I have successfully set up NFS/Kerberos, but I run into a permission problem when a Kerberos-authenticated user issues a write; the write produces the following output:
philip@client $: touch /mnt/philip/testfile.txt
touch: cannot touch '/mnt/philip/test': Permission denied
Here is my complete installation and configuration (mydomain.net is a placeholder):
Setting up the NFS server
server #: apt-get -y update
server #: apt-get -y install nfs-kernel-server nfs-common
server #: mkdir -p /srv/nfs/philip
server #: cat <<EOF >>/etc/exports
/srv/nfs/philip 192.168.10.0/24(rw,nohide,insecure,no_subtree_check,sync,no_root_squash)
EOF
server #: service nfs-kernel-server restart
Setting up the client
client #: apt-get -y update
client #: apt-get -y install nfs-common
client #: mkdir -p /mnt/philip
client #: cat <<EOF >>/etc/fstab
nfs.mydomain.net:/srv/nfs/nfs-001 /mnt/philip nfs defaults 0 0
EOF
client #: mount -a
Test
The NFS share should now be mounted at /mnt/philip. This works!
Kerberos setup
Server
Update /etc/exports to reflect the new Kerberos share:
/srv/nfs/philip 192.168.10.0/24(sec=krb5p,rw,nohide,insecure,no_subtree_check,sync)
Note: I removed no_root_squash here.
And export:
server #: exportfs -ra
server #: showmount -e
Now set up the Kerberos server:
server #: apt install krb5-kdc krb5-admin-server #enter realm in full caps, enter fqdn for hostnames
server #: cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.NET
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
MYDOMAIN.NET = {
kdc = nfs.mydomain.net
admin_server = nfs.mydomain.net
}
[domain_realm]
Continuing the setup...
server #: krb5_newrealm
server #: vi /etc/krb5kdc/kadm5.acl # uncomment /*admin *
server #: systemctl restart krb5-kdc krb5-admin-server
server #: kadmin.local -q "addprinc admin/[email protected]"
# setup principal for NFS Service on NFS Server
server #: kadmin.local -q "addprinc -randkey nfs/[email protected]"
server #: kadmin.local -q "ktadd -k /etc/krb5.keytab nfs/[email protected]"
Setting up the client
While still on the server:
server #: kadmin.local -q "addprinc -randkey nfs/[email protected]"
server #: kadmin.local -q "ktadd -k /etc/krb5.client.keytab nfs/[email protected]"
server #: scp /etc/krb5.client.keytab client:/etc/krb5.keytab
Then on the client:
client #: apt update
client #: apt install krb5-user
client #: kinit -k -t /etc/krb5.keytab nfs/[email protected]
client #: klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/[email protected]
Valid starting Expires Service principal
11/27/2023 14:49:54 11/28/2023 00:49:54 krbtgt/[email protected]
renew until 11/28/2023 14:49:44
I can now mount the NFS share using Kerberos authentication:
mount -a
Note my /etc/fstab entry:
nfs.mydomain.net:/srv/nfs/philip /mnt/philip nfs sec=krb5p 0 0
If this fails, you may need to run:
systemctl restart rpc-gssd
Status
NFS is now mounted on the client machine via Kerberos.
Setting up philip's access to the NFS/Kerberos share
# setup principal for Philip
server #: kadmin.local -q "addprinc -randkey philip/[email protected]"
server #: kadmin.local -q "ktadd -k /etc/krb5.philip.keytab philip/[email protected]"
server #: scp /etc/krb5.philip.keytab client:
Then verify:
philip@client $: kinit -k -t krb5.philip.keytab philip/[email protected]
philip@client $: ls -ls /mnt/philip
total 12
drwxr-xr-x 2 philip philip 4096 Dec 26 07:30 .
drwxr-xr-x 7 root root 4096 Dec 26 09:34 ..
philip@client $: touch /mnt/philip/test
touch: cannot touch '/mnt/philip/test': Permission denied
Here are the permissions:
server #: ls -la /srv/nfs/
total 16
drwxr-xr-x 4 root root 4096 Dec 26 06:35 .
drwxr-xr-x 3 root root 4096 Dec 22 14:35 ..
drwxr-xr-x 2 philip philip 4096 Dec 26 07:30 philip
Even root cannot write to that directory.
If I chmod 777 /srv/nfs/philip then I can write, which suggests I am an "other" user.
Where do I go from here?
I would appreciate any help in resolving this.
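An added example (not from the original question or from any distribution's own tooling): a small POSIX sh linter that parses /etc/exports lines of the shape used above and reports the security flavour in force plus the options that weaken the export. It is fed two constructed lines modelled on the before and after exports entries in the question, so it runs offline; the function name lint_export and the warning wording are this example's own choices.

```shell
#!/bin/sh
# Constructed sample /etc/exports lines, modelled on the two versions in the question.
SAMPLE_SYS='/srv/nfs/philip 192.168.10.0/24(rw,nohide,insecure,no_subtree_check,sync,no_root_squash)'
SAMPLE_KRB='/srv/nfs/philip 192.168.10.0/24(sec=krb5p,rw,nohide,insecure,no_subtree_check,sync)'

# lint_export LINE
#   Prints: <path> <client> sec=<flavour> [warning ...]
#   The flavour defaults to "sys" (AUTH_SYS) when no sec= option is present,
#   which is the same default the NFS server applies.
lint_export() {
    # split "<path> <client>(<opts>)" into its two whitespace-separated fields
    set -- $1
    path=$1
    spec=$2
    client=${spec%%\(*}          # text before the first "("
    opts=${spec#*\(}             # text after the first "("
    opts=${opts%\)}              # drop the trailing ")"
    sec=sys
    warn=""
    # walk the comma-separated option list in the order it was written
    for o in $(printf '%s\n' "$opts" | tr ',' ' '); do
        case "$o" in
            sec=*)          sec=${o#sec=} ;;
            insecure)       warn="$warn insecure(accepts-source-ports-above-1023)" ;;
            no_root_squash) warn="$warn no_root_squash(remote-root-keeps-uid-0)" ;;
        esac
    done
    # AUTH_SYS means the client asserts the uid/gid itself; Kerberos flavours
    # (krb5, krb5i, krb5p) bind the identity to a ticket instead.
    case "$sec" in
        sys) warn="$warn sec=sys(uid-asserted-by-client-not-authenticated)" ;;
    esac
    printf '%s %s sec=%s%s\n' "$path" "$client" "$sec" "$warn"
}

# Run over both constructed samples when executed directly.
lint_export "$SAMPLE_SYS"
lint_export "$SAMPLE_KRB"
```

Run on the two samples, the first line reports sec=sys together with insecure and no_root_squash, while the krb5p line still flags insecure: removing no_root_squash and switching to sec=krb5p, as the question does, changes who the server believes the caller is, but it does not change the Unix mode bits on /srv/nfs/philip that the ls -la output shows, so the mapped identity on the server side is what decides the write.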