Ubuntu
nfs4 和 kerberos:請求中的主體錯誤
我的客戶端/伺服器都在執行 Ubuntu 14.04,並且 kerberos 使用者身份驗證按預期工作。正常的 nfs4 安裝也可以正常工作。所有機器都在執行 heimdal 庫。
不過,我無法讓 kerberized nfs4 正常工作。
安裝共享時,我在日誌中得到以下條目:
NFS4 伺服器:
Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: leaving poll Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: handling null request Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: WARNING: gss_accept_sec_context failed Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: sending null reply Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: writing message: \x \x6082029206092a864886f71201020201006e8202813082027da003020105a10302010ea20703050020000000a382017a6182017630820172a003020105a10b1b09504f4f4c532e534749a22b3029a003020101a12230201b036e66731b197073692e696e666f726d6174696b2e756e692d756c6d2e6465a382012f3082012ba003020112a103020101a282011d04820119a832e1fb8bf9170fa8a1f689868e2e4bacd8d4d1490c1d336b8bd90a61a11c8b669c5204fe73339f0fdab3d4770b78fdd745f5186a94ea55db90dbde79dc6c5b68c7c1ecba74f723c3fa3eb90ea412518c5da92497276b8a6e369ebb381ebdffa5d1d81e635c4e772892541f4c44475a5d87fc352c43c6e7dc6c0b37875383ec828a2d896948588fd84d442b6bf84b988f5e9bd251d2f71ea582709ecae4bd226705d263081f1036a85d0f13c240d740bf4377f7b6409dde7bd52acdcb396ea181cd54146bd93457801dd9edd0fcb1e27467e0f6ef615dae3f69a96060c463128875cbd414d6bf83af55c5132c814b9af5584852e21373fa774c05760e2c58eb719873c06c26acb2858dd6c4a81c89389cfede089df28f3e7ba481e93081e6a003020112a281de0481dbeedce4152a95ffbd19cccdb67033950e3b1c4aa2dca3b4ad147c9676286b726b02d8cc95b5fd842a2676551e10696ed4f3dfd2c91ec0f674a2017e97ab102aa13fefe02281de5116e8a4e62f93a4e0aff431155ae8b77229f71a6c03278e265eb7752b742b491adbbe5589263e19cf61f7b99cb615c97acc5b87a6008151c52ae4d6dd702a2d545cd23425df58ee37609930e0399fb4cf391a07fa08aa66da40a48491ce1fe6a9f58c30d4af039d191aa4f7b8e7c912ab76fcff685fc0ed6a82559f58b454d4cf61c28d3f962bfc43b265ce7d50ca769e1087bbfe 1403429173 851968 2529639056 \x \x Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: finished handling null request Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: entering poll Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: leaving poll Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: handling null request Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: WARNING: gss_accept_sec_context failed Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - Wrong principal in request Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: sending null reply Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: writing message: \x \x6082029206092a864886f71201020201006e8202813082027da003020105a10302010ea20703050020000000a382017a6182017630820172a003020105a10b1b09504f4f4c532e534749a22b3029a003020101a12230201b036e66731b197073692e696e666f726d6174696b2e756e692d756c6d2e6465a382012f3082012ba003020112a103020101a282011d04820119a832e1fb8bf9170fa8a1f689868e2e4bacd8d4d1490c1d336b8bd90a61a11c8b669c5204fe73339f0fdab3d4770b78fdd745f5186a94ea55db90dbde79dc6c5b68c7c1ecba74f723c3fa3eb90ea412518c5da92497276b8a6e369ebb381ebdffa5d1d81e635c4e772892541f4c44475a5d87fc352c43c6e7dc6c0b37875383ec828a2d896948588fd84d442b6bf84b988f5e9bd251d2f71ea582709ecae4bd226705d263081f1036a85d0f13c240d740bf4377f7b6409dde7bd52acdcb396ea181cd54146bd93457801dd9edd0fcb1e27467e0f6ef615dae3f69a96060c463128875cbd414d6bf83af55c5132c814b9af5584852e21373fa774c05760e2c58eb719873c06c26acb2858dd6c4a81c89389cfede089df28f3e7ba481e93081e6a003020112a281de0481dbfb0d5aa8041f95bbe86f7b8e6dcfb68a1c214d89bb8b5a7712b12e1346289ecf947595d783de2e5ceb32146a5a20c900097b495869d6d3b0533eed0407d71ecf7034a0e18805b5bfbdf3f5f543a70dbe86825d5bda491b4cbbe2ace745f4ae1d0e4d60a7fcc2089915236f59d9357f4ec549022c4aab322ed47b168507003fb5768b9e4c77c57b88b7f74b007dc0837ed560d9af6103aa105f53ecbc7b53c5e9170ad0add67b14a988b1388f93558cc43c4622eea107482e4f320ebbee3fe48acceb5e3e70a33f5ac7a5923c4251b1625e75179096c8b3de7fd934 1403429173 851968 2529639056 \x \x Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: finished handling null request Jun 22 11:25:13 SERVER rpc.svcgssd[7349]: entering poll
