How to access an NFSv4 shared folder with Kerberos authentication without root privileges


I am setting up an NFSv4 shared folder with Kerberos authentication. The problem I am facing is that when I run `mount /mnt` (see the fstab configuration below) as a user on the client machine, I cannot access the /mnt directory. I think this is because of the permissions on the Kerberos ticket. Indeed, doing this gives me only one ticket, which belongs to root.

Client = 192.168.1.2 and server = 192.168.1.1, both running Ubuntu 18.04.1.

The command lines are as follows:

user@client:~$ mount -vvv /mnt
mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

user@client:~$ cd /mnt
bash: cd: /mnt: Permission denied

user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR 
-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting       Expires              Service principal
10/09/2018 16:53:42  11/09/2018 02:53:42  krbtgt/DOMAIN.FR@DOMAIN.FR
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/server.domain.fr@
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/server.domain.fr@DOMAIN.FR
    renew until 11/09/2018 16:53:42

root@client:~# klist -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/client.domain.fr@DOMAIN.FR
   3 nfs/client.domain.fr@DOMAIN.FR

I found that if I "kinit" nfs/client.domain.fr with user privileges and then run the mount command, I can access the /mnt directory.

user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
keytab specified, forcing -k
user@client:~$ klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting       Expires              Service principal
10/09/2018 17:22:59  11/09/2018 03:22:59  krbtgt/DOMAIN.FR@DOMAIN.FR
    renew until 11/09/2018 17:22:59

user@client:~$ mount /mnt
user@client:~$ cd /mnt
user@client:/mnt$ ll
total 12
drwxrwxrwx  3 root root 4096 sept.  4 10:30 ./
drwxr-xr-x 24 root root 4096 sept.  4 11:09 ../
drwxrwxrwx  2 root root 4096 sept. 10 16:14 media/

user@client:/mnt$ ll /tmp/krb5cc*
-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
-rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR 
[sudo] Mot de passe de user : 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/client.domain.fr@DOMAIN.FR

Valid starting       Expires              Service principal
10/09/2018 17:23:35  11/09/2018 03:23:35  krbtgt/DOMAIN.FR@DOMAIN.FR
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/server.domain.fr@
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/server.domain.fr@DOMAIN.FR
    renew until 11/09/2018 17:23:35

My configuration files:

/etc/fstab on the client machine:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
server:/    /mnt    nfs4    proto=tcp,port=2049,sec=krb5p,noauto,user   0   0

/etc/fstab on the server:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
/home/media /export/media   none    bind    0   0

/etc/exports on the server:

# /etc/exports: the access control list for filesystems which may be exported
#       to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media   192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)

A user with uid=1000 and gid=1000 exists on both the client and the server. I also tried the root_squash option.

/etc/krb5.conf on the client and the server:

[logging]
    default = FILE:/tmp/krb5libs.log
    kdc = FILE:/tmp/krb5kdc.log
    admin_server = FILE:/tmp/kadmind.log

[libdefaults]
    default_realm = DOMAIN.FR

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.FR = {
        kdc = kdc.domain.fr
        admin_server = kerberos.domain.fr
        default_domain = domain.fr
    }

[domain_realm]
    .domain.fr = DOMAIN.FR
    domain.fr = DOMAIN.FR

/etc/default/nfs-kernel-server on the server:

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"

/etc/default/nfs-common on the client and the server:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".


# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

/etc/hosts on the client and the server:

127.0.0.1   localhost

# server
192.168.1.1 server.domain.fr    server
192.168.1.1 domain.fr
# Client
192.168.1.2 client.domain.fr    client

Logs of the KDC:

sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: NEEDED_PREAUTH: nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR, Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/client.domain.fr@DOMAIN.FR for krbtgt/DOMAIN.FR@DOMAIN.FR
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/client.domain.fr@DOMAIN.FR for nfs/server.domain.fr@DOMAIN.FR

Now, since the ticket obtained belongs to root, I can only mount the shared folder and access it using the root user on the client machine. Is it possible to get a ticket owned by the user? I am wondering whether I can mount the shared directory as the user and access it without having run kinit beforehand.
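The behaviour seen in the listings above (root and the mount itself work through the machine credentials, the user gets "Permission denied" until a `kinit` creates `/tmp/krb5cc_1000`) follows from how rpc.gssd, the client daemon enabled by `NEED_GSSD=yes`, picks credentials for each uid on a `sec=krb5p` mount. The script below is an added example and not code from the question: it models that selection offline against a constructed directory. It is a simplification of rpc.gssd(8) and assumes the defaults (machine credentials for uid 0 unless `-n` is given, a per-uid cache named `krb5cc_<uid>` or `krb5cc_<uid>_*` in the ccache directory, `/tmp` unless `-d` is set); the function names and the constructed files are this example's own.

```shell
#!/bin/sh
# Added example (not from the original question): a small model of how
# rpc.gssd chooses which Kerberos credentials back a uid's NFS requests on a
# sec=krb5p mount. Assumptions (simplified from rpc.gssd(8)):
#   - uid 0 uses the machine credentials that rpc.gssd obtained from
#     /etc/krb5.keytab (the krb5ccmachine_<REALM> cache seen above),
#     unless rpc.gssd was started with -n;
#   - every other uid needs its own cache, krb5cc_<uid> or krb5cc_<uid>_*,
#     in the ccache directory (/tmp by default, or the -d argument);
#   - a uid with no cache has no credentials, the server answers EACCES and
#     the user sees "Permission denied".

# find_user_ccache UID DIR: print the caches rpc.gssd would consider for UID.
# Returns 0 if at least one exists, 1 otherwise.
find_user_ccache() {
    uid="$1"; dir="$2"; found=1
    for f in "$dir/krb5cc_$uid" "$dir/krb5cc_${uid}_"*; do
        [ -f "$f" ] || continue      # unexpanded glob or missing file
        printf '%s\n' "$f"
        found=0
    done
    return $found
}

# gssd_credential_source UID DIR REALM: print machine, user or none.
# REALM is the Kerberos realm (DOMAIN.FR in the question).
gssd_credential_source() {
    uid="$1"; dir="$2"; realm="$3"
    if [ "$uid" -eq 0 ] && [ -f "$dir/krb5ccmachine_$realm" ]; then
        echo machine
    elif find_user_ccache "$uid" "$dir" >/dev/null; then
        echo user
    else
        echo none
    fi
}

# Demo on a constructed directory that mirrors the /tmp listings above.
demo() {
    d=$(mktemp -d)
    : > "$d/krb5ccmachine_DOMAIN.FR"   # constructed: what rpc.gssd got from the keytab
    echo "before kinit: uid 0    -> $(gssd_credential_source 0 "$d" DOMAIN.FR)"
    echo "before kinit: uid 1000 -> $(gssd_credential_source 1000 "$d" DOMAIN.FR)"
    : > "$d/krb5cc_1000"               # constructed: what the user's kinit created
    echo "after kinit:  uid 1000 -> $(gssd_credential_source 1000 "$d" DOMAIN.FR)"
    rm -rf "$d"
}
demo
```

The practical consequence for a defender is that, with `sec=krb5p`, the mount options and the `all_squash`/`anonuid` export settings never substitute for user credentials: each uid is authenticated by its own ticket, so the check to run on a failing client is whether a `krb5cc_<uid>*` file exists for that uid in the directory rpc.gssd scans, and whether it has a valid TGT.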
