Ldap

帶有 samba、sssd、openldap、kerberos 的 autofs

  • March 8, 2020

我想用 autofs 掛載一個 samba 共享。

srv.xxxxxxx.net 是 samba 伺服器(proxmox 容器,Debian 10)

ldap2.xxxxxxx.net 是 openldap(proxmox 容器,Debian 10)

gui.xxxxxxx.net 是客戶端(proxmox vm,Ubuntu 18.04)

Samba 以獨立模式執行(無活動目錄)

共享為 /srv/test

ls -l /srv/
drwxrwxrwx 2 test05 Domain Users 4096 Feb  8 11:41 test

autofs 配置保存在 openldap 中

dn: cn=test,ou=auto.mnt,ou=automount,ou=services,dc=lan,dc=xxxxxxx,dc=net
cn: test
objectClass: automount
objectClass: top
description: /srv/test on Samba
automountInformation: -fstype=cifs,multiuser,user=${USER},cruid=test05,sec=krb5 ://srv.xxxxxxx.net/test

/etc/autofs_ldap_auth.conf

   <?xml version="1.0" ?>
   <autofs_ldap_sasl_conf
           usetls="no"
           tlsrequired="no"
           authrequired="yes"
           authtype="GSSAPI"
           clientprinc="host/gui.xxxxxxx.net"
   />

啟動服務 autofs 時,會創建掛載點

ls -lisa /mnt
insgesamt 4
22776 0 drwxr-xr-x  4 root root    0 mars   2 15:25 .
   2 4 drwxr-xr-x 25 root root 4096 mars   2 10:02 ..
22778 0 dr-xr-xr-x  2 root root    0 mars   2 15:25 exchange
22777 0 dr-xr-xr-x  2 root root    0 mars   2 15:25 test   <---- created by autofs

但是當使用者嘗試 cd 進入測試目錄時,他得到一個錯誤

test05@gui:/mnt$ cd test
bash: cd: test: File or directory not found (translated from german)

在自動掛載日誌中,我發現了這條消息

cifs.upcall: get_tgt_time: unable to get principal

我認為這是我的問題,但我不知道如何解決它。

當我將我的日誌與我在 google 上找到的其他日誌進行比較時,我發現 ccache 類型有所不同。

在我的日誌中

cifs.upcall: get_cachename_from_process_env: pathname=/proc/2239/environ
cifs.upcall: get_cachename_from_process_env: cachename = MEMORY:_autofstkt
cifs.upcall: get_existing_cc: default ccache is MEMORY:_autofstkt

在所有其他日誌中,我發現類似

cifs.upcall: get_cachename_from_process_env: pathname=/proc/1234/environ  
cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_12345678  

這是我的配置錯誤嗎?

NSS 和 kerberos 身份驗證似乎有效:

klist
Ticket cache: FILE:/tmp/krb5cc_10105_YxoDWF
Default principal: test05@XXXXXXX.NET
id test05
uid=10105(test05) gid=512(Domain Admins) Gruppen=512(Domain Admins)
ldapwhoami
SASL/GSSAPI authentication started
SASL username: test05@XXXXXXX.NET
SASL SSF: 56
SASL data security layer installed.
dn:uid=test05,ou=users,dc=lan,dc=xxxxxxx,dc=net

