自从我更新到 Debian Bullseye,nfs 客户端停止工作:
# mount -vvt nfs4 -o sec=krb5 nfs11:/srv /mnt
mount.nfs4: timeout set for Wed Sep 15 20:25:49 2021
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=x.y.11.63,clientaddr=x.y.11.42'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfs11:/srv
当我在同一系统上安装 5.9 内核(linux-image-5.9.0-0.bpo.5-cloud-amd64)时 - 它可以工作。
我也试过:
- Debian 测试内核(内核 5.14) - 不起作用
- Ubuntu 21.10 Impish(内核 5.13)- 不工作
- Ubuntu 20.04 Focal(内核 5.4)- 有效
如果所有系统都具有相同的 NFS/Kerberos 设置,我的结论是:内核中发生了一些变化,不允许挂载 NFS/Kerberos 共享。
- 我的 KDC - Samba4 AD
- 我的 Kerberos 和 NFS 设置是非常标准的,就像在任何方法中一样
- HOSTNAME$@REALM nfs/fqdn@REALM host/... 原则在客户端和服务器键选项卡中有
我放入RPCGSSDOPTS="-vvv"/etc/default/nfs-common 进行调试。在以下日志中:
- nfs11 - 我的测试 nfs 服务器(Debian 11,内核 5.10)
- tst2 - 我的测试 nfs 客户端(Debian 11)
这是客户端尝试挂载 nfs 共享时的系统日志:
使用 5.9 内核启动的 nfs 客户端(安装成功)
rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[446]: gssd_get_single_krb5_cred: principal 'tst2$@MY.DOMAIN' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server nfs@nfs11.my.domain
rpc.gssd[446]: doing downcall: lifetime_rec=36000 acceptor=nfs@nfs11.my.domain
rpc.gssd[446]: #012handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2' (nfs/clnt0)
rpc.gssd[446]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[446]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[446]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[446]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631755378
rpc.gssd[446]: creating tcp client for server nfs11.my.domain
rpc.gssd[446]: DEBUG: port already set to 2049
rpc.gssd[446]: creating context with server nfs@nfs11.my.domain
rpc.gssd[446]: doing downcall: lifetime_rec=36000 acceptor=nfs@nfs11.my.domain
nfsidmap[524]: key: 0x3b88d120 type: uid value: root@my.domain timeout 600
nfsidmap[524]: nfs4_name_to_uid: calling nsswitch->name_to_uid
nfsidmap[524]: nss_getpwnam: name 'root@my.domain' domain 'my.domain': resulting localname 'root'
nfsidmap[524]: nfs4_name_to_uid: nsswitch->name_to_uid returned 0
nfsidmap[524]: nfs4_name_to_uid: final return value is 0
nfsidmap[525]: key: 0x317cb571 type: gid value: root@my.domain timeout 600
nfsidmap[525]: nfs4_name_to_gid: calling nsswitch->name_to_gid
nfsidmap[525]: nfs4_name_to_gid: nsswitch->name_to_gid returned 0
nfsidmap[525]: nfs4_name_to_gid: final return value is 0
使用 5.10 内核启动的 nfs 客户端(不挂载)
rpc.gssd[450]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,3,1,2' (nfs/clnt3)
rpc.gssd[450]: krb5_use_machine_creds: uid 0 tgtname (null)
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[450]: gssd_get_single_krb5_cred: principal 'tst2$@MY.DOMAIN' ccache:'FILE:/tmp/krb5ccmachine_MY.DOMAIN'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server nfs11.my.domain
rpc.gssd[450]: Full hostname for 'nfs11.my.domain' is 'nfs11.my.domain'
rpc.gssd[450]: Full hostname for 'tst2.my.domain' is 'tst2.my.domain'
rpc.gssd[450]: Success getting keytab entry for 'tst2$@MY.DOMAIN'
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631656676
rpc.gssd[450]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_MY.DOMAIN' are good until 1631629984
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: creating tcp client for server nfs11.my.domain
rpc.gssd[450]: DEBUG: port already set to 2049
rpc.gssd[450]: creating context with server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@nfs11.my.domain
rpc.gssd[450]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_MY.DOMAIN for server nfs11.my.domain
rpc.gssd[450]: ERROR: Failed to create machine krb5 context with any credentials cache for server nfs11.my.domain
rpc.gssd[450]: doing error downcall
我用谷歌搜索了很多,没有找到任何相关的东西......目前作为一种解决方法,我在所有 nfs 客户端系统中运行以前版本的反向移植内核。但我认为它很危险,而且有些东西告诉我它随时可能破裂。
有没有人遇到过这样的问题?也许我应该调整一些东西以匹配内核的变化?也许我应该填补内核错误?
