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for root/CLIENT.example.com@REALM while getting keytab entry for 'root/CLIENT.example.com@'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: Success getting keytab entry for 'nfs/CLIENT.example.com@'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: using FILE:/tmp/krb5ccmachine_REALM as credentials cache for machine creds
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_REALM
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context using fsuid 0 (save_uid 0)
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating tcp client for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: DEBUG: port already set to 2049
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context with server [email protected]
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create krb5 context for user with uid 0 for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_REALM for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'SERVER.example.com' is 'SERVER.example.com'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'CLIENT.example.com' is 'CLIENT.example.com'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for root/CLIENT.example.com@REALM while getting keytab entry for 'root/CLIENT.example.com@'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: Success getting keytab entry for 'nfs/CLIENT.example.com@'
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: using FILE:/tmp/krb5ccmachine_REALM as credentials cache for machine creds
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_REALM
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context using fsuid 0 (save_uid 0)
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating tcp client for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: DEBUG: port already set to 2049
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context with server [email protected]
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create krb5 context for user with uid 0 for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_REALM for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with any credentials cache for server SERVER.example.com
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: doing error downcall
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfs/clnte
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clntd
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt7
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt6
    Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt5

Client keytab:

    % ktutil list
    FILE:/etc/krb5.keytab:

    Vno  Type                     Principal                      Aliases
      1  aes256-cts-hmac-sha1-96  host/CLIENT.example.com@REALM
      1  des3-cbc-sha1            host/CLIENT.example.com@REALM
      1  arcfour-hmac-md5         host/CLIENT.example.com@REALM
      1  aes256-cts-hmac-sha1-96  nfs/CLIENT.example.com@REALM
      1  des3-cbc-sha1            nfs/CLIENT.example.com@REALM
      1  arcfour-hmac-md5         nfs/CLIENT.example.com@REALM

Client credentials cache:

    % klist -c /tmp/krb5ccmachine_REALM
    Credentials cache: FILE:/tmp/krb5ccmachine_REALM
            Principal: nfs/CLIENT.example.com@REALM

      Issued                Expires               Principal
    Jun 22 13:55:01 2014  Jun 23 13:55:01 2014  krbtgt/REALM@REALM
    Jun 22 13:55:01 2014  Jun 23 13:55:01 2014  nfs/SERVER.example.com@REALM

Client /etc/hosts:

    127.0.0.1       localhost
    XXX.XXX.209.17  CLIENT.example.com CLIENT

DNS related:

Reverse DNS:

    % host XXX.XXX.209.17
    17.209.XXX.XXX.in-addr.arpa domain name pointer CLIENT.example.com.
    % host XXX.XXX.209.52
    52.209.XXX.XXX.in-addr.arpa domain name pointer SERVER.example.com.

getent hosts from SERVER:

    root@SERVER:~# getent hosts CLIENT.example.com
    XXX.XXX.209.17  CLIENT.example.com
    root@SERVER:~# getent hosts SERVER.example.com
    XXX.XXX.209.52  SERVER.example.com SERVER

getent hosts from CLIENT:

    CLIENT 00:03:32 # getent hosts SERVER.example.com
    XXX.XXX.209.52  SERVER.example.com
    CLIENT 00:03:41 # getent hosts CLIENT.example.com
    XXX.XXX.209.17  CLIENT.example.com CLIENT

I have been debugging this problem for several weeks, but so far I have not found a solution.

I found the solution:

Taking a look at a trace of the rpc.svcgssd daemon, I saw that the last file opened before the error was /etc/krb5.keytab.

The keytab on the server had been generated using kadmin and kinit "kadmin/admin".

kinit -k -t /etc/krb5.keytab nfs/SERVER.example.com@REALM on SERVER resulted in an invalid password error. So I deleted the keytab and generated a new one using kadmin -l. There may be a problem with the keytab of my kadmin/admin user that caused the keytab to be corrupted. I have not investigated that yet.

After creating the new keytab, the nfs4 + krb5 mount succeeded.

Thanks for your answers; they helped narrow down the problem.

So for anyone running into a similar problem:

  1. Try to obtain the service ticket on each managed host using kinit -k -t /etc/krb5.keytab nfs/SERVER.example.com@REALM

  2. Run strace -p $(pidof rpc.svcgssd) -s4096 -e trace=open,close,read,write and check what happens before the error occurs.

  3. From everything I have read, the "wrong principal" error usually occurs if the machine's hostname maps to 127.0.0.1.

You are using syntax that is marked DEPRECATED in the exports(5) man page:

    RPCSEC_GSS security
        You may use the special strings "gss/krb5", "gss/krb5i", or "gss/krb5p" to restrict access to clients using rpcsec_gss security.  However, this syntax is deprecated; on linux kernels since 2.6.23, you should instead use the "sec=" export option:

        sec=   The sec= option, followed by a colon-delimited list of security flavors, restricts the export to clients using those flavors.  Available security flavors include sys (the default--no cryptographic security), krb5 (authentication only), krb5i (integrity protection), and krb5p (privacy protection).  For the purposes of security flavor negotiation, order counts: preferred flavors should be listed first.  The order of the sec= option with respect to the other options does not matter, unless you want some options to be enforced differently depending on flavor.  In that case you may include multiple sec= options, and following options will be enforced only for access using flavors listed in the immediately preceding sec= option.  The only options that are permitted to vary in this way are ro, rw, no_root_squash, root_squash, and all_squash.

So your exports should be:

    /srv       XXX.XXX.209.0/24(fsid=0,rw,no_subtree_check,root_squash,async,sec=krb5)
    /srv/home  XXX.XXX.209.0/24(rw,no_subtree_check,root_squash,async,sec=krb5)

It is very important that both fsid=0 and the exported resources have the correct security configuration. Select the appropriate krb5/krb5i/krb5p for your setup.

Wrong name resolution can cause the error "Wrong principal in request". If you are using local resolution, check your /etc/hosts file.

People dealing with this kind of problem usually do the following:

  1. The DNS name (FQDN) of the host must be lowercase, even if your DNS supports uppercase letters in the FQDN.
  2. For example: [email protected], and add it to the keytab accordingly (all uppercase, ending with $)
  3. You should have the principals host/your-machine.your.domain.name and nfs/your-machine.your.domain.name, and add these principals to the keytab accordingly.
  4. Your /etc/hosts must not contain uppercase names, and the FQDN should come before the short name.
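As an added example (not code from this thread), the shell below turns the /etc/hosts rules in this answer and steps 1 and 3 of the accepted checklist into a repeatable check; the helper names, the 192.0.2.x address and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread; helper names and sample data are
# constructed. check_hosts FILE FQDN lints an /etc/hosts file against the
# rules in the answers above: lowercase names, FQDN before short alias, and
# the machine's own name not on a loopback address. Exit 1 if any problem.
check_hosts() {
    awk -v fqdn="$2" '
    BEGIN { fqdn = tolower(fqdn); short = fqdn; sub(/\..*/, "", short); bad = 0 }
    { sub(/#.*/, "") }                         # strip comments
    NF < 2 { next }                            # blank or address-only lines
    {
        fpos = 0; spos = 0
        for (i = 2; i <= NF; i++) {
            if ($i != tolower($i)) { print "uppercase name: " $i; bad++ }
            n = tolower($i)
            if (n == fqdn && !fpos) fpos = i
            if (n == short && !spos) spos = i
        }
        if ((fpos || spos) && ($1 ~ /^127\./ || $1 == "::1")) {
            print "hostname on loopback address: " $0; bad++
        }
        if (fpos && spos && spos < fpos) {
            print "short name before FQDN: " $0; bad++
        }
    }
    END { if (bad > 0) exit 1 }
    ' "$1"
}

# check_keytab_principal KEYTAB PRINCIPAL: step 1 of the checklist above, run
# against a throwaway credentials cache so the machine cache is untouched.
check_keytab_principal() {
    cc=$(mktemp) && KRB5CCNAME="FILE:$cc" kinit -k -t "$1" "$2"; rc=$?
    rm -f "$cc"; return $rc
}

# Constructed samples (placeholder addresses) shaped like the question's file.
BAD_HOSTS=$(mktemp); GOOD_HOSTS=$(mktemp)
cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1 localhost
127.0.1.1 SERVER SERVER.example.com
EOF
cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1 localhost
192.0.2.52 server.example.com server
EOF
check_hosts "$BAD_HOSTS" server.example.com || echo "BAD_HOSTS: exit $?"
check_hosts "$GOOD_HOSTS" server.example.com && echo "GOOD_HOSTS: clean"
```

Run check_keytab_principal /etc/krb5.keytab nfs/SERVER.example.com@REALM on the server to reproduce the keytab test from step 1; an invalid-password error there is the corrupted-keytab symptom described above.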