
#1 17/09/2021, 14:24

cgnix

NFS4 Kerberos and Samba AD

Hello,

A bit of context... I want to add Kerberos authentication to my NFS mounts, but before putting that into production I want to see how it works and try it out in a test environment.

So for all my servers I have:
- Ubuntu 20.04, up to date
- Samba AD DC 4.14.7

For my test infrastructure:
- ubn-dc.kr.lan => AD with a bind9 DLZ
- ubn-srv.kr.lan => for the NFS server
- ubn-cli.kr.lan => for the NFS client
- A Windows VM for the RSAT

My problem:

I got my server and my client joined to the domain fine, but it is impossible to mount an NFS share, even though I followed this tutorial: https://doc.ubuntu-fr.org/tutoriel/samb … kerberized

The keytabs are OK:

root@ubn-srv:~# klist -ke]
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/ubn-srv.kr.lan@KR.LAN (aes256-cts-hmac-sha1-96)
   1 host/UBN-SRV@KR.LAN (aes256-cts-hmac-sha1-96)
   1 host/ubn-srv.kr.lan@KR.LAN (aes128-cts-hmac-sha1-96)
   1 host/UBN-SRV@KR.LAN (aes128-cts-hmac-sha1-96)
   1 host/ubn-srv.kr.lan@KR.LAN (arcfour-hmac)
   1 host/UBN-SRV@KR.LAN (arcfour-hmac)
   1 restrictedkrbhost/ubn-srv.kr.lan@KR.LAN (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/UBN-SRV@KR.LAN (aes256-cts-hmac-sha1-96)
   1 restrictedkrbhost/ubn-srv.kr.lan@KR.LAN (aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/UBN-SRV@KR.LAN (aes128-cts-hmac-sha1-96)
   1 restrictedkrbhost/ubn-srv.kr.lan@KR.LAN (arcfour-hmac)
   1 restrictedkrbhost/UBN-SRV@KR.LAN (arcfour-hmac)
   1 UBN-SRV$@KR.LAN (aes256-cts-hmac-sha1-96)
   1 UBN-SRV$@KR.LAN (aes128-cts-hmac-sha1-96)
   1 UBN-SRV$@KR.LAN (arcfour-hmac)
   1 nfs/ubn-srv.kr.lan@KR.LAN (aes256-cts-hmac-sha1-96)
   1 nfs/UBN-SRV@KