Ubuntu

nfs4 和 kerberos:請求中的主體錯誤

  • January 27, 2016

我的客戶端/伺服器都在執行 Ubuntu 14.04,並且 kerberos 使用者身份驗證按預期工作。正常的 nfs4 安裝也可以正常工作。所有機器都在執行 heimdal 庫。

不過,我無法讓 kerberized nfs4 正常工作。

安裝共享時,我在日誌中得到以下條目:

NFS4 伺服器:

 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: leaving poll
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: handling null request
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: WARNING: gss_accept_sec_context failed
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: sending null reply
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: writing message: \x \x6082029206092a864886f71201020201006e8202813082027da003020105a10302010ea20703050020000000a382017a6182017630820172a003020105a10b1b09504f4f4c532e534749a22b3029a003020101a12230201b036e66731b197073692e696e666f726d6174696b2e756e692d756c6d2e6465a382012f3082012ba003020112a103020101a282011d04820119a832e1fb8bf9170fa8a1f689868e2e4bacd8d4d1490c1d336b8bd90a61a11c8b669c5204fe73339f0fdab3d4770b78fdd745f5186a94ea55db90dbde79dc6c5b68c7c1ecba74f723c3fa3eb90ea412518c5da92497276b8a6e369ebb381ebdffa5d1d81e635c4e772892541f4c44475a5d87fc352c43c6e7dc6c0b37875383ec828a2d896948588fd84d442b6bf84b988f5e9bd251d2f71ea582709ecae4bd226705d263081f1036a85d0f13c240d740bf4377f7b6409dde7bd52acdcb396ea181cd54146bd93457801dd9edd0fcb1e27467e0f6ef615dae3f69a96060c463128875cbd414d6bf83af55c5132c814b9af5584852e21373fa774c05760e2c58eb719873c06c26acb2858dd6c4a81c89389cfede089df28f3e7ba481e93081e6a003020112a281de0481dbeedce4152a95ffbd19cccdb67033950e3b1c4aa2dca3b4ad147c9676286b726b02d8cc95b5fd842a2676551e10696ed4f3dfd2c91ec0f674a2017e97ab102aa13fefe02281de5116e8a4e62f93a4e0aff431155ae8b77229f71a6c03278e265eb7752b742b491adbbe5589263e19cf61f7b99cb615c97acc5b87a6008151c52ae4d6dd702a2d545cd23425df58ee37609930e0399fb4cf391a07fa08aa66da40a48491ce1fe6a9f58c30d4af039d191aa4f7b8e7c912ab76fcff685fc0ed6a82559f58b454d4cf61c28d3f962bfc43b265ce7d50ca769e1087bbfe 1403429173 851968 2529639056 \x \x 
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: finished handling null request
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: entering poll
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: leaving poll
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: handling null request
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: WARNING: gss_accept_sec_context failed
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Wrong principal in request
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: sending null reply
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: writing message: \x \x6082029206092a864886f71201020201006e8202813082027da003020105a10302010ea20703050020000000a382017a6182017630820172a003020105a10b1b09504f4f4c532e534749a22b3029a003020101a12230201b036e66731b197073692e696e666f726d6174696b2e756e692d756c6d2e6465a382012f3082012ba003020112a103020101a282011d04820119a832e1fb8bf9170fa8a1f689868e2e4bacd8d4d1490c1d336b8bd90a61a11c8b669c5204fe73339f0fdab3d4770b78fdd745f5186a94ea55db90dbde79dc6c5b68c7c1ecba74f723c3fa3eb90ea412518c5da92497276b8a6e369ebb381ebdffa5d1d81e635c4e772892541f4c44475a5d87fc352c43c6e7dc6c0b37875383ec828a2d896948588fd84d442b6bf84b988f5e9bd251d2f71ea582709ecae4bd226705d263081f1036a85d0f13c240d740bf4377f7b6409dde7bd52acdcb396ea181cd54146bd93457801dd9edd0fcb1e27467e0f6ef615dae3f69a96060c463128875cbd414d6bf83af55c5132c814b9af5584852e21373fa774c05760e2c58eb719873c06c26acb2858dd6c4a81c89389cfede089df28f3e7ba481e93081e6a003020112a281de0481dbfb0d5aa8041f95bbe86f7b8e6dcfb68a1c214d89bb8b5a7712b12e1346289ecf947595d783de2e5ceb32146a5a20c900097b495869d6d3b0533eed0407d71ecf7034a0e18805b5bfbdf3f5f543a70dbe86825d5bda491b4cbbe2ace745f4ae1d0e4d60a7fcc2089915236f59d9357f4ec549022c4aab322ed47b168507003fb5768b9e4c77c57b88b7f74b007dc0837ed560d9af6103aa105f53ecbc7b53c5e9170ad0add67b14a988b1388f93558cc43c4622eea107482e4f320ebbee3fe48acceb5e3e70a33f5ac7a5923c4251b1625e75179096c8b3de7fd934 1403429173 851968 2529639056 \x \x 
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: finished handling null request
 Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: entering poll

