我想用 autofs 挂载一个 samba 共享。
srv.xxxxxxx.net 是 samba 服务器(proxmox 容器,Debian 10)
ldap2.xxxxxxx.net 是 openldap(proxmox 容器,Debian 10)
gui.xxxxxxx.net 是客户端(proxmox vm,Ubuntu 18.04)
Samba 以独立模式运行(无活动目录)
共享为 /srv/test
ls -l /srv/
drwxrwxrwx 2 test05 Domain Users 4096 Feb 8 11:41 test
autofs 配置保存在 openldap 中
dn: cn=test,ou=auto.mnt,ou=automount,ou=services,dc=lan,dc=xxxxxxx,dc=net
cn: test
objectClass: automount
objectClass: top
description: /srv/test on Samba
automountInformation: -fstype=cifs,multiuser,user=${USER},cruid=test05,sec=krb5 ://srv.xxxxxxx.net/test
/etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
usetls="no"
tlsrequired="no"
authrequired="yes"
authtype="GSSAPI"
clientprinc="host/gui.xxxxxxx.net"
/>
启动服务 autofs 时,会创建挂载点
ls -lisa /mnt
insgesamt 4
22776 0 drwxr-xr-x 4 root root 0 mars 2 15:25 .
2 4 drwxr-xr-x 25 root root 4096 mars 2 10:02 ..
22778 0 dr-xr-xr-x 2 root root 0 mars 2 15:25 exchange
22777 0 dr-xr-xr-x 2 root root 0 mars 2 15:25 test <---- created by autofs
但是当用户尝试 cd 进入测试目录时,他得到一个错误
test05@gui:/mnt$ cd test
bash: cd: test: File or directory not found (translated from german)
在自动挂载日志中,我发现了这条消息
cifs.upcall: get_tgt_time: unable to get principal
我认为这是我的问题,但我不知道如何解决。
当我将我的日志与我在 google 上找到的其他日志进行比较时,我发现 ccache 类型有所不同。
在我的日志中
cifs.upcall: get_cachename_from_process_env: pathname=/proc/2239/environ
cifs.upcall: get_cachename_from_process_env: cachename = MEMORY:_autofstkt
cifs.upcall: get_existing_cc: default ccache is MEMORY:_autofstkt
在所有其他日志中,我发现类似
cifs.upcall: get_cachename_from_process_env: pathname=/proc/1234/environ
cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_12345678
这是我的配置错误吗?
NSS 和 kerberos 身份验证似乎有效:
klist
Ticket cache: FILE:/tmp/krb5cc_10105_YxoDWF
Default principal: [email protected]
id test05
uid=10105(test05) gid=512(Domain Admins) Gruppen=512(Domain Admins)
ldapwhoami
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
dn:uid=test05,ou=users,dc=lan,dc=xxxxxxx,dc=net
自动挂载日志
Mar 2 16:01:28 gui automount[808]: handle_packet: type = 3
Mar 2 16:01:28 gui automount[808]: handle_packet_missing_indirect: token 9, name test, request pid 1753
Mar 2 16:01:28 gui automount[808]: attempting to mount entry /mnt/test
Mar 2 16:01:28 gui automount[808]: parse_mount: parse(sun): expanded entry: -fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5 ://srv.xxxxxxx.net/test
Mar 2 16:01:28 gui automount[808]: parse_mount: parse(sun): gathered options: fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5
Mar 2 16:01:28 gui automount[808]: parse_mount: parse(sun): dequote("://srv.xxxxxxx.net/test") -> ://srv.xxxxxxx.net/test
Mar 2 16:01:28 gui automount[808]: parse_mount: parse(sun): core of entry: options=fstype=cifs,multiuser,user=test05,cruid=test05,sec=krb5, loc=://srv.xxxxxxx.net/test
Mar 2 16:01:28 gui automount[808]: sun_mount: parse(sun): mounting root /mnt, mountpoint test, what //srv.xxxxxxx.net/test, fstype cifs, options multiuser,user=test05,cruid=test05,sec=krb5
Mar 2 16:01:28 gui automount[808]: do_mount: //srv.xxxxxxx.net/test /mnt/test type cifs options multiuser,user=test05,cruid=test05,sec=krb5 using module generic
Mar 2 16:01:28 gui automount[808]: mount_mount: mount(generic): calling mkdir_path /mnt/test
Mar 2 16:01:28 gui automount[808]: mount_mount: mount(generic): calling mount -t cifs -o multiuser,user=test05,cruid=test05,sec=krb5 //srv.xxxxxxx.net/test /mnt/test
Mar 2 16:01:28 gui kernel: [ 2177.233113] CIFS: Attempting to mount //srv.xxxxxxx.net/test
Mar 2 16:01:28 gui kernel: [ 2177.233133] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
Mar 2 16:01:28 gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv.xxxxxxx.net;ip4=192.168.1.121;sec=krb5;uid=0x0;creduid=0x2779;user=test05;pid=0x8bf
Mar 2 16:01:28 gui cifs.upcall: ver=2
Mar 2 16:01:28 gui cifs.upcall: host=srv.xxxxxxx.net
Mar 2 16:01:28 gui cifs.upcall: ip=192.168.1.121
