I configured NFS & Kerberos as described here: How to set up a Kerberos NFS server on Red Hat Enterprise Linux 7
All the diagnostics look fine, but when I try to mount my share on the client I get the following message:
mount.nfs4: access denied by server while mounting kdc.example.com:/var/backup
The IPs of both the server and the client are in /etc/hosts (on both the server and the client machine), with the hostname in the first position after the IP. My configuration is:
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
/etc/exports:
/var/backup client.example.com(rw,sync,no_wdelay,nohide,no_subtree_check,no_root_squash,sec=krb5)
/mnt/storage client.example.com(rw,sync,no_wdelay,nohide,no_subtree_check,no_root_squash,sec=krb5)
/var/kerberos/krb5kdc:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
kdc_ports = 88
admin_keytab = /etc/kadm5.keytab
database_name = /var/kerberos/krb5kdc/principal
acl_file = /var/kerberos/krb5kdc/kadm5.acl
key_stash_file = /var/kerberos/krb5kdc/stash
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
The krb5kdc and kadmin services are up and running on the server.
/etc/fstab on the client:
#NFS area
kdc.example.com:/var/backup /mnt/backup nfs4 rsize=65536,wsize=65536,nolock,hard,sec=krb5
kdc.example.com:/mnt/storage /mnt/storage nfs4 rsize=65536,wsize=65536,nolock,hard,sec=krb5
When I run:
mount -vv -t nfs4 -o sec=krb5 kdc.example.com:/var/backup backup
I get the message:
mount.nfs4: timeout set for Mon May 22 23:32:59 2017
mount.nfs4: trying text-based options 'sec=krb5,addr=95.85.33.75,clientaddr=192.168.0.2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting kdc.example.com:/var/backup
First comment: why is clientaddr 192.168.0.2 rather than client.example.com as set in /etc/hosts? In any case, when I add clientaddr=client.example.com to the -o options of mount, I get the same message.
The second message is in /var/log/krb5kdc.log on the server:
CLIENT_NOT_FOUND: [email protected] for krbtgt/[email protected], Client not found in Kerberos database
klist -k on the server:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
3 nfs/[email protected]
3 nfs/[email protected]
3 nfs/[email protected]
klist -k on the client:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/[email protected]
2 host/[email protected]
2 host/[email protected]
2 nfs/[email protected]
2 nfs/[email protected]
2 nfs/[email protected]
kadmin -p root/admin:
kadmin: listprincs
K/[email protected]
[email protected]
host/[email protected]
host/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
nfs/[email protected]
nfs/[email protected]
root/[email protected]
So, what is the problem? Why can't I mount the NFS share?
Answer 1
I ran into the same problem. According to this short tutorial https://www.certdepot.net/rhel7-use-kerberos-control-access-nfs-network-shares/ you should enable the nfs-secure-server service on the server side and the nfs-secure service on the client. That should fix it.
Answer 2
I had the same problem yesterday; it seemed to be caused by a missing principal on the KDC and rpc-gssd.service being stopped on the client.
On the KDC server, run tail -f /var/log/krb5kdc.log; when you attempt to mount the NFS share from the client, the log should show the missing principal (if there is one).
[vagrant@desktop1 ~]$ sudo mount -o sec=krb5 server1:/knfs /knfs -v
mount.nfs: timeout set for Sun Feb 24 09:44:35 2019
mount.nfs: trying text-based options 'sec=krb5,vers=4.1,addr=192.168.121.163,clientaddr=192.168.121.26'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,vers=4.0,addr=192.168.121.163,clientaddr=192.168.121.26'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5,addr=192.168.121.163'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: portmap query failed: RPC: Remote system error - No route to host
^C
[vagrant@desktop1 ~]$
The missing principal is identified in the log output:
[vagrant@server1 ~]$ sudo tail -f /var/log/krb5kdc.log
Feb 24 09:42:35 server1 krb5kdc[2870](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.121.26: LOOKING_UP_SERVER: authtime 0, nfs/[email protected] for nfs/[email protected], Server not found in Kerberos database
Feb 24 09:42:35 server1 krb5kdc[2870](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.121.26: LOOKING_UP_SERVER: authtime 0, nfs/[email protected] for nfs/[email protected], Server not found in Kerberos database
Feb 24 09:42:35 server1 krb5kdc[2870](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.121.26: LOOKING_UP_SERVER: authtime 0, nfs/[email protected] for nfs/[email protected], Server not found in Kerberos database
Feb 24 09:42:35 server1 krb5kdc[2870](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.121.26: LOOKING_UP_SERVER: authtime 0, nfs/[email protected] for nfs/[email protected], Server not found in Kerberos database
The missing principal needs to be added on the KDC, and the client key exported to the client's /etc/krb5.keytab.
sudo kadmin.local -q "ktadd nfs/kerberos.example.com"
sudo kadmin.local -q "ktadd -k /tmp/krb5.keytab nfs/desktop1.example.com"
Keytab on the client:
[vagrant@desktop1 ~]$ sudo klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 nfs/[email protected] (aes256-cts-hmac-sha1-96)
3 nfs/[email protected] (aes128-cts-hmac-sha1-96)
3 nfs/[email protected] (des3-cbc-sha1)
3 nfs/[email protected] (arcfour-hmac)
3 nfs/[email protected] (camellia256-cts-cmac)
3 nfs/[email protected] (camellia128-cts-cmac)
3 nfs/[email protected] (des-hmac-sha1)
3 nfs/[email protected] (des-cbc-md5)
[vagrant@desktop1 ~]$
Permission denied should no longer appear, but a different warning about an invalid argument should appear instead.
[vagrant@desktop1 ~]$ sudo mount -o sec=krb5 server1:/knfs /knfs -v
mount.nfs: timeout set for Sun Feb 24 09:07:32 2019
mount.nfs: trying text-based options 'sec=krb5,vers=4.1,addr=192.168.121.54,clientaddr=192.168.121.195'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,vers=4.0,addr=192.168.121.54,clientaddr=192.168.121.195'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,addr=192.168.121.54'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: portmap query failed: RPC: Remote system error - No route to host
mount.nfs: trying text-based options 'sec=krb5,vers=4.0,addr=192.168.121.54,clientaddr=192.168.121.195'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,addr=192.168.121.54'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: portmap query failed: RPC: Remote system error - No route to host
mount.nfs: trying text-based options 'sec=krb5,vers=4.0,addr=192.168.121.54,clientaddr=192.168.121.195'
mount.nfs: mount(2): Invalid argument
mount.nfs: trying text-based options 'sec=krb5,addr=192.168.121.54'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: portmap query failed: RPC: Remote system error - No route to host
^C
[vagrant@desktop1 ~]$
After starting rpc-gssd.service, the error disappears and the NFS share mounts correctly:
[vagrant@desktop1 ~]$ sudo systemctl start rpc-gssd.service
[vagrant@desktop1 ~]$ sudo mount -o sec=krb5 server1:/knfs /knfs -v
mount.nfs: timeout set for Sun Feb 24 09:07:47 2019
mount.nfs: trying text-based options 'sec=krb5,vers=4.1,addr=192.168.121.54,clientaddr=192.168.121.195'
[vagrant@desktop1 ~]$
The tickets look like this:
[vagrant@desktop1 ~]$ sudo klist -e
Ticket cache: KEYRING:persistent:0:krb_ccache_kfAgj83
Default principal: nfs/[email protected]
Valid starting Expires Service principal
01/01/70 00:00:00 01/01/70 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY:
[vagrant@desktop1 ~]$
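The diagnosis in this answer (read krb5kdc.log for "not found in Kerberos database", then compare what the keytabs actually hold) can be automated. The following is an added example, not code from the question or the answers: it extracts the unknown principals from KDC log lines, checks that a client keytab holds the expected nfs/<fqdn>@REALM entry, flags single-DES, 3DES and RC4 keys (the kdc.conf in the question still enables DES), and reports principals whose KVNO differs between two keytabs, the situation the question's listings show (KVNO 3 on the server, 2 on the client), which means one side holds a stale key. All log lines, keytab listings and host names are constructed for the example; the page's own principal names are obscured and are not reproduced.

```python
import re

# Constructed sample krb5kdc.log lines, modelled on the excerpts in the question and in
# this answer. Host and principal names are constructed, not taken from the page.
SAMPLE_KDC_LOG = """\
Feb 24 09:42:35 server1 krb5kdc[2870](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.121.26: LOOKING_UP_SERVER: authtime 0, nfs/desktop1.example.com@EXAMPLE.COM for nfs/server1.example.com@EXAMPLE.COM, Server not found in Kerberos database
May 22 23:32:40 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.2: CLIENT_NOT_FOUND: nfs/client.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Feb 24 09:44:01 server1 krb5kdc[2870](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.121.26: ISSUE: authtime 1551001441, etypes {rep=18 tkt=18 ses=18}, nfs/desktop1.example.com@EXAMPLE.COM for nfs/server1.example.com@EXAMPLE.COM
"""

# Constructed `klist -ek` output for the client and for the KDC host. The client copy is
# one KVNO behind for its nfs/ principal, which is what a re-run of `ktadd` produces.
SAMPLE_CLIENT_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/desktop1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 nfs/desktop1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 nfs/desktop1.example.com@EXAMPLE.COM (des3-cbc-sha1)
   3 nfs/desktop1.example.com@EXAMPLE.COM (arcfour-hmac)
   3 nfs/desktop1.example.com@EXAMPLE.COM (des-cbc-md5)
"""
SAMPLE_SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 nfs/desktop1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# "<client> for <server>, Client|Server not found in Kerberos database"
MISSING_RE = re.compile(
    r"(?P<client>\S+) for (?P<server>\S+), (?P<which>Client|Server) not found in Kerberos database"
)
# "   3 nfs/host@REALM (enctype)" as printed by `klist -ek`
KEYTAB_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<etype>[^)]+)\)\s*$")

# Single DES is broken; triple DES and RC4 (arcfour) are deprecated by RFC 8429.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
               "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}


def missing_principals(log_text):
    """Ordered, de-duplicated (principal, role) pairs the KDC reported as unknown.

    role is "client" for CLIENT_NOT_FOUND (the requesting principal is missing, as in
    the question) and "server" for LOOKING_UP_SERVER (the target nfs/ service is missing).
    """
    found = []
    for line in log_text.splitlines():
        m = MISSING_RE.search(line)
        if not m:
            continue
        role = m.group("which").lower()
        principal = m.group("client") if role == "client" else m.group("server")
        if (principal, role) not in found:
            found.append((principal, role))
    return found


def parse_keytab(klist_text):
    """(kvno, principal, enctype) triples from `klist -ek` output; header lines are skipped."""
    return [(int(m.group("kvno")), m.group("principal"), m.group("etype"))
            for m in map(KEYTAB_RE.match, klist_text.splitlines()) if m]


def check_client_keytab(klist_text, client_fqdn, realm):
    """Is nfs/<client_fqdn>@<realm> in the keytab, and with which KVNOs and weak enctypes?"""
    required = f"nfs/{client_fqdn}@{realm}"
    entries = [e for e in parse_keytab(klist_text) if e[1] == required]
    return {
        "required": required,
        "present": bool(entries),
        "kvnos": sorted({k for k, _, _ in entries}),
        "weak_enctypes": sorted({e for _, _, e in entries if e in WEAK_ETYPES}),
    }


def kvno_mismatches(keytab_a, keytab_b):
    """Principals in both keytabs whose KVNO differs: the lower side holds a stale key."""
    a = {p: k for k, p, _ in parse_keytab(keytab_a)}
    b = {p: k for k, p, _ in parse_keytab(keytab_b)}
    return {p: (a[p], b[p]) for p in a if p in b and a[p] != b[p]}


if __name__ == "__main__":
    for principal, role in missing_principals(SAMPLE_KDC_LOG):
        print(f"KDC does not know {role} principal {principal}")
    print(check_client_keytab(SAMPLE_CLIENT_KEYTAB, "desktop1.example.com", "EXAMPLE.COM"))
    print(kvno_mismatches(SAMPLE_CLIENT_KEYTAB, SAMPLE_SERVER_KEYTAB))
```

On a real host, feed it `sudo klist -ek` and the KDC log instead of the constructed strings. A "server" role means the NFS server's nfs/ principal is missing from the KDC (fix with `kadmin.local -q "addprinc -randkey nfs/<server-fqdn>"` before `ktadd`); a "client" role means the client's own principal is missing, and a KVNO mismatch means `ktadd` was run again after the keytab was copied, so the older copy must be re-exported.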
Answer 3
I know this is a bit old, but if you are still looking for it: I ran into a similar problem and found the solution myself. You can find it in my answer to the question "Fedora 26 NFS + Kerberos "Pre-authentication failed" (mount results in Permission denied)"; I am fairly sure RHEL can follow the same settings.
Answer 4
I ran into a similar problem on a RHEL 7 server in an environment where Kerberos is managed by FreeIPA. Some background:
This is an AD / FreeIPA environment in which FreeIPA (server idm.nix.example.com) has a two-way trust with the Windows DC dc.example.com. Both the Linux and Windows servers are on the same subnet, 172.16.0.0/24. Because MSAD was built first, the reverse zone for nix.example.com hosts was not created dynamically when FreeIPA was configured. This is a known issue, tracked in this BugZilla.
When running the mount command, the following error appears. There is no corresponding error on the NFS server:
[root@idm1 ~]# mount -v -o sec=krb5:krb5i:krb5p -t nfs 172.16.0.9:/share /mnt
mount.nfs: timeout set for Tue Sep 8 21:58:01 2020
mount.nfs: trying text-based options 'sec=krb5:krb5i:krb5p,vers=4.1,addr=172.16.0.9,clientaddr=172.16.0.6'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5:krb5i:krb5p,vers=4.0,addr=172.16.0.9,clientaddr=172.16.0.6'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'sec=krb5:krb5i:krb5p,addr=172.16.0.9'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 172.16.0.9 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 172.16.0.9 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 172.16.0.9:/share
By chance, I happened to run systemctl status rpc-gssd.service and got the following error:
[root@idm1 ~]# systemctl status rpc-gssd.service
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
Active: active (running) since Tue 2020-09-08 15:32:28 EDT; 6h ago
Process: 28217 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
Main PID: 28218 (rpc.gssd)
CGroup: /system.slice/rpc-gssd.service
└─28218 /usr/sbin/rpc.gssd
Sep 08 21:50:39 idm1.nix.example.com rpc.gssd[28218]: **ERROR: unable to resolve 172.16.0.9 to hostname: Name or service not known**
Sep 08 21:50:39 idm1.nix.example.com rpc.gssd[28218]: **ERROR: failed to parse nfs/clntf3/info**
Because this NIX environment does not create PTR records dynamically, you have to add the NFS server to /etc/hosts or create the relevant PTR record manually. You can verify that this fixes the problem by adding the NFS server to /etc/hosts:
[root@idm1 ~]# echo "172.16.0.9 nfs.nix.example.com" >> /etc/hosts
[root@idm1 ~]# ls /mnt
hgfs
[root@idm1 ~]# mount -v -o sec=krb5:krb5i:krb5p -t nfs 172.16.0.9:/share /mnt
mount.nfs: timeout set for Tue Sep 8 22:01:00 2020
mount.nfs: trying text-based options 'sec=krb5:krb5i:krb5p,vers=4.1,addr=172.16.0.9,clientaddr=172.16.0.6'
[root@idm1 ~]# ls /mnt
idm1 idm1-2
Long story short: in an MSAD <-> IPA trust environment, make sure something is providing PTR records for services such as NFS, because they are not created dynamically.
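The rpc.gssd error in this answer ("unable to resolve 172.16.0.9 to hostname") happens because the GSS client needs a hostname to build the nfs/<fqdn>@REALM service name it requests from the KDC; when the mount target is an IP address, that hostname has to come from a reverse lookup. The following is an added example, not code from the answer or from the nfs-utils project: it reproduces that decision over a constructed /etc/hosts table standing in for the system resolver, so a pre-mount check can tell a missing PTR/hosts entry apart from a keytab problem. The realm NIX.EXAMPLE.COM is assumed (the answer does not state it) and all addresses and names are constructed after the answer above.

```python
import ipaddress

# Constructed /etc/hosts content standing in for the system resolver (on a default RHEL
# install nsswitch consults files before DNS). 172.16.0.9 is the NFS server the answer
# adds by hand; the other entries are constructed.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
172.16.0.6  idm1.nix.example.com idm1
172.16.0.9  nfs.nix.example.com nfs   # added by hand, as in the answer above
"""


def parse_hosts(text):
    """Map each address to its name list (canonical name first), skipping comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        table.setdefault(addr, []).extend(names)
    return table


def reverse_lookup(addr, hosts_text):
    """Canonical hostname for addr from the hosts table, or None (the rpc.gssd failure above)."""
    names = parse_hosts(hosts_text).get(addr)
    return names[0] if names else None


def nfs_service_principal(target, realm, hosts_text):
    """The nfs/<fqdn>@REALM name a GSS client needs for a mount target.

    A hostname target is used as given; an IP-address target must reverse-resolve
    first, which is the step that fails with "unable to resolve ... to hostname".
    Returns None when that lookup fails, so the caller knows to fix the PTR or
    /etc/hosts entry rather than the keytab.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return f"nfs/{target.lower()}@{realm}"
    fqdn = reverse_lookup(target, hosts_text)
    return f"nfs/{fqdn.lower()}@{realm}" if fqdn else None


if __name__ == "__main__":
    # Assumed realm NIX.EXAMPLE.COM; the answer does not state it.
    for target in ("172.16.0.9", "172.16.0.99", "nfs.nix.example.com"):
        print(target, "->", nfs_service_principal(target, "NIX.EXAMPLE.COM", SAMPLE_HOSTS))
```

Mounting by hostname (`nfs.nix.example.com:/share`) sidesteps the reverse lookup entirely, but the forward name must then match the principal in the server's keytab; mounting by IP works only once the address maps back to that same name, which is exactly what the `echo ... >> /etc/hosts` step in the answer provides.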