導出文件:
/srv XXX.XXX.209.0/24(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv tip*.example.com(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv pclab*.example.com(fsid=0,rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/home XXX.XXX.209.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/home tip*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/home pclab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/home XXX.XXX.208.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/home wslab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/grpdrvs XXX.XXX.209.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/grpdrvs tip*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/grpdrvs pclab*.example.com(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p) /srv/grpdrvs XXX.XXX.208.0/24(rw,no_subtree_check,root_squash,async,sec=sys:krb5:krb5i:krb5p)
/etc/主機:
127.0.0.1 localhost XXX.XXX.209.52 SERVER.example.com SERVER # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters
伺服器和客戶端:
/etc/idmapd:
[General] Verbosity = 5 Pipefs-Directory = /run/rpc_pipefs # set your own domain here, if id differs from FQDN minus hostname Domain = example.com Local-Realms = REALM [Mapping] Nobody-User = nobody Nobody-Group = nogroup
NFS4 客戶端:
掛載請求:
mount -t nfs4 -o sec=krb5 SERVER:/ /mnt/temp/ -vvvv mount: fstab path: "/etc/fstab" mount: mtab path: "/etc/mtab" mount: lock path: "/etc/mtab~" mount: temp path: "/etc/mtab.tmp" mount: UID: 0 mount: eUID: 0 mount: spec: "SERVER:/" mount: node: "/mnt/temp/" mount: types: "nfs4" mount: opts: "sec=krb5" mount: external mount: argv[0] = "/sbin/mount.nfs4" mount: external mount: argv[1] = "SERVER:/" mount: external mount: argv[2] = "/mnt/temp/" mount: external mount: argv[3] = "-v" mount: external mount: argv[4] = "-o" mount: external mount: argv[5] = "rw,sec=krb5" mount.nfs4: timeout set for Sun Jun 22 11:24:33 2014 mount.nfs4: trying text-based options 'sec=krb5,addr=XXX.XXX.XXX.52,clientaddr=XXX.XXX.XXX.42' mount.nfs4: mount(2): Permission denied mount.nfs4: access denied by server while mounting SERVER:/
客戶端日誌:
Jun 22 11:25:13 CLIENT rpc.gssd[708]: handling gssd upcall (/run/rpc_pipefs/nfs/clnt0) Jun 22 11:25:13 CLIENT rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' Jun 22 11:25:13 CLIENT rpc.gssd[708]: handling krb5 upcall (/run/rpc_pipefs/nfs/clnt0) Jun 22 11:25:13 CLIENT rpc.gssd[708]: process_krb5_upcall: service is '<null>' Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'SERVER.example.com' is 'SERVER.example.com' Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'CLIENT.example.com' is 'CLIENT.example.com' Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@' Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for root/CLIENT.example.com@REALM while getting keytab entry for 'root/CLIENT.example.com@' Jun 22 11:25:13 CLIENT rpc.gssd[708]: Success getting keytab entry for 'nfs/CLIENT.example.com@' Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481 Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481 Jun 22 11:25:13 CLIENT rpc.gssd[708]: using FILE:/tmp/krb5ccmachine_REALM as credentials cache for machine creds Jun 22 11:25:13 CLIENT rpc.gssd[708]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_REALM Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context using fsuid 0 (save_uid 0) Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating tcp client for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: DEBUG: port already set to 2049 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context with server nfs@SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create krb5 context for user with uid 0 for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_REALM