自動掛載日誌

Mar  2 16:01:28 gui automount[808]: handle_packet: type = 3
Mar  2 16:01:28 gui automount[808]: handle_packet_missing_indirect: token 9, name test, request pid 1753
Mar  2 16:01:28 gui automount[808]: attempting to mount entry /mnt/test
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): expanded entry: -fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5 ://srv.xxxxxxx.net/test
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): gathered options: fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): dequote("://srv.xxxxxxx.net/test") -> ://srv.xxxxxxx.net/test
Mar  2 16:01:28 gui automount[808]: parse_mount: parse(sun): core of entry: options=fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5, loc=://srv.xxxxxxx.net/test
Mar  2 16:01:28 gui automount[808]: sun_mount: parse(sun): mounting root /mnt, mountpoint test, what //srv.xxxxxxx.net/test, fstype cifs, options multiuser,user=test05,cruid=test05,sec=krb5
Mar  2 16:01:28 gui automount[808]: do_mount: //srv.xxxxxxx.net/test /mnt/test type cifs options multiuser,user=test05,cruid=test05,sec=krb5 using module generic
Mar  2 16:01:28 gui automount[808]: mount_mount: mount(generic): calling mkdir_path /mnt/test
Mar  2 16:01:28 gui automount[808]: mount_mount: mount(generic): calling mount -t cifs -o multiuser,user=test05,cruid=test05,sec=krb5 //srv.xxxxxxx.net/test /mnt/test
Mar  2 16:01:28 gui kernel: [ 2177.233113] CIFS: Attempting to mount //srv.xxxxxxx.net/test
Mar  2 16:01:28 gui kernel: [ 2177.233133] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Mar  2 16:01:28 gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv.xxxxxxx.net;ip4=192.168.1.121;sec=krb5;uid=0x0;creduid=0x2779;user=test05;pid=0x8bf
Mar  2 16:01:28 gui cifs.upcall: ver=2
Mar  2 16:01:28 gui cifs.upcall: host=srv.xxxxxxx.net
Mar  2 16:01:28 gui cifs.upcall: ip=192.168.1.121
Mar  2 16:01:28 gui cifs.upcall: sec=1
Mar  2 16:01:28 gui cifs.upcall: uid=0
Mar  2 16:01:28 gui cifs.upcall: creduid=10105
Mar  2 16:01:28 gui cifs.upcall: user=test05
Mar  2 16:01:28 gui cifs.upcall: pid=2239
Mar  2 16:01:28 gui cifs.upcall: get_cachename_from_process_env: pathname=/proc/2239/environ
Mar  2 16:01:28 gui cifs.upcall: get_cachename_from_process_env: cachename = MEMORY:_autofstkt
Mar  2 16:01:28 gui cifs.upcall: get_existing_cc: default ccache is MEMORY:_autofstkt
Mar  2 16:01:28 gui kernel: [ 2177.243918] CIFS VFS: Send error in SessSetup = -126
Mar  2 16:01:28 gui kernel: [ 2177.243931] CIFS VFS: cifs_mount failed w/return code = -2
Mar  2 16:01:28 gui cifs.upcall: get_tgt_time: unable to get principal
Mar  2 16:01:28 gui cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Mar  2 16:01:28 gui cifs.upcall: Exit status 1
Mar  2 16:01:28 gui automount[808]: >> mount error(2): No such file or directory
Mar  2 16:01:28 gui automount[808]: >> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Mar  2 16:01:28 gui automount[808]: mount(generic): failed to mount //srv.xxxxxxx.net/test (type cifs) on /mnt/test
Mar  2 16:01:28 gui automount[808]: dev_ioctl_send_fail: token = 9
Mar  2 16:01:28 gui automount[808]: failed to mount /mnt/test
Mar  2 16:01:28 gui automount[808]: handle_packet: type = 3
Mar  2 16:01:28 gui automount[808]: handle_packet_missing_indirect: token 10, name test, request pid 1753
Mar  2 16:01:28 gui automount[808]: dev_ioctl_send_fail: token = 10

sssd日誌

==> /var/log/sssd/sssd_nss.log <==
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 10105
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #257: New request 'User by ID'
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #257: Performing a multi-domain search
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #257: Search will check the cache and check the data provider
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #257: Using domain [xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #257: Looking up UID:10105@xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #257: Checking negative cache for [UID:10105@xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #257: [UID:10105@xxxxxxx.net] is not present in negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #257: Looking up [UID:10105@xxxxxxx.net] in cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #257: Returning [UID:10105@xxxxxxx.net] from cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #257: Filtering out results by negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #257: Found 1 entries in domain xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #257: Finished: Success
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 512
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #258: New request 'Group by ID'
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #258: Performing a multi-domain search
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #258: Search will check the cache and check the data provider
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #258: Using domain [xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #258: Looking up GID:512@xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #258: Checking negative cache for [GID:512@xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #258: [GID:512@xxxxxxx.net] is not present in negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #258: Looking up [GID:512@xxxxxxx.net] in cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #258: Object found, but needs to be refreshed.
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #258: Performing midpoint cache update of [GID:512@xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x558d3052be70:2:512@xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [xxxxxxx.net][0x2][BE_REQ_GROUP][idnumber=512:-]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x558d3052be70:2:512@xxxxxxx.net]
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #258: Filtering out results by negative cache
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #258: Found 1 entries in domain xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #258: Finished: Success
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [nss_protocol_fill_members] (0x0400): Group [Domain Admins] member [root@xxxxxxx.net] filtered out! (negative cache)

