问题:
使用Kerberos挂载nfsv时,身份验证失败,krb5kdc.log显示错误的NFS服务器主体名称。
LOOKING_UP_SERVER: ... host/nfsclient.internal.domain.tld@IPA.DOMAIN.TLD for nfs/containershost.internal.domain.tld@IPA.DOMAIN.TLD
... Server not found in Kerberos database
主体nfs/containershost.internal.domain.tld应为nfs/nfs.internal.domain.tld。
$ dig -x 192.111.111.111
111.111.111.192.in-addr.arpa. 6009 IN PTR containershost.internal.domain.tld.
是否有方法阻止此反向DNS查询的发生?
Docker容器主机
主机名:containershost.internal.domain.tldIP:192.111.111.111
FreeIPA服务器(Docker )
图片: freeipa/freeipa-服务器: centos-8-4.8.4容器名称:freeipaContainer Host : containershost.internal.domain.tld 主机名:freeipa.internal.domain.tldIP:172.222.222.222域:ipa.domain.tldRealm : ipa.domain.tld Keytab :
$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/freeipa.internal.domain.tld@IPA.DOMAIN.TLD
/etc/krb5.?
[libdefaults]
default_realm = IPA.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
[realms]
IPA.DOMAIN.TLD = {
kdc = freeipa.internal.domain.tld:88
master_kdc = freeipa.internal.domain.tld:88
admin_server = freeipa.internal.domain.tld:749
default_domain = ipa.domain.tld
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ipa.domain.tld = IPA.DOMAIN.TLD
ipa.domain.tld = IPA.DOMAIN.TLD
freeipa.internal.domain.tld = IPA.DOMAIN.TLD
.internal.domain.tld = IPA.DOMAIN.TLD
internal.domain.tld = IPA.DOMAIN.TLD
NFS服务器(Docker )
图像:ubuntu:latest容器名称:nfs容器主机:containershost.internal.domain.tld主机名:nfs.internal.domain.tldIP:172.333.333.333服务:
- /usr/sbin/rpc.mountd --port 32767 --no-nfs-version 2 --no-nfs-version 3 -F --debug all
- /usr/sbin/rpc.idmapd -S -vvv -f
- /usr/sbin/rpc.nfsd --debug --port 2049 --no-nfs-version 2 --no-nfs-version 3 -L 10 -G 10
- /usr/sbin/rpc.svcgssd -f -vvv -rrr -iii -p nfs/nfs.internal.domain.tld
密钥表:
$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
74 host/nfs.internal.domain.tld@IPA.DOMAIN.TLD
66 nfs/nfs.internal.domain.tld@IPA.DOMAIN.TLD
/etc/krb5.?
[libdefaults]
default_realm = IPA.DOMAIN.TLD
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
[realms]
IPA.DOMAIN.TLD = {
kdc = freeipa
admin_server = freeipa
default_domain = domain.tld
}
[domain_realm]
.domain.tld = IPA.DOMAIN.TLD
domain.tld = IPA.DOMAIN.TLD
NFS客户端
操作系统:Ubuntu 20.04主机名:nfsclient.internal.domain.tldIP:192.444.444.444密钥表:
$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 host/nfsclient.internal.domain.tld@IPA.DOMAIN.TLD
Mount命令:
$ sudo mount -vvv -t nfs4 -o sec=krb5p 192.111.111.111:/ /mountpoint
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.111.111.111,clientaddr=192.444.444.444'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 192.111.111.111:/
结果
/var/log/krb5kdc.日志:
freeipa krb5kdc[288](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 192.444.444.444: LOOKING_UP_SERVER: authtime 0,
etypes {rep=(0)} host/nfsclient.internal.domain.tld@IPA.DOMAIN.TLD for nfs/containershost.internal.domain.tld@IPA.DOMAIN.TLD,
Server not found in Kerberos database
答案1:
nfs服务器将它自己的名称解析为containershost.internal.domain.tld,因此,它在keytab文件中查找该名称,您可能应该将容器名称显式设置为nfs.internal.domain.tld(在docker-compose中使用-name选项或host指令),或者将另一个条目添加到keytab文件中。