NFS/krb5 authentication: server lookup fails because of a wrong principal name

Question:

When mounting NFSv4 with Kerberos, authentication fails and krb5kdc.log shows the wrong NFS server principal name:

LOOKING_UP_SERVER: ... host/nfsclient.internal.domain.tld@IPA.DOMAIN.TLD for nfs/containershost.internal.domain.tld@IPA.DOMAIN.TLD
... Server not found in Kerberos database

The principal nfs/containershost.internal.domain.tld should be nfs/nfs.internal.domain.tld.

$ dig -x 192.111.111.111
111.111.111.192.in-addr.arpa. 6009 IN PTR containershost.internal.domain.tld.

Is there a way to prevent this reverse DNS lookup from happening?

Docker container host

- Hostname: containershost.internal.domain.tld
- IP: 192.111.111.111

FreeIPA server (Docker)

- Image: freeipa/freeipa-server:centos-8-4.8.4
- Container name: freeipa
- Container host: containershost.internal.domain.tld
- Hostname: freeipa.internal.domain.tld
- IP: 172.222.222.222
- Domain: ipa.domain.tld
- Realm: ipa.domain.tld

Keytab:


$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/freeipa.internal.domain.tld@IPA.DOMAIN.TLD



/etc/krb5.?

[libdefaults]
 default_realm = IPA.DOMAIN.TLD
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0

[realms]
 IPA.DOMAIN.TLD = {
  kdc = freeipa.internal.domain.tld:88
  master_kdc = freeipa.internal.domain.tld:88
  admin_server = freeipa.internal.domain.tld:749
  default_domain = ipa.domain.tld
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .ipa.domain.tld = IPA.DOMAIN.TLD
 ipa.domain.tld = IPA.DOMAIN.TLD
 freeipa.internal.domain.tld = IPA.DOMAIN.TLD
 .internal.domain.tld = IPA.DOMAIN.TLD
 internal.domain.tld = IPA.DOMAIN.TLD




NFS server (Docker)

- Image: ubuntu:latest
- Container name: nfs
- Container host: containershost.internal.domain.tld
- Hostname: nfs.internal.domain.tld
- IP: 172.333.333.333

Services:

- /usr/sbin/rpc.mountd --port 32767 --no-nfs-version 2 --no-nfs-version 3 -F --debug all
- /usr/sbin/rpc.idmapd -S -vvv -f
- /usr/sbin/rpc.nfsd --debug --port 2049 --no-nfs-version 2 --no-nfs-version 3 -L 10 -G 10
- /usr/sbin/rpc.svcgssd -f -vvv -rrr -iii -p nfs/nfs.internal.domain.tld



Keytab:

$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  74 host/nfs.internal.domain.tld@IPA.DOMAIN.TLD
  66 nfs/nfs.internal.domain.tld@IPA.DOMAIN.TLD



/etc/krb5.?

[libdefaults]
 default_realm = IPA.DOMAIN.TLD
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false

[realms]
 IPA.DOMAIN.TLD = {
  kdc = freeipa
  admin_server = freeipa
  default_domain = domain.tld
 }

[domain_realm]
 .domain.tld = IPA.DOMAIN.TLD
 domain.tld = IPA.DOMAIN.TLD



NFS client

- OS: Ubuntu 20.04
- Hostname: nfsclient.internal.domain.tld
- IP: 192.444.444.444

Keytab:

$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/nfsclient.internal.domain.tld@IPA.DOMAIN.TLD



Mount command:

$ sudo mount -vvv -t nfs4 -o sec=krb5p 192.111.111.111:/ /mountpoint
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=192.111.111.111,clientaddr=192.444.444.444'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 192.111.111.111:/



Result

/var/log/krb5kdc.log:

freeipa krb5kdc[288](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23)}) 192.444.444.444: LOOKING_UP_SERVER: authtime 0, etypes {rep=(0)} host/nfsclient.internal.domain.tld@IPA.DOMAIN.TLD for nfs/containershost.internal.domain.tld@IPA.DOMAIN.TLD, Server not found in Kerberos database




Answer 1:

The nfs server resolves its own name to containershost.internal.domain.tld, so it looks for that name in the keytab file. You should probably set the container name explicitly to nfs.internal.domain.tld (with the --name option, or the hostname directive in docker-compose), or add another entry to the keytab file.
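As an added example (not code from the question or the answer), here is a small Python check that models the lookup the question describes: it derives the nfs/ principal a client will request from the mount target (an IP-literal target is reverse-resolved through a constructed PTR table standing in for DNS; a hostname target is used as given), compares it with the principals in the NFS server's keytab as printed by klist -k, and extracts the requested principal from the krb5kdc.log record. The keytab text, the log line and the PTR entry are copied from the question and embedded as constructed sample input.

```python
import ipaddress
import re

# Constructed sample input, copied from the question: the NFS server's keytab as `klist -k` prints it.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  74 host/nfs.internal.domain.tld@IPA.DOMAIN.TLD
  66 nfs/nfs.internal.domain.tld@IPA.DOMAIN.TLD
"""

# Constructed sample input: the krb5kdc.log record from the question, condensed to one line.
KDC_LOG_LINE = (
    "freeipa krb5kdc[288](info): TGS_REQ (4 etypes {aes256-cts-hmac-sha1-96(18)}) "
    "192.444.444.444: LOOKING_UP_SERVER: authtime 0, etypes {rep=(0)} "
    "host/nfsclient.internal.domain.tld@IPA.DOMAIN.TLD for "
    "nfs/containershost.internal.domain.tld@IPA.DOMAIN.TLD, Server not found in Kerberos database"
)

# Hypothetical stand-in for the reverse zone (the PTR record `dig -x` showed); a live check
# would call socket.gethostbyaddr() instead.
PTR_TABLE = {"192.111.111.111": "containershost.internal.domain.tld"}

def keytab_principals(klist_text):
    """Return the set of principals listed in `klist -k` output."""
    return set(re.findall(r"^\s*\d+\s+(\S+)\s*$", klist_text, re.MULTILINE))

def requested_server_principal(log_line):
    """Pull the service principal the client asked for out of a TGS_REQ log record."""
    match = re.search(r"\bfor (\S+?),", log_line)
    return match.group(1) if match else None

def principal_for_mount_target(mount_target, realm, ptr=PTR_TABLE):
    """Derive the nfs/ principal a client requests: an IP-literal target is reverse-resolved
    (how containershost.* crept into the request); a hostname target is used as given."""
    host = mount_target.rsplit(":", 1)[0] if ":/" in mount_target else mount_target
    try:
        ipaddress.ip_address(host)
        host = ptr.get(host, host)
    except ValueError:
        pass  # not an IP literal, keep the hostname
    return f"nfs/{host}@{realm}"

def check_mount(mount_target, klist_text, realm="IPA.DOMAIN.TLD"):
    """Return (principal the client will request, whether the server keytab holds it)."""
    wanted = principal_for_mount_target(mount_target, realm)
    return wanted, wanted in keytab_principals(klist_text)
```

Running check_mount on both mount forms shows why a mount by 192.111.111.111 ends up asking for nfs/containershost.internal.domain.tld, while a mount by nfs.internal.domain.tld matches the keytab entry the server actually has.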


