为什么我在安装Kerberized共享时会出现“无凭据缓存”错误？

Question

我在本地网络上有两个系统，nfsclient (CentOS 7)和nfsserver (CentOS 6)。这些名称正确地解析到它们的IP地址，Kerberos在它们之间工作(nfsserver是KDC)。我在nfsserver上导出了一个KerberizedNFSv4共享；我的/etc/exports如下所示：

/export                 *(rw,sync,fsid=0,no_subtree_check,sec=krb5p)                   
/export/home            *(rw,sync,no_subtree_check,no_root_squash,sec=krb5p)

我可以从nfsclient看到这些出口：

[root@nfsclient ~]# showmount -e nfsserver
Export list for nfsserver:
/export/home *
/export      *

如果删除/etc/exports中的sec=krb5p选项，可以使用

[root@nfsclient ~]# mount -t nfs4 nfsserver:/ /mnt/nfs

然而，当NFS被Kerber化时，事情就不那么顺利了：

[root@nfsclient ~]# mount -t nfs4 -o sec=krb5p nfsserver:/ /mnt/nfs
mount.nfs4: access denied by server while mounting nfsserver:/

这伴随着/var/log/ messages中的一系列重复错误消息：

Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

服务器上的日志中没有显示任何内容。在客户机上运行klist显示root在/tmp/krb5cc_0有一个凭据缓存，因此我认为gss存在问题。

/etc/gssproxy/gssproxy.conf：

[gssproxy]

[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

因此，gssproxy必须在/var/lib/gss/客户端中查找凭据缓存。它还从/etc/krb5.keytab获取密钥(其中包含主体nfs/nfsclient和host/nfsclient的键)。但是，在nfsclient上，/var/lib/gssproxy/客户机似乎始终是空的。

我是不是漏掉了什么？我不知道增加这个份额到底出了什么问题。

Answer 1

在定义缓存的路径时，默认文件配置存在问题。在/etc/gssproxy/gssproxy.conf中，尝试使用客户端的此配置：

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  debug = true

Answer 2

确保您的客户已经加入到域。

ipa-client-install --force-join

那就确保你有票

kinit admin

然后再次检查krb5.keytab

restorecon -v /etc/krb5.keytab

确保您的客户在keytab中

kinit -k

host/ < client > . < domain > @REALM

然后，您应该能够使用sec=krb5p进行安装。