
I am trying to authenticate to another server with Kerberos and get the following response:
[root@ip-10-1-5-59 nfs-test-1]# mount -t nfs4 -o sec=krb5 kbserver.example.com:/ /home/ec2-user/nfs-test-1 --verbose
mount.nfs4: timeout set for Thu Aug 23 00:59:58 2018
mount.nfs4: trying text-based options 'sec=krb5,vers=4.1,addr=10.1.5.21,clientaddr=10.1.5.59'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.1.5.21,clientaddr=10.1.5.59'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting kbserver.example.com:/
If I follow /var/log/messages I see the following log entry, but I am not sure whether it is relevant.
[ec2-user@ip-10-1-5-21 anypoint-nfs-share]$ sudo tail -f /var/log/messages | grep warn
Aug 23 00:59:28 localhost kernel: NFSD: warning: no callback path to client Linux NFSv4.1 ip-10-1-5-59.us-east-2.compute.internal: error -22
On my client, the klist -ke results are as follows:
[root@ip-10-1-5-59 nfs-test-1]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 host/[email protected] (aes256-cts-hmac-sha1-96)
8 host/[email protected] (aes128-cts-hmac-sha1-96)
8 host/[email protected] (des3-cbc-sha1)
8 host/[email protected] (arcfour-hmac)
8 host/[email protected] (camellia256-cts-cmac)
8 host/[email protected] (camellia128-cts-cmac)
8 host/[email protected] (des-hmac-sha1)
8 host/[email protected] (des-cbc-md5)
7 nfs/[email protected] (aes256-cts-hmac-sha1-96)
7 nfs/[email protected] (aes128-cts-hmac-sha1-96)
7 nfs/[email protected] (des3-cbc-sha1)
7 nfs/[email protected] (arcfour-hmac)
7 nfs/[email protected] (camellia256-cts-cmac)
7 nfs/[email protected] (camellia128-cts-cmac)
7 nfs/[email protected] (des-hmac-sha1)
7 nfs/[email protected] (des-cbc-md5)
8 host/[email protected] (aes256-cts-hmac-sha1-96)
8 host/[email protected] (aes128-cts-hmac-sha1-96)
8 host/[email protected] (des3-cbc-sha1)
8 host/[email protected] (arcfour-hmac)
8 host/[email protected] (camellia256-cts-cmac)
8 host/[email protected] (camellia128-cts-cmac)
8 host/[email protected] (des-hmac-sha1)
8 host/[email protected] (des-cbc-md5)
8 nfs/[email protected] (aes256-cts-hmac-sha1-96)
8 nfs/[email protected] (aes128-cts-hmac-sha1-96)
8 nfs/[email protected] (des3-cbc-sha1)
8 nfs/[email protected] (arcfour-hmac)
8 nfs/[email protected] (camellia256-cts-cmac)
8 nfs/[email protected] (camellia128-cts-cmac)
8 nfs/[email protected] (des-hmac-sha1)
8 nfs/[email protected] (des-cbc-md5)
8 nfs/[email protected] (aes256-cts-hmac-sha1-96)
8 nfs/[email protected] (aes128-cts-hmac-sha1-96)
8 nfs/[email protected] (des3-cbc-sha1)
8 nfs/[email protected] (arcfour-hmac)
8 nfs/[email protected] (camellia256-cts-cmac)
8 nfs/[email protected] (camellia128-cts-cmac)
8 nfs/[email protected] (des-hmac-sha1)
8 nfs/[email protected] (des-cbc-md5)
The following nfs/rpc services are enabled on my server:
[ec2-user@ip-10-1-5-21 ~]$ systemctl list-unit-files | grep enabled | grep -E "(nfs|rpc)"
nfs-server.service enabled
nfs.service enabled
rpcbind.service enabled
rpcbind.socket enabled
nfs-client.target enabled
And the following nfs/rpc services are enabled on my client:
[ec2-user@ip-10-1-5-59 nfs-test-1]$ systemctl list-unit-files | grep enabled | grep -E "(nfs|rpc)"
rpcbind.service enabled
rpcbind.socket enabled
nfs-client.target enabled
I just noticed that the following throws an error:
[root@ip-10-1-5-59 nfs-test-1]# sudo systemctl status nfs-secure.service
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
Active: active (running) since Thu 2018-08-23 00:35:16 UTC; 31min ago
Main PID: 32200 (rpc.gssd)
CGroup: /system.slice/rpc-gssd.service
└─32200 /usr/sbin/rpc.gssd -vvv
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: No key table entry found for host/[email protected] while gett...PLE.COM'
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: Success getting keytab entry for nfs/*@EXAMPLE.COM
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: creating tcp client for server kbserver.example.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: creating context with server [email protected]
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: WARNING: Failed to create krb5 context for user with uid 0 for server [email protected]
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.CO...mple.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: WARNING: Failed to create machinekrb5 context with any credentialscache for server kbserver.example.com
Aug 23 00:59:29 ip-10-1-5-59.us-east-2.compute.internal rpc.gssd[32200]: doing error downcall
The following log entries appear in journalctl:
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Success getting keytab entry for nfs/*@EXAMPLE.COM
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating tcp client for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating context with server [email protected]
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create krb5 context for user with uid 0 for server [email protected]
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.COM for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Machine cache prematurelyexpired or corrupted trying torecreate cache for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Full hostname for 'kbserver.example.com' is 'kbserver.example.com'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Full hostname for 'kbclient.example' is 'kbclient.example'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for [email protected] while getting keytab entry for '[email protected]'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for root/[email protected] while getting keytab entry for 'root/[email protected]'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for nfs/[email protected] while getting keytab entry for 'nfs/[email protected]'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: No key table entry found for host/[email protected] while getting keytab entry for 'host/[email protected]'
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: Success getting keytab entry for nfs/*@EXAMPLE.COM
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_EXAMPLE.COM' are good until 1535070934
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating tcp client for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: creating context with server [email protected]
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create krb5 context for user with uid 0 for server [email protected]
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create machine krb5context with cred cache FILE:/tmp/krb5ccmachine_EXAMPLE.COM for server kbserver.example.com
Aug 23 01:09:48 kbclient.example rpc.gssd[32200]: WARNING: Failed to create machinekrb5 context with any credentialscache for server kbserver.example.com
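The rpc.gssd lines above show the order in which the daemon looks for a machine credential in /etc/krb5.keytab: <hostname>@REALM, then root/, nfs/ and host/ principals for the host, and finally any nfs/* entry in the realm. The following script, added here as an example and not part of the original question or of nfs-utils, replays that search over the text output of klist -ke so a keytab can be checked before attempting the mount. The hostnames, realm and keytab listings in it are constructed; only the principal search order is taken from the journal output above.

```python
"""
Reproduce the machine-credential search that rpc.gssd logs above, from the text
output of `klist -ke`, so a keytab can be checked before attempting the mount.

Candidate order follows the lookups printed in the rpc.gssd journal output on
this page: <host>@REALM, root/<host>@REALM, nfs/<host>@REALM, host/<host>@REALM,
then any nfs/*@REALM entry as a wildcard fallback. The keytab listings below are
constructed for this example.
"""
import re
from dataclasses import dataclass

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (RC4, 3DES); they should
# not remain in a keytab on a current deployment.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1",
                 "des3-cbc-sha1", "arcfour-hmac"}

# One `klist -ke` body line: "   8 nfs/host@REALM (aes256-cts-hmac-sha1-96)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str  # e.g. "nfs/kbclient.example.com@EXAMPLE.COM"
    enctype: str


def parse_klist(text):
    """Turn `klist -ke` output into KeytabEntry objects; header lines are skipped."""
    return [KeytabEntry(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def candidate_principals(fqdn, realm):
    """Exact-match candidates in the order rpc.gssd tried them in the journal above."""
    return [f"{fqdn}@{realm}"] + [f"{svc}/{fqdn}@{realm}" for svc in ("root", "nfs", "host")]


def select_machine_principal(entries, fqdn, realm):
    """Return (principal, how) where how is 'exact', 'wildcard' or None."""
    present = {e.principal for e in entries}
    for cand in candidate_principals(fqdn, realm):
        if cand in present:
            return cand, "exact"
    # Wildcard fallback: the first nfs/* entry for the realm, in keytab order,
    # whichever host it was actually issued for.
    for e in entries:
        if e.principal.startswith("nfs/") and e.principal.endswith("@" + realm):
            return e.principal, "wildcard"
    return None, None


def weak_entries(entries):
    """Principal/enctype pairs that use a deprecated enctype."""
    return sorted({f"{e.principal} {e.enctype}" for e in entries
                   if e.enctype in WEAK_ENCTYPES})


def diagnose(klist_text, fqdn, realm):
    """Summarise what rpc.gssd would do with this keytab on host `fqdn`."""
    entries = parse_klist(klist_text)
    principal, how = select_machine_principal(entries, fqdn, realm)
    findings = []
    if how is None:
        findings.append(f"no machine credential: add nfs/{fqdn}@{realm} "
                        f"(or host/{fqdn}@{realm}) to the keytab with ktadd")
    elif how == "wildcard":
        findings.append(f"wildcard fallback chose {principal}: the client holds "
                        f"another host's service key instead of its own")
    for w in weak_entries(entries):
        findings.append(f"deprecated enctype in keytab: {w}")
    return {"principal": principal, "how": how,
            "weak": weak_entries(entries), "findings": findings}


# Constructed sample: a client keytab that only contains the NFS server's keys,
# mirroring the shape of the `klist -ke` listing in the question.
SAMPLE_SERVER_KEYS_ONLY = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/kbserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   8 host/kbserver.example.com@EXAMPLE.COM (arcfour-hmac)
   7 nfs/kbserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 nfs/kbserver.example.com@EXAMPLE.COM (des-cbc-md5)
"""

# Constructed sample: the client's own principals only, AES-only.
SAMPLE_CLIENT_OWN_KEYS = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for label, text in (("server keys only", SAMPLE_SERVER_KEYS_ONLY),
                        ("client's own keys", SAMPLE_CLIENT_OWN_KEYS)):
        result = diagnose(text, "kbclient.example.com", "EXAMPLE.COM")
        print(f"{label}: uses {result['principal']} ({result['how']})")
        for f in result["findings"]:
            print("  -", f)
```

When the wildcard branch fires, the client is about to authenticate with a service key that was issued to a different host. Beyond the failed mount, a keytab that carries another host's nfs/ key lets whoever holds that file act as that NFS server, so the fix is a keytab containing only the client's own principals (nfs/<fqdn> or host/<fqdn>), not a copy of the server's. The enctype check flags the DES, 3DES and RC4 keys that the listing in the question also shows; removing them means regenerating the principal's keys on the KDC with AES enctypes only, not just deleting lines from the keytab file.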
Answer 1
Hard to say. Just in case, have you checked your /etc/exports? It should have at least "sec=krb5", for example:
/ 10.1.5.0/24(rw,sec=krb5:krb5i:krb5p)
Answer 2
The problem was that I needed to have a keytab file with the hosts added. I could not use kadmin.local to ktadd it, so I copied it manually.
On the client:
echo $BASE_64_ENCODED_FILE_FROM_SERVER | base64 -d > /etc/krb5.keytab
kinit -k -t /etc/krb5.keytab
mkdir -p /home/root/nfs-test/2
sudo mount -t nfs4 -o sec=krb5 kbserver.example.com:/ /home/root/nfs-test/2 --verbose
mount.nfs4: timeout set for Fri Aug 24 01:02:58 2018
mount.nfs4: trying text-based options 'sec=krb5,vers=4.1,addr=10.1.5.21,clientaddr=10.1.5.59'