導出文件:

/srv XXX.XXX.209.0/24(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                                          
/srv tip*.example.com(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                               
/srv pclab*.example.com(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                             
                                                                   
/srv/home XXX.XXX.209.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                                            
/srv/home tip*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                                 
/srv/home pclab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                               
/srv/home XXX.XXX.208.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                                            
/srv/home wslab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                               
                                                                   
/srv/grpdrvs XXX.XXX.209.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                                         
/srv/grpdrvs tip*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                              
/srv/grpdrvs pclab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                            
/srv/grpdrvs XXX.XXX.208.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)                                         
                               

/etc/主機:

127.0.0.1       localhost
XXX.XXX.209.52   SERVER.example.com      SERVER

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

伺服器和客戶端:

/etc/idmapd:

[General]

Verbosity = 5
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
Domain = example.com
Local-Realms = REALM
[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

NFS4 客戶端:

掛載請求:

 mount -t nfs4 -o sec=krb5 SERVER:/ /mnt/temp/ -vvvv
 mount: fstab path: "/etc/fstab"
 mount: mtab path:  "/etc/mtab"
 mount: lock path:  "/etc/mtab~"
 mount: temp path:  "/etc/mtab.tmp"
 mount: UID:        0
 mount: eUID:       0
 mount: spec:  "SERVER:/"
 mount: node:  "/mnt/temp/"
 mount: types: "nfs4"
 mount: opts:  "sec=krb5"
 mount: external mount: argv[0] = "/sbin/mount.nfs4"
 mount: external mount: argv[1] = "SERVER:/"
 mount: external mount: argv[2] = "/mnt/temp/"
 mount: external mount: argv[3] = "-v"
 mount: external mount: argv[4] = "-o"
 mount: external mount: argv[5] = "rw,sec=krb5"
 mount.nfs4: timeout set for Sun Jun 22 11:24:33 2014
 mount.nfs4: trying text-based options 'sec=krb5,addr=XXX.XXX.XXX.52,clientaddr=XXX.XXX.XXX.42'
 mount.nfs4: mount(2): Permission denied
 mount.nfs4: access denied by server while mounting SERVER:/

客戶端日誌:

 Jun 22 11:25:13 CLIENT rpc.gssd[708]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt0)
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt0)
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: process_krb5_upcall: service is '<null>'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'SERVER.example.com' is 'SERVER.example.com'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'CLIENT.example.com' is 'CLIENT.example.com'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for root/CLIENT.example.com@REALM while getting keytab entry for 'root/CLIENT.example.com@'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: Success getting keytab entry for 'nfs/CLIENT.example.com@'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: using FILE:/tmp/krb5ccmachine_REALM as credentials cache for machine creds
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_REALM
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context using fsuid 0 (save_uid 0)
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating tcp client for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: DEBUG: port already set to 2049
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context with server nfs@SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create krb5 context for user with uid 0 for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_REALM for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'SERVER.example.com' is 'SERVER.example.com'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'CLIENT.example.com' is 'CLIENT.example.com'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for root/CLIENT.example.com@REALM while getting keytab entry for 'root/CLIENT.example.com@'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: Success getting keytab entry for 'nfs/CLIENT.example.com@'
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: using FILE:/tmp/krb5ccmachine_REALM as credentials cache for machine creds
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_REALM
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context using fsuid 0 (save_uid 0)
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating tcp client for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: DEBUG: port already set to 2049
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context with server nfs@SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create krb5 context for user with uid 0 for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_REALM for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with any credentials cache for server SERVER.example.com
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: doing error downcall
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfs/clnte
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clntd
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt7
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt6
 Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt5