更新。添加了 KDC 日志。
使用 5.9 内核从客户端挂载时 KDC - 成功
[2021/09/21 21:55:12.061264, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/21 21:55:44.743415, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:38701 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/21 21:55:44.747105, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 150, 149
[2021/09/21 21:55:44.747154, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.747178, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.747209, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.751030, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:50506 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/21 21:55:44.753959, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/21 21:55:44.754060, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.754114, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/21 21:55:44.754187, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- tst2$@MY.DOMAIN using arcfour-hmac-md5
[2021/09/21 21:55:44.754275, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[tst2$@MY.DOMAIN] at [Tue, 21 Sep 2021 21:55:44.754261 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:50506] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6619]. local host [NULL]
{"timestamp": "2021-09-21T21:55:44.754359+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "dd24014b273cc7a8", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:50506", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "tst2$@MY.DOMAIN", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6619", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3366}}
[2021/09/21 21:55:44.761108, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2021-09-21T21:55:44 starttime: unset endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.761282, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/21 21:55:44.761368, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/21 21:55:44.767382, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:39570 for nfs/nfs11.my.domain@MY.DOMAIN [canonicalize, renewable, forwardable]
[2021/09/21 21:55:44.773999, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2021-09-21T21:55:44 starttime: 2021-09-21T21:55:44 endtime: 2021-09-22T07:55:44 renew till: 2021-09-22T21:55:44
[2021/09/21 21:55:44.774695, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
使用 5.10 内核从客户端挂载时 KDC - 挂载失败
[2021/09/22 00:31:39.893723, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:46094 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/22 00:31:39.899112, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 150, 149
[2021/09/22 00:31:39.899162, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.899186, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.899221, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.901942, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:39303 for krbtgt/MY.DOMAIN@MY.DOMAIN
[2021/09/22 00:31:39.905030, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 150, 149
[2021/09/22 00:31:39.905080, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.905105, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- tst2$@MY.DOMAIN
[2021/09/22 00:31:39.905171, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- tst2$@MY.DOMAIN using arcfour-hmac-md5
[2021/09/22 00:31:39.905270, 3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[tst2$@MY.DOMAIN] at [Wed, 22 Sep 2021 00:31:39.905248 +06] with [arcfour-hmac-md5] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:x.y.11.42:39303] became [MYDOM]\[tst2$] [S-1-5-21-3408476796-3867293677-901807371-6621]. local host [NULL]
{"timestamp": "2021-09-22T00:31:39.905331+0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "8511280d720bd92c", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:x.y.11.42:39303", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "tst2$@MY.DOMAIN", "workstation": null, "becameAccount": "tst2$", "becameDomain": "MYDOM", "becameSid": "S-1-5-21-3408476796-3867293677-901807371-6621", "mappedAccount": "tst2$", "mappedDomain": "MYDOM", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "arcfour-hmac-md5", "duration": 3429}}
[2021/09/22 00:31:39.912509, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2021-09-22T00:31:39 starttime: unset endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.912597, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/arcfour-hmac-md5
[2021/09/22 00:31:39.912663, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable-ok, forwardable
[2021/09/22 00:31:39.918313, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:59850 for nfs/nfs11.my.domain@MY.DOMAIN [canonicalize, renewable, forwardable]
[2021/09/22 00:31:39.924869, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2021-09-22T00:31:39 starttime: 2021-09-22T00:31:39 endtime: 2021-09-22T10:31:39 renew till: 2021-09-23T00:31:39
[2021/09/22 00:31:39.925340, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2021/09/22 00:31:39.928319, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ tst2$@MY.DOMAIN from ipv4:x.y.11.42:59852 for nfs/nfs11.my.domain@MY.DOMAIN [renewable, forwardable]
[2021/09/22 00:31:39.930936, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Server (nfs/nfs11.my.domain@MY.DOMAIN) has no support for etypes
[2021/09/22 00:31:39.930998, 3] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Failed building TGS-REP to ipv4:x.y.11.42:59852
[2021/09/22 00:31:39.931336, 3] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
stream_terminate_connection: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
我看到Server (nfs/nfs11.my.domain@MY.DOMAIN) has no support for etypes错误。谷歌发现一个与旧 enctypes 相关的旧问题,没有任何用处。所有软件包都是最新的。
感谢评论,我取得了一些进展。我安装了新的 Samba DC,将客户端(5.10 内核)和服务器都加入了新的 KDC - 它工作正常!新的 KDC 允许具有任何内核的 NFS 客户端挂载共享。似乎问题出在我的生产 Samba DC 中。我查看了 ldap 数据库,看起来它们很相似,除了在新的 dc 上添加了很少的内容,比如 3 个新对象和一些字段。目前我不知道我应该在生产 DC 中进行哪些调整以使其表现得像新的一样。重新安装将是最后的手段,因为它需要很多时间。
生产 DC 是很久以前创建的,并且使用标准 samba 复制或备份进行了多次迁移。生产和新鲜的 DC 信息:
- oEInformation:由 SAMBA 4.1.6-Ubuntu 提供
- oEInformation:由 SAMBA 4.13.5-Debian 提供
目前,DC 在相同的 Debian 操作系统下运行。
更新 2. 解决了!
请参阅下面的解决方案。