Mar 2 16:01:28 gui cifs.upcall: sec=1
Mar 2 16:01:28 gui cifs.upcall: uid=0
Mar 2 16:01:28 gui cifs.upcall: creduid=10105
Mar 2 16:01:28 gui cifs.upcall: user=test05
Mar 2 16:01:28 gui cifs.upcall: pid=2239
Mar 2 16:01:28 gui cifs.upcall: get_cachename_from_process_env: pathname=/proc/2239/environ
Mar 2 16:01:28 gui cifs.upcall: get_cachename_from_process_env: cachename = MEMORY:_autofstkt
Mar 2 16:01:28 gui cifs.upcall: get_existing_cc: default ccache is MEMORY:_autofstkt
Mar 2 16:01:28 gui kernel: [ 2177.243918] CIFS VFS: Send error in SessSetup = -126
Mar 2 16:01:28 gui kernel: [ 2177.243931] CIFS VFS: cifs_mount failed w/return code = -2
Mar 2 16:01:28 gui cifs.upcall: get_tgt_time: unable to get principal
Mar 2 16:01:28 gui cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Mar 2 16:01:28 gui cifs.upcall: Exit status 1
Mar 2 16:01:28 gui automount[808]: >> mount error(2): No such file or directory
Mar 2 16:01:28 gui automount[808]: >> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Mar 2 16:01:28 gui automount[808]: mount(generic): failed to mount //srv.xxxxxxx.net/test (type cifs) on /mnt/test
Mar 2 16:01:28 gui automount[808]: dev_ioctl_send_fail: token = 9
Mar 2 16:01:28 gui automount[808]: failed to mount /mnt/test
Mar 2 16:01:28 gui automount[808]: handle_packet: type = 3
Mar 2 16:01:28 gui automount[808]: handle_packet_missing_indirect: token 10, name test, request pid 1753
Mar 2 16:01:28 gui automount[808]: dev_ioctl_send_fail: token = 10
sssd日志
==> /var/log/sssd/sssd_nss.log <==
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 10105
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #257: New request 'User by ID'
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #257: Performing a multi-domain search
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #257: Search will check the cache and check the data provider
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #257: Using domain [xxxxxxx.net]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #257: Looking up UID:[email protected]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #257: Checking negative cache for [UID:[email protected]]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #257: [UID:[email protected]] is not present in negative cache
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #257: Looking up [UID:[email protected]] in cache
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #257: Returning [UID:[email protected]] from cache
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #257: Filtering out results by negative cache
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #257: Found 1 entries in domain xxxxxxx.net
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #257: Finished: Success
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 512
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_send] (0x0400): CR #258: New request 'Group by ID'
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #258: Performing a multi-domain search
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #258: Search will check the cache and check the data provider
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #258: Using domain [xxxxxxx.net]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #258: Looking up GID:[email protected]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #258: Checking negative cache for [GID:[email protected]]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #258: [GID:[email protected]] is not present in negative cache
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #258: Looking up [GID:[email protected]] in cache
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [sysdb_get_user_members_recursively] (0x0400): No such entry
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_send] (0x0400): CR #258: Object found, but needs to be refreshed.
