NFSv4和kerberos: 50%的访问被拒绝

Question

我们正试图通过kerberos在RHEL 8客户端上挂载NFSv4股份。我们在另一个环境上有一个非常相似的设置，它运行得很好。但是，在这个设置中，我们尝试挂载一个共享的时间大约有50%得到了access denied：

# failed attempt

bash-4.4$ sudo mount -t nfs -o sec=krb5 server.com:/homes/francis test -vvvv
mount.nfs: timeout set for Sat Apr  2 16:28:32 2022
mount.nfs: trying text-based options 'sec=krb5,vers=4.2,addr=192.168.1.89,clientaddr=192.168.2.29'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=192.168.1.89,clientaddr=192.168.2.29'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.1.89,clientaddr=192.168.2.29'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.1.88,clientaddr=192.168.2.29'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,addr=192.168.1.89'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.1.89 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.1.89 prog 100005 vers 3 prot UDP port 32767
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,addr=192.168.1.88'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.1.88 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.1.88 prog 100005 vers 3 prot UDP port 32767
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting hypatia.uio.no:/uioit-usit-drift-homes/francis

# working attempt two seconds later
bash-4.4$ sudo mount -t nfs -o sec=krb5 server.com:/homes/francis test -vvvv
mount.nfs: timeout set for Sat Apr  2 16:30:09 2022
mount.nfs: trying text-based options 'sec=krb5,vers=4.2,addr=192.168.1.88,clientaddr=192.168.2.29'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'sec=krb5,vers=4,minorversion=1,addr=192.168.1.88,clientaddr=192.168.2.29'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.1.88,clientaddr=192.168.2.29'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4,addr=192.168.1.89,clientaddr=192.168.2.29'

我已经检查了客户端上的日志，但是没有太多的日志指出了挂载失败的原因。它只工作一次，两秒钟后就不能工作了。反之亦然。

我起初认为这可能是一个跨挂载的问题，但我也尝试了共享的上层目录，这也是同样的问题。

有什么提示可以说明什么是问题吗？

Answer 1

在我的例子中，问题在于为服务器配置了两个PTR。即使使用rdns=false也没有帮助。当将未解析的PTR移回与服务器主体匹配的主机名时，情况要好得多。

谢谢你的小费。