客戶端密鑰表:

% ktutil list                                                                                                             
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                     Aliases
 1  aes256-cts-hmac-sha1-96  host/CLIENT.example.com@REALM 
 1  des3-cbc-sha1            host/CLIENT.example.com@REALM 
 1  arcfour-hmac-md5         host/CLIENT.example.com@REALM 
 1  aes256-cts-hmac-sha1-96  nfs/CLIENT.example.com@REALM  
 1  des3-cbc-sha1            nfs/CLIENT.example.com@REALM  
 1  arcfour-hmac-md5         nfs/CLIENT.example.com@REALM  

客戶端憑據記憶體:

% klist -c /tmp/krb5ccmachine_REALM                                                            
Credentials cache: FILE:/tmp/krb5ccmachine_REALM
   Principal: nfs/CLIENT.example.com@REALM

 Issued                Expires               Principal
Jun 22 13:55:01 2014  Jun 23 13:55:01 2014  krbtgt/REALM@REALM
Jun 22 13:55:01 2014  Jun 23 13:55:01 2014  nfs/SERVER.example.com@REALM

客戶端 /etc/hosts:

127.0.0.1 localhost
XXX.XXX.209.17 CLIENT.example.com CLIENT

DNS相關:

反向DNS:

% host XXX.XXX.209.17
17.209.XXX.XXX.in-addr.arpa domain name pointer CLIENT.example.com.
% host XXX.XXX.209.52
52.209.XXX.XXX.in-addr.arpa domain name pointer SERVER.example.com.

從伺服器獲取主機:

root@SERVER:~# getent hosts CLIENT.example.com
XXX.XXX.209.17   CLIENT.example.com
root@SERVER:~# getent hosts SERVER.example.com
XXX.XXX.209.52   SERVER.example.com SERVER

來自 CLIENT 的 getent 主機:

CLIENT 00:03:32 # getent hosts SERVER.example.com
XXX.XXX.209.52   SERVER.example.com
CLIENT 00:03:41 # getent hosts CLIENT.example.com
XXX.XXX.209.17   CLIENT.example.com CLIENT

我已經調試這個問題好幾個星期了,但到目前為止我還沒有找到解決方案。

我找到了解決方案:

查看 rpc.svcgssd 守護程序的 strace,我看到在錯誤發生之前打開的最後一個文件是/etc/krb5.keytab.

伺服器上的密鑰表是使用kadmin“kadmin/admin”的 kinit 生成的。

SERVER 上的Akinit -k -t /etc/krb5.keytab nfs/SERVER.example.com@REALM導緻密碼無效錯誤。所以我刪除了 keytab 並使用kadmin -l. 我的使用者的密鑰表可能存在問題kadmin/admin,導緻密鑰表損壞。我還沒有調查這個問題。

在我創建了一個新的 keytab 之後,nfs4+krb5 掛載成功了。

感謝您的回答,他們對縮小問題範圍有很大幫助。

因此,對於遇到類似問題的任何人:

  1. 嘗試kinit使用每個涉及的主機上的服務票證kinit -k -t /etc/krb5.keytab nfs/SERVER.example.com@REALM
  2. strace -p $(pidof rpc.svcgssd) -s4096 -e trace=open,close,read,write在錯誤發生之前執行並檢查發生了什麼。
  3. 從我讀過的所有內容來看,如果機器127.0.0.1對其主機名有映射,通常會發生“錯誤的主體”錯誤。

引用自:https://serverfault.com/questions/607081