
NFS Kerberos not working

Server Fault user
Asked 2018-08-23 01:04:39
2 answers · 3.4K views · 0 followers · 1 vote

I'm trying to authenticate against another server using Kerberos and get the following response:

[root@ip-10-1-5-59 nfs-test-1]#  mount -t nfs4 -o sec=krb5  kbserver.example.com:/ /home/ec2-user/nfs-test-1 --verbose
mount.nfs4: timeout set for Thu Aug 23 00:59:58 2018
mount.nfs4: trying text-based options 'sec=krb5,vers=4.1,addr=10.1.5.21,clientaddr=10.1.5.59'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.1.5.21,clientaddr=10.1.5.59'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting kbserver.example.com:/

If I tail /var/log/messages I see the following log line, but I'm not sure whether it's related.

[ec2-user@ip-10-1-5-21 anypoint-nfs-share]$ sudo tail -f /var/log/messages | grep warn
Aug 23 00:59:28 localhost kernel: NFSD: warning: no callback path to client Linux NFSv4.1 ip-10-1-5-59.us-east-2.compute.internal: error -22

On my client, klist -ke outputs the following:

[root@ip-10-1-5-59 nfs-test-1]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 host/kbclient.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   8 host/kbclient.example.com@EXAMPLE.COM (des3-cbc-sha1)
   8 host/kbclient.example.com@EXAMPLE.COM (arcfour-hmac)
   8 host/kbclient.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   8 host/kbclient.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   8 host/kbclient.example.com@EXAMPLE.COM (des-hmac-sha1)
   8 host/kbclient.example.com@EXAMPLE.COM (des-cbc-md5)
   7 nfs/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 nfs/kbclient.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   7 nfs/kbclient.example.com@EXAMPLE.COM (des3-cbc-sha1)
   7 nfs/kbclient.example.com@EXAMPLE.COM (arcfour-hmac)
   7 nfs/kbclient.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   7 nfs/kbclient.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   7 nfs/kbclient.example.com@EXAMPLE.COM (des-hmac-sha1)
   7 nfs/kbclient.example.com@EXAMPLE.COM (des-cbc-md5)
   8 host/kbserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 host/kbserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   8 host/kbserver.example.com@EXAMPLE.COM (des3-cbc-sha1)
   8 host/kbserver.example.com@EXAMPLE.COM (arcfour-hmac)
   8 host/kbserver.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   8 host/kbserver.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   8 host/kbserver.example.com@EXAMPLE.COM (des-hmac-sha1)
   8 host/kbserver.example.com@EXAMPLE.COM (des-cbc-md5)
   8 nfs/kbserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 nfs/kbserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   8 nfs/kbserver.example.com@EXAMPLE.COM (des3-cbc-sha1)
   8 nfs/kbserver.example.com@EXAMPLE.COM (arcfour-hmac)
   8 nfs/kbserver.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   8 nfs/kbserver.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   8 nfs/kbserver.example.com@EXAMPLE.COM (des-hmac-sha1)
   8 nfs/kbserver.example.com@EXAMPLE.COM (des-cbc-md5)
   8 nfs/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 nfs/kbclient.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   8 nfs/kbclient.example.com@EXAMPLE.COM (des3-cbc-sha1)
   8 nfs/kbclient.example.com@EXAMPLE.COM (arcfour-hmac)
   8 nfs/kbclient.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   8 nfs/kbclient.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   8 nfs/kbclient.example.com@EXAMPLE.COM (des-hmac-sha1)
   8 nfs/kbclient.example.com@EXAMPLE.COM (des-cbc-md5)

The following nfs/rpc services are enabled on my server:

[ec2-user@ip-10-1-5-21 ~]$ systemctl list-unit-files | grep enabled | grep -E "(nfs|rpc)"
nfs-server.service                            enabled
nfs.service                                   enabled
rpcbind.service                               enabled
rpcbind.socket                                enabled
nfs-client.target                             enabled

And the following nfs/rpc services are enabled on my client:

[ec2-user@ip-10-1-5-59 nfs-test-1]$ systemctl list-unit-files | grep enabled | grep -E "(nfs|rpc)"
rpcbind.service                               enabled
rpcbind.socket                                enabled
nfs-client.target                             enabled

Just noticed that the following throws an error:

[root@ip-10-1-5-59 nfs-test-1]# sudo systemctl status nfs-secure.service
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Thu 2018-08-23 00:35:16 UTC; 31min ago
 Main PID: 32200 (rpc.gssd)
   CGroup: /system.slice/rpc-gssd.service
           └─32200 /usr/sbin/rpc.gssd -vvv

Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: No key table entry found for host/ip-10-1-5-59.us-east-2.compute.internal@EXAMPLE.COM while gett...PLE.COM'
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: Success getting keytab entry for nfs/*@EXAMPLE.COM
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: creating tcp client for server kbserver.example.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: creating context with server nfs@kbserver.example.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@kbserver.example.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.CO...mple.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: WARNING: Failed to create machinekrb5 context with any credentialscache for server kbserver.example.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: doing error downcall

The following log output shows up on the client:

Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Success getting keytab entry for nfs/*@EXAMPLE.COM
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating tcp client for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating context with server nfs@kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.COM for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Machine cache prematurelyexpired or corrupted trying torecreate cache for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Full hostname for 'kbserver.example.com' is 'kbserver.example.com'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Full hostname for 'kbclient.example' is 'kbclient.example'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for kbclient$@EXAMPLE.COM while getting keytab entry for 'kbclient$@EXAMPLE.COM'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for KBCLIENT$@EXAMPLE.COM while getting keytab entry for 'KBCLIENT$@EXAMPLE.COM'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for root/kbclient.example@EXAMPLE.COM while getting keytab entry for 'root/kbclient.example@EXAMPLE.COM'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for nfs/kbclient.example@EXAMPLE.COM while getting keytab entry for 'nfs/kbclient.example@EXAMPLE.COM'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for host/kbclient.example@EXAMPLE.COM while getting keytab entry for 'host/kbclient.example@EXAMPLE.COM'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Success getting keytab entry for nfs/*@EXAMPLE.COM
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating tcp client for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating context with server nfs@kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.COM for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create machinekrb5 context with any credentialscache for server kbserver.example.com

2 Answers

Server Fault user

Accepted answer

Posted 2018-08-24 01:00:40

The problem was that I needed a keytab file with the host principal in it. I couldn't get kadmin.local to add it with ktadd, so I copied it over manually.

On the client:

echo $BASE_64_ENCODED_FILE_FROM_SERVER | base64 -d > /etc/krb5.keytab
kinit -k -t /etc/krb5.keytab
mkdir -p /home/root/nfs-test/2
sudo mount -t nfs4 -o sec=krb5 kbserver.example.com:/ /home/root/nfs-test/2 --verbose
mount.nfs4: timeout set for Fri Aug 24 01:02:58 2018
mount.nfs4: trying text-based options 'sec=krb5,vers=4.1,addr=10.1.5.21,clientaddr=10.1.5.59'
0 votes
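The rpc.gssd log in the question shows the actual mismatch: the daemon builds the machine principal from the host's own canonical name (host/ip-10-1-5-59.us-east-2.compute.internal@EXAMPLE.COM), while the keytab only carries kbclient.example.com principals. The accepted answer fixes it by shipping a keytab with the right host entry. The script below is an added example, not code from the question or the answer: it audits a `klist -ke` listing for exactly that gap, and additionally flags principals present under two KVNOs (the question's keytab has nfs/kbclient under both 7 and 8) and entries keyed with deprecated enctypes. The listing it runs on is a constructed sample in the same shape as the one in the question; the realm and the host/ and nfs/ service names are the ones the page's own log shows rpc.gssd looking up.

```shell
#!/bin/sh
# Added example (not from the question or the answers): audit a `klist -ke`
# listing for the problem the rpc.gssd log exposes. rpc.gssd derives the
# machine principal from the host's own canonical name (the log shows
# host/ip-10-1-5-59.us-east-2.compute.internal@EXAMPLE.COM), so a keytab that
# only carries kbclient.example.com principals can never satisfy it.

# Constructed sample: a trimmed listing in the same shape as the one in the
# question, including the duplicate KVNO for nfs/kbclient and an RC4 entry.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 host/kbclient.example.com@EXAMPLE.COM (arcfour-hmac)
   7 nfs/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 nfs/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Print each distinct principal in a klist -ke listing (read from stdin),
# dropping the KVNO column and the enctype suffix.
principals_in_keytab() {
    awk '$2 ~ /@/ { print $2 }' | sort -u
}

# missing_principals FQDN REALM: print the service principals rpc.gssd looks
# for on a client with that canonical hostname which the listing (stdin) lacks.
missing_principals() {
    fqdn=$1; realm=$2
    have=$(principals_in_keytab)
    for svc in host nfs; do
        want="$svc/$fqdn@$realm"
        printf '%s\n' "$have" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

# Print principals that appear under more than one KVNO: the keytab was merged
# from different exports, and only one set of keys can still match the KDC.
stale_kvno_principals() {
    awk '$2 ~ /@/ { k = $2 SUBSEP $1; if (!(k in seen)) { seen[k] = 1; n[$2]++ } }
         END { for (p in n) if (n[p] > 1) print p }' | sort
}

# Print entries keyed with deprecated enctypes (single DES, 3DES, RC4), which
# current KDCs disable and which should not linger in a keytab.
deprecated_enctype_entries() {
    awk '$2 ~ /@/ && $3 ~ /^\((des|arcfour)/ { print $2, $3 }' | sort -u
}

# audit_keytab_listing FQDN REALM: run all three checks over one listing.
audit_keytab_listing() {
    listing=$(cat)
    echo "== principals rpc.gssd needs for $1 but cannot find =="
    printf '%s\n' "$listing" | missing_principals "$1" "$2"
    echo "== principals present under more than one KVNO =="
    printf '%s\n' "$listing" | stale_kvno_principals
    echo "== entries using deprecated enctypes =="
    printf '%s\n' "$listing" | deprecated_enctype_entries
}

# Demo on the constructed sample. On a live client run instead:
#   klist -ke | audit_keytab_listing "$(hostname -f)" EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" | audit_keytab_listing ip-10-1-5-59.us-east-2.compute.internal EXAMPLE.COM
```

The first section of the report is the one that matters for this question: if the name it prints differs from the name the keytab was issued for, either fix the client's canonical hostname (/etc/hosts, reverse DNS) or re-issue the keytab for the name the host actually resolves to, rather than copying a keytab made for another name.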

Server Fault user

Posted 2018-08-23 08:00:50

Hard to say. Just in case, have you checked your /etc/exports? It should at least contain "sec=krb5", e.g.:

/  10.1.5.0/24(rw,sec=krb5:krb5i:krb5p)
0 votes
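The exports line in this answer only helps if every export that should be Kerberos-only actually lists Kerberos flavors and nothing else. As an added example (not part of the answer), the function below parses /etc/exports text and reports, per export and client, whether a sec= option is present, whether it still admits sec=sys (the server default when sec= is absent, and a flavor the client may simply choose when it is listed), and whether options have been separated from the client by a space, which exports(5) treats as options applying to every host. The input is a constructed sample that reuses the answer's line and adds two weaker entries.

```shell
#!/bin/sh
# Added example (not from the question or the answers): audit /etc/exports
# for exports that do not enforce Kerberos. Reads exports(5) text on stdin
# and prints one verdict per (export, client) pair.

# Constructed sample: the answer's line plus two weaker entries.
SAMPLE_EXPORTS='# constructed sample /etc/exports
/        10.1.5.0/24(rw,sec=krb5:krb5i:krb5p)
/srv/pub 10.1.5.0/24(ro,sec=sys:krb5)
/srv/old 10.1.5.21(rw) 10.1.5.59 (rw)'

check_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }             # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            tok = $i
            if (tok ~ /^\(/) {
                # "client (opts)": the space makes the options apply to everyone
                print path, "WORLD", "WARN: options separated from client by a space apply to every host"
                continue
            }
            client = tok; opts = ""
            if (match(tok, /\(.*\)$/)) {
                client = substr(tok, 1, RSTART - 1)
                opts = substr(tok, RSTART + 1, RLENGTH - 2)
            }
            sec = ""
            n = split(opts, a, ",")
            for (j = 1; j <= n; j++) if (a[j] ~ /^sec=/) sec = substr(a[j], 5)
            if (sec == "")
                print path, client, "WARN: no sec= option (server default is sec=sys)"
            else if ((":" sec ":") ~ /:sys:/)
                print path, client, "WARN: sec=" sec " still permits sec=sys"
            else
                print path, client, "OK: sec=" sec
        }
    }'
}

# Demo on the constructed sample. On the NFS server run instead:
#   check_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | check_exports
```

A "WARN" for the pseudo-root "/" export is the case that reproduces the question's symptom: with NFSv4 the client negotiates security against the root of the pseudo-filesystem first, so a Kerberos-only mount of kbserver.example.com:/ is refused when that export is not itself offered with a krb5 flavor.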

Original content provided by Server Fault (translation by Tencent Cloud). Original link: https://serverfault.com/questions/927603