==> /var/log/sssd/sssd_xxxxxxx.net.log <==
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=512]
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): DP Request [Account #34]: New request. Flags [0x0001].
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=lan,dc=xxxxxxx,dc=net]
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=512)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=lan,dc=xxxxxxx,dc=net].
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_process_missing_member_2307] (0x0400): Adding a ghost entry
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_save_group] (0x0400): Processing group Domain Admins@xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_save_group] (0x0400): Storing info for group Domain Admins@xxxxxxx.net
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_done] (0x0400): DP Request [Account #34]: Request handler finished [0]: Erfolg
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [_dp_req_recv] (0x0400): DP Request [Account #34]: Receiving request data.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #34]: Finished. Success.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::xxxxxxx.net:idnumber=512] from reply table
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): DP Request [Account #34]: Request removed.
(Mon Mar  2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): Number of active DP request: 0

==> /var/log/sssd/sssd_nss.log <==
(Mon Mar  2 16:01:28 2020) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x558d3052be70:2:512@xxxxxxx.net]

ldap 日誌

Mar  2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SRCH base="dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(gidNumber=512)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Mar  2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 fd=25 ACCEPT from IP=192.168.1.130:48108 (IP=0.0.0.0:389)
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=0 BIND dn="" method=163
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: 
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=1 BIND dn="" method=163
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: 
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND dn="" method=163
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND authcid="host/gui.xxxxxxx.net@XXXXXXX.NET" authzid="host/gui.xxxxxxx.net@XXXXXXX.NET"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND dn="cn=gui,ou=hosts,ou=sssd,ou=services,dc=lan,dc=xxxxxxx,dc=net" mech=GSSAPI sasl_ssf=0 ssf=0
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 RESULT tag=97 err=0 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SRCH base="ou=auto.mnt,ou=automount,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(objectClass=automount)(|(cn=test)(cn=/)(cn=\2A)))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SRCH attr=cn automountInformation
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 op=4 UNBIND
Mar  2 15:01:28 ldap2 slapd[359]: conn=1237 fd=25 closed
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SRCH base="cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=test05@XXXXXXX.NET))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SRCH base="cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/XXXXXXX.NET@XXXXXXX.NET))"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SRCH base="cn=user,cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SRCH attr=cn krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval krbpwdlockoutduration krbpwdattributes krbpwdmaxlife krbpwdmaxrenewablelife krbpwdallowedkeysalts
Mar  2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SEARCH RESULT tag=101 err=0 nentries=1 text=

感謝您花時間查看我的問題

編輯:

/etc/krb5.conf(每台主機都一樣)

[libdefaults]
   default_realm = XXXXXXX.NET
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true

[realms]
   XXXXXXX.NET = {
       kdc = kerb.xxxxxxx.net
       admin_server = kerb.xxxxxxx.net
   }   
[domain_realm]
       .xxxxxxx.net = XXXXXXX.NET
       xxxxxxx.net = XXXXXXX.NET
[logging]
   default = FILE:/var/log/krb5.log

我發現了問題。

在 srv.xxxxxxx.net 我必須安裝包keyutils

但是現在當我嘗試掛載 samba 共享時,我遇到了另一種奇怪的行為。我會為此提出一個新問題。

使用 autofs 掛載 samba 共享時的奇怪行為

引用自:https://serverfault.com/questions/1005327