Hello,
I want to authenticate NFS4 with Kerberos against a Samba AD DC.
However, the exported directories cannot be mounted on a client (nor directly on the server itself).

First I created the service principals for the NFS server and the NFS client on the DC.
Code:
# samba-tool spn add  nfs/SERVER.xxx.net SERVER$
# samba-tool spn add  nfs/CLIENT.xxx.net CLIENT$
and then pulled the new keytabs onto the machines:
Code:
KRB5_KTNAME=FILE:/etc/krb5.keytab net ads keytab CREATE -P
On both the server and the client, the new NFS entries are present in the keytab:
Code:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 SERVER$@XXX.NET
   ...
   4 nfs/SERVER@XXX.NET
   4 nfs/SERVER@XXX.NET
    ...
On the server:
Code:
# cat /etc/exports

/home/daten-nfs-ad        *(sec=krb5,rw,sync,fsid=0,crossmnt,no_subtree_check,root_squash)
/home/daten-nfs-ad/users  *(sec=krb5,rw,sync,no_subtree_check,root_squash)
Code:
# cat /etc/default/nfs-kernel-server 
# Number of servers to start up
RPCNFSDCOUNT=8
# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"
#RPCMOUNTDOPTS="--manage-gids -N 2 -N 3"
#RPCNFSDOPTS="-N 2 -N 3"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="Yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv -rrr"
Code:
 cat /etc/idmapd.conf 
[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if it differs from FQDN minus hostname
#Domain = XXX.net
#Local-Realms = XY

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Method = static,msswitch
On the client:
Code:
# cat /etc/default/nfs-common 
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD="Yes"

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD="Yes"
Identical on server and client:
Code:
# cat /etc/krb5.conf 
[libdefaults]
        default_realm = XXX.NET

#       allow_weak_crypto = True
        # Require strong encryption (optional)
        default_tgs_enctypes = aes256-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96
        fcc-mit-ticketflags = true


# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        XXX.NET = {
                kdc = dc1.xxx.net
                default_domain = xxx.net
                admin_server = dc1.xxx.net
        }

The attempt to mount the directory aborts with "Access denied by Server":
Code:
 mount -t nfs4 -o sec=krb5 SERVER:/ /mnt/nfs/ -v
mount.nfs4: timeout set for Thu Oct 10 19:00:31 2019
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=fd00:100:76:67::1,clientaddr=fd00:100:76:67::230'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=2003:ddd:bf10:b00:5054:ddd:ddd:ddd,clientaddr=2003:ddd:bf10:b00:216:fff:fff:fff'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=10.0.1.51,clientaddr=10.0.1.230'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting SERVER:/
Kerberos SSO works in principle.
With
Code:
ssh -k user@server
the user is logged in without a password prompt. All other services of the Samba AD DC run without errors (SMB, DNS). So I have not looked for the error there so far.

What I also noticed is that the machine ticket does not contain the nfs/ entry.
Code:
# ls /tmp/
krb5cc_1414001111  krb5ccmachine_XXX.NET

# klist /tmp/krb5ccmachine_XXX.NET 
Ticket cache: FILE:/tmp/krb5ccmachine_XXX.NET
Default principal: Client$@XXX.NET

Valid starting       Expires              Service principal
10.10.2019 18:58:29  11.10.2019 04:58:29  krbtgt/XXX.NET@XXX.NET
        renew until 11.10.2019 18:58:28
On the server there is no machine ticket at all?

I have slightly altered the hostnames and IPv6 addresses since some of them are publicly reachable.

What am I overlooking?

Regards
craano
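Two offline sanity checks for the setup described in the post, as an added example (not code from the original post or from Samba/nfs-utils): one verifies that a keytab listing contains the exact `nfs/<fqdn>@<REALM>` principal that the NFS GSS daemons look up, the other validates that every method in idmapd.conf's [Translation] section is one nfs-idmapd implements. The hostname, realm and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example; hostname, realm and sample file contents are constructed.

# $1 = FQDN, $2 = realm, $3 = text of `klist -k` output.
# The GSS daemons look for nfs/<fqdn>@<REALM>; a short-name or
# mixed-case variant in the keytab will not be used for the NFS service.
keytab_has_nfs_principal() {
    printf '%s\n' "$3" | grep -q "^ *[0-9][0-9]* *nfs/$1@$2\$"
}

# $1 = text of idmapd.conf. Every value in Method/GSS-Method must be a
# method nfs-idmapd knows (nsswitch, umich_ldap, static, regex); a typo
# there leaves ID mapping silently broken.
idmapd_methods_valid() {
    printf '%s\n' "$1" | grep -E '^ *(GSS-)?Method *=' | sed 's/^[^=]*= *//' |
    tr ',' '\n' |
    while read -r m; do
        case "$m" in
            nsswitch|umich_ldap|static|regex) ;;
            *) echo "unknown idmapd translation method: '$m'" >&2; exit 1 ;;
        esac
    done
}

# Constructed sample inputs so the checks can be exercised offline.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   4 NFSHOST$@EXAMPLE.NET
   4 nfs/nfshost.example.net@EXAMPLE.NET'

SAMPLE_IDMAPD_GOOD='[Translation]
Method = static,nsswitch
GSS-Method = static,nsswitch'

SAMPLE_IDMAPD_BAD='[Translation]
Method = static,nsswitch
GSS-Method = static,msswitch'

# Stand-alone demonstration: report the outcome of each check.
run_checks() {
    keytab_has_nfs_principal nfshost.example.net EXAMPLE.NET "$SAMPLE_KEYTAB" \
        && echo "keytab: nfs/ principal present" || echo "keytab: nfs/ principal MISSING"
    idmapd_methods_valid "$SAMPLE_IDMAPD_GOOD" && echo "idmapd (good): ok"
    idmapd_methods_valid "$SAMPLE_IDMAPD_BAD"  || echo "idmapd (bad): invalid method"
}
```

On a real host, feed the functions `"$(klist -k)"` and `"$(cat /etc/idmapd.conf)"` with the output of `hostname -f` as the FQDN.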