Why do I get a "No credentials cache found" error when mounting a Kerberized NFS share?

I have two systems on my local network: nfsclient (CentOS 7) and nfsserver (CentOS 6). These names resolve correctly to their IP addresses, and Kerberos works between them (nfsserver is the KDC). I export a Kerberized NFSv4 share on nfsserver; my /etc/exports looks like this:

/export                 *(rw,sync,fsid=0,no_subtree_check,sec=krb5p)
/export/home            *(rw,sync,no_subtree_check,no_root_squash,sec=krb5p)

I can see these exports from nfsclient:

[root@nfsclient ~]# showmount -e nfsserver
Export list for nfsserver:
/export/home *
/export      *

If I remove the sec=krb5p option from /etc/exports, I can mount the share from nfsclient:

[root@nfsclient ~]# mount -t nfs4 nfsserver:/ /mnt/nfs

However, when NFS uses Kerberos, things go less smoothly:

[root@nfsclient ~]# mount -t nfs4 -o sec=krb5p nfsserver:/ /mnt/nfs
mount.nfs4: access denied by server while mounting nfsserver:/

This is accompanied by a series of repeated error messages in /var/log/messages:

Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Jun 22 19:55:02 oxo gssproxy: gssproxy[769]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

Nothing shows up in the logs on the server. Running klist on the client shows that root has a credentials cache at /tmp/krb5cc_0, so I think the problem is with gss-proxy.

/etc/gssproxy/gssproxy.conf:

[gssproxy]

[service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

[service/nfs-server]
  mechs = krb5
  socket = /run/gssproxy.sock
  cred_store = keytab:/etc/krb5.keytab
  trusted = yes
  kernel_nfsd = yes
  euid = 0

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0

So gss-proxy must be looking for the credentials cache in /var/lib/gssproxy/clients. It also takes its keys from /etc/krb5.keytab (which contains keys for the principals nfs/nfsclient and host/nfsclient). However, /var/lib/gssproxy/clients on nfsclient always seems to be empty.

Am I missing something here? I can't figure out what exactly is going wrong with mounting this share.

Answer 1

There is a problem with the default file configuration when defining the cache path. Try the following client configuration in /etc/gssproxy/gssproxy.conf:

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
  debug = true
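The mismatch the question and this answer turn on is that gssproxy resolves its own cred_store ccache path (with %U expanded to the caller's uid), not the cache klist shows for root. The helper below is an added diagnostic, not code from the original post: it extracts the ccache path for a given gssproxy service section and checks whether it is the default per-user cache kinit writes to (/tmp/krb5cc_UID). The two configs are constructed samples mirroring the question's nfs-client section and this answer's replacement.

```shell
# Print the ccache path from the cred_store line of [service/SERVICE] in CONF,
# with the %U placeholder expanded to UID and any FILE: prefix dropped.
gssproxy_ccache_path() {
  conf=$1 service=$2 uid=$3
  awk -v sec="[service/$service]" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == "cred_store" && $3 ~ /^ccache:/ {
      sub(/^ccache:(FILE:)?/, "", $3); print $3; exit
    }' "$conf" | sed "s/%U/$uid/g"
}

# Succeeds when the configured path is the default cache kinit uses for UID,
# i.e. /tmp/krb5cc_UID (the location klist reported in the question).
ccache_matches_default() {
  [ "$(gssproxy_ccache_path "$1" "$2" "$3")" = "/tmp/krb5cc_$3" ]
}

# Constructed samples (assumed, not copied from a live host): the question's
# nfs-client section, then the replacement from this answer.
BROKEN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
cat >"$BROKEN_CONF" <<'EOF'
[service/nfs-server]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  kernel_nfsd = yes

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
EOF
cat >"$FIXED_CONF" <<'EOF'
[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/tmp/krb5cc_%U
  cred_usage = initiate
EOF

# Report, for uid 0, where gssproxy will look and whether that is the kinit default.
for f in "$BROKEN_CONF" "$FIXED_CONF"; do
  if ccache_matches_default "$f" nfs-client 0; then verdict=matches; else verdict="does not match"; fi
  printf '%s %s the default /tmp/krb5cc_0\n' "$(gssproxy_ccache_path "$f" nfs-client 0)" "$verdict"
done
```

Run it against the real /etc/gssproxy/gssproxy.conf and the uid doing the mount to see which cache file gssproxy is actually opening.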

Answer 2

Make sure your client is joined to the domain:

ipa-client-install --force-join

Then make sure you have a ticket:

kinit admin

Then double-check krb5.keytab:

restorecon -v /etc/krb5.keytab

Make sure your client is in the keytab:

kinit -k

host/<client>.<domain>@REALM

Then you should be able to mount with sec=krb5p.