for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'SERVER.example.com' is 'SERVER.example.com' Jun 22 11:25:13 CLIENT rpc.gssd[708]: Full hostname for 'CLIENT.example.com' is 'CLIENT.example.com' Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for CLIENT$@REALM while getting keytab entry for 'CLIENT$@' Jun 22 11:25:13 CLIENT rpc.gssd[708]: No key table entry found for root/CLIENT.example.com@REALM while getting keytab entry for 'root/CLIENT.example.com@' Jun 22 11:25:13 CLIENT rpc.gssd[708]: Success getting keytab entry for 'nfs/CLIENT.example.com@' Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481 Jun 22 11:25:13 CLIENT rpc.gssd[708]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_REALM' are good until 1403514481 Jun 22 11:25:13 CLIENT rpc.gssd[708]: using FILE:/tmp/krb5ccmachine_REALM as credentials cache for machine creds Jun 22 11:25:13 CLIENT rpc.gssd[708]: using environment variable to select krb5 ccache FILE:/tmp/krb5ccmachine_REALM Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context using fsuid 0 (save_uid 0) Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating tcp client for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: DEBUG: port already set to 2049 Jun 22 11:25:13 CLIENT rpc.gssd[708]: creating context with server nfs@SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create krb5 context for user with uid 0 for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5ccmachine_REALM for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: WARNING: Failed to create machine krb5 context with any credentials cache for server SERVER.example.com Jun 22 11:25:13 CLIENT rpc.gssd[708]: doing error downcall Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfs/clnte Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clntd Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt7 Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt6 Jun 22 11:25:13 CLIENT rpc.gssd[708]: destroying client /run/rpc_pipefs/nfsd4_cb/clnt5
客戶端密鑰表:
% ktutil list FILE:/etc/krb5.keytab: Vno Type Principal Aliases 1 aes256-cts-hmac-sha1-96 host/CLIENT.example.com@REALM 1 des3-cbc-sha1 host/CLIENT.example.com@REALM 1 arcfour-hmac-md5 host/CLIENT.example.com@REALM 1 aes256-cts-hmac-sha1-96 nfs/CLIENT.example.com@REALM 1 des3-cbc-sha1 nfs/CLIENT.example.com@REALM 1 arcfour-hmac-md5 nfs/CLIENT.example.com@REALM
客戶端憑據記憶體:
% klist -c /tmp/krb5ccmachine_REALM Credentials cache: FILE:/tmp/krb5ccmachine_REALM Principal: nfs/CLIENT.example.com@REALM Issued Expires Principal Jun 22 13:55:01 2014 Jun 23 13:55:01 2014 krbtgt/REALM@REALM Jun 22 13:55:01 2014 Jun 23 13:55:01 2014 nfs/SERVER.example.com@REALM
客戶端 /etc/hosts:
127.0.0.1 localhost XXX.XXX.209.17 CLIENT.example.com CLIENT
DNS相關:
反向DNS:
% host XXX.XXX.209.17 17.209.XXX.XXX.in-addr.arpa domain name pointer CLIENT.example.com. % host XXX.XXX.209.52 52.209.XXX.XXX.in-addr.arpa domain name pointer SERVER.example.com.
從伺服器獲取主機:
root@SERVER:~# getent hosts CLIENT.example.com XXX.XXX.209.17 CLIENT.example.com root@SERVER:~# getent hosts SERVER.example.com XXX.XXX.209.52 SERVER.example.com SERVER
來自 CLIENT 的 getent 主機:
CLIENT 00:03:32 # getent hosts SERVER.example.com XXX.XXX.209.52 SERVER.example.com CLIENT 00:03:41 # getent hosts CLIENT.example.com XXX.XXX.209.17 CLIENT.example.com CLIENT
我已經調試這個問題好幾個星期了,但到目前為止我還沒有找到解決方案。
我找到了解決方案:
查看 rpc.svcgssd 守護程序的 strace,我看到在錯誤發生之前打開的最後一個文件是
/etc/krb5.keytab
.伺服器上的密鑰表是使用
kadmin
“kadmin/admin”的 kinit 生成的。SERVER 上的A
kinit -k -t /etc/krb5.keytab nfs/SERVER.example.com@REALM
導緻密碼無效錯誤。所以我刪除了 keytab 並使用kadmin -l
. 我的使用者的密鑰表可能存在問題kadmin/admin
,導緻密鑰表損壞。我還沒有調查這個問題。在我創建了一個新的 keytab 之後,nfs4+krb5 掛載成功了。
感謝您的回答,他們對縮小問題範圍有很大幫助。
因此,對於遇到類似問題的任何人:
- 嘗試
kinit
使用每個涉及的主機上的服務票證kinit -k -t /etc/krb5.keytab nfs/SERVER.example.com@REALM
strace -p $(pidof rpc.svcgssd) -s4096 -e trace=open,close,read,write
在錯誤發生之前執行並檢查發生了什麼。- 從我讀過的所有內容來看,如果機器
127.0.0.1
對其主機名有映射,通常會發生“錯誤的主體”錯誤。