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #258: Performing midpoint cache update of [GID:[email protected]]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x558d3052be70:2:[email protected]]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [xxxxxxx.net][0x2][BE_REQ_GROUP][idnumber=512:-]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x558d3052be70:2:[email protected]]
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #258: Filtering out results by negative cache
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #258: Found 1 entries in domain xxxxxxx.net
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [cache_req_done] (0x0400): CR #258: Finished: Success
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [nss_protocol_fill_members] (0x0400): Group [Domain Admins] member [[email protected]] filtered out! (negative cache)
==> /var/log/sssd/sssd_xxxxxxx.net.log <==
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][idnumber=512]
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): DP Request [Account #34]: New request. Flags [0x0001].
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=lan,dc=xxxxxxx,dc=net]
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=512)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=lan,dc=xxxxxxx,dc=net].
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_process_missing_member_2307] (0x0400): Adding a ghost entry
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_get_primary_name] (0x0400): Processing object Domain Admins
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_save_group] (0x0400): Processing group Domain [email protected]
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [sdap_save_group] (0x0400): Storing info for group Domain [email protected]
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_done] (0x0400): DP Request [Account #34]: Request handler finished [0]: Erfolg
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [_dp_req_recv] (0x0400): DP Request [Account #34]: Receiving request data.
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #34]: Finished. Success.
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::xxxxxxx.net:idnumber=512] from reply table
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): DP Request [Account #34]: Request removed.
(Mon Mar 2 16:01:28 2020) [sssd[be[xxxxxxx.net]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
==> /var/log/sssd/sssd_nss.log <==
(Mon Mar 2 16:01:28 2020) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x558d3052be70:2:[email protected]]
ldap 日志
Mar 2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SRCH base="dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(gidNumber=512)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Mar 2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Mar 2 15:01:28 ldap2 slapd[359]: conn=1234 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 fd=25 ACCEPT from IP=192.168.1.130:48108 (IP=0.0.0.0:389)
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=0 BIND dn="" method=163
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=1 BIND dn="" method=163
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND dn="" method=163
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND authcid="host/[email protected]" authzid="host/[email protected]"
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 BIND dn="cn=gui,ou=hosts,ou=sssd,ou=services,dc=lan,dc=xxxxxxx,dc=net" mech=GSSAPI sasl_ssf=0 ssf=0
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=2 RESULT tag=97 err=0 text=
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SRCH base="ou=auto.mnt,ou=automount,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(objectClass=automount)(|(cn=test)(cn=/)(cn=\2A)))"
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SRCH attr=cn automountInformation
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 op=4 UNBIND
Mar 2 15:01:28 ldap2 slapd[359]: conn=1237 fd=25 closed
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SRCH base="cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=640 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SRCH base="cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/[email protected]))"
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbPrincipalAuthInd krbExtraData krbObjectReferences krbAllowedToDelegateTo krbPwdHistory
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=641 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SRCH base="cn=user,cn=XXXXXXX.NET,cn=krb5,ou=services,dc=lan,dc=xxxxxxx,dc=net" scope=0 deref=0 filter="(objectClass=krbPwdPolicy)"
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SRCH attr=cn krbmaxpwdlife krbminpwdlife krbpwdmindiffchars krbpwdminlength krbpwdhistorylength krbpwdmaxfailure krbpwdfailurecountinterval krbpwdlockoutduration krbpwdattributes krbpwdmaxlife krbpwdmaxrenewablelife krbpwdallowedkeysalts
Mar 2 15:01:28 ldap2 slapd[359]: conn=1141 op=642 SEARCH RESULT tag=101 err=0 nentries=1 text=
感谢您花时间查看我的问题
编辑:
/etc/krb5.conf(每台主机都一样)
[libdefaults]
default_realm = XXXXXXX.NET
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
XXXXXXX.NET = {
kdc = kerb.xxxxxxx.net
admin_server = kerb.xxxxxxx.net
}
[domain_realm]
.xxxxxxx.net = XXXXXXX.NET
xxxxxxx.net = XXXXXXX.NET
[logging]
default = FILE:/var/log/krb5.log