NFS + Kerberos: access denied by server while mounting

Gre*_*oot 5 nfs kerberos

I have configured NFS & Kerberos as described here: How to configure a Kerberos NFS server on Red Hat Enterprise Linux 7

All the diagnostics look fine, but when I try to mount my share on the client I get the following message:

mount.nfs4: access denied by server while mounting kdc.example.com:/var/backup

The IPs of both the server and the client are in /etc/hosts (on the server and on the client machine), IP first, followed by the name. My configuration is:

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
  admin_server = kdc.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

/etc/exports:

/var/backup client.example.com(rw,sync,no_wdelay,nohide,no_subtree_check,no_root_squash,sec=krb5)
/mnt/storage client.example.com(rw,sync,no_wdelay,nohide,no_subtree_check,no_root_squash,sec=krb5)

/var/kerberos/krb5kdc:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
    kdc_ports = 88
    admin_keytab = /etc/kadm5.keytab
    database_name = /var/kerberos/krb5kdc/principal
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    key_stash_file = /var/kerberos/krb5kdc/stash
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
    default_principal_flags = +preauth
}

The krb5kdc and kadmin services are up and running on the server.

/etc/fstab on the client:

#NFS area
kdc.example.com:/var/backup                              /mnt/backup                   nfs4     rsize=65536,wsize=65536,nolock,hard,sec=krb5
kdc.example.com:/mnt/storage                             /mnt/storage                  nfs4     rsize=65536,wsize=65536,nolock,hard,sec=krb5

When I run:

mount -vv -t nfs4 -o sec=krb5 kdc.example.com:/var/backup backup

I get the message:

mount.nfs4: timeout set for Mon May 22 23:32:59 2017
mount.nfs4: trying text-based options 'sec=krb5,addr=95.85.33.75,clientaddr=192.168.0.2'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting kdc.example.com:/var/backup

First note: why is clientaddr 192.168.0.2 and not client.example.com, as set in /etc/hosts? In any case, when I add clientaddr=client.example.com to mount's -o options, the same message appears.

The second message is in /var/log/krb5kdc.log on the server:

CLIENT_NOT_FOUND: NOUSER@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database

klist -k on the server:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/kdc.example.com@EXAMPLE.COM
   3 host/kdc.example.com@EXAMPLE.COM
   3 host/kdc.example.com@EXAMPLE.COM
   3 nfs/kdc.example.com@EXAMPLE.COM
   3 nfs/kdc.example.com@EXAMPLE.COM
   3 nfs/kdc.example.com@EXAMPLE.COM

klist -k on the client:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 host/client.example.com@EXAMPLE.COM
   2 host/client.example.com@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM

kadmin -p root/admin:

kadmin:  listprincs
K/M@EXAMPLE.COM
edrive@EXAMPLE.COM
host/client.example.com@EXAMPLE.COM
host/kdc.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
nfs/client.example.com@EXAMPLE.COM
nfs/kdc.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM

So, what is the problem? Why can't I mount the NFS share?
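A Kerberised NFS mount is refused with "access denied by server" whenever the three artifacts the question shows disagree: the client keytab must hold a machine key (nfs/ or host/) for the client's own FQDN, the server's /etc/exports must list that client name, and the sec= flavour in /etc/exports must match the one the client asks for in /etc/fstab (absent means sec=sys on both sides). The script below is an added example, not code from the question or the answer, that runs these consistency checks offline over copies of the listings. The inputs are constructed from the question; the /mnt/storage fstab line is deliberately changed to sec=krb5p so that a flavour mismatch is visible. It only understands plain `host(options)` entries in exports, not wildcards or netgroups.

```shell
#!/bin/sh
# Added example (not from the original post): offline consistency checks over a
# client `klist -k` listing, the server's /etc/exports and the client's /etc/fstab.

# Does a `klist -k` listing contain <service>/<fqdn>@<REALM>?
# One row per enctype is normal, so any matching row counts.
# $1 = listing, $2 = service (nfs or host), $3 = fqdn, $4 = realm
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2/$3@$4" '
        $2 == want { found = 1 }
        END { exit !found }'
}

# Print the sec= flavour /etc/exports grants a client for a share: "sys" when the
# client is listed without sec=, nothing when the client is not listed at all.
# $1 = exports content, $2 = export path, $3 = client hostname
exports_sec_for() {
    printf '%s\n' "$1" | awk -v path="$2" -v client="$3" '
        $1 == path {
            for (i = 2; i <= NF; i++) {
                p = index($i, "(")
                if (p == 0 || substr($i, 1, p - 1) != client) continue
                opts = substr($i, p + 1); sub(/\)$/, "", opts)
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^sec=/) { sub(/^sec=/, "", o[j]); print o[j]; exit }
                print "sys"; exit   # listed, but no sec= option: default flavour
            }
        }'
}

# Print the sec= flavour from the fstab line whose source is $2
# (nothing when the line has none, which means the default sec=sys).
fstab_sec_for() {
    printf '%s\n' "$1" | awk -v src="$2" '
        $1 == src {
            n = split($4, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) { sub(/^sec=/, "", o[j]); print o[j]; exit }
        }'
}

# Run all checks for one share; one finding per line, returns 0 only if all agree.
# $1 keytab listing, $2 exports, $3 fstab, $4 share, $5 client fqdn, $6 server fqdn, $7 realm
check_krb5_nfs() {
    kt="$1"; ex="$2"; fs="$3"; share="$4"; client="$5"; server="$6"; realm="$7"
    rc=0
    # rpc.gssd builds the client's machine credential from an nfs/ or host/ key
    # in /etc/krb5.keytab, so one of them must exist for the client's own FQDN.
    if keytab_has_principal "$kt" nfs "$client" "$realm" ||
       keytab_has_principal "$kt" host "$client" "$realm"; then
        echo "ok:   client keytab holds a machine key for $client@$realm"
    else
        echo "FAIL: client keytab has neither nfs/ nor host/ key for $client@$realm"
        rc=1
    fi
    srv_sec=$(exports_sec_for "$ex" "$share" "$client")
    cli_sec=$(fstab_sec_for "$fs" "$server:$share")
    # exports names the client by hostname, so the server must resolve the
    # connecting address back to exactly this name for the entry to apply.
    if [ -z "$srv_sec" ]; then
        echo "FAIL: /etc/exports has no entry granting $client access to $share"
        rc=1
    elif [ "$srv_sec" = "${cli_sec:-sys}" ]; then
        echo "ok:   $share exported with sec=$srv_sec and mounted with the same flavour"
    else
        # The server answers a flavour it did not export with 'access denied'.
        echo "FAIL: $share exported with sec=$srv_sec, client asks for sec=${cli_sec:-sys}"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs mirroring the question (duplicate enctype rows trimmed,
# /mnt/storage deliberately set to krb5p on the client to show a mismatch).
CLIENT_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM'

EXPORTS='/var/backup client.example.com(rw,sync,no_wdelay,nohide,no_subtree_check,no_root_squash,sec=krb5)
/mnt/storage client.example.com(rw,sync,no_wdelay,nohide,no_subtree_check,no_root_squash,sec=krb5)'

FSTAB='#NFS area
kdc.example.com:/var/backup  /mnt/backup  nfs4 rsize=65536,wsize=65536,nolock,hard,sec=krb5
kdc.example.com:/mnt/storage /mnt/storage nfs4 rsize=65536,wsize=65536,nolock,hard,sec=krb5p'

for share in /var/backup /mnt/storage; do
    echo "== $share"
    check_krb5_nfs "$CLIENT_KEYTAB" "$EXPORTS" "$FSTAB" "$share" \
        client.example.com kdc.example.com EXAMPLE.COM || echo "=> $share is not mountable as configured"
done
```

On a live pair of machines the same functions can be fed `klist -k` output captured on the client and the real /etc/exports and /etc/fstab; what they cannot see, and what still has to be checked by hand, is whether the server's reverse lookup of the address the client actually arrives from (the clientaddr shown by `mount -vv`) yields the hostname used in /etc/exports.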

Rom*_*tti 0

I know it's a bit old, but if you're still looking for this, I ran into a similar problem and found the solution myself. You can find it in my answer to my own question "Fedora 26 NFS + Kerberos “Preauthentication failed” (mount results in no permission)"; I'm pretty sure RHEL can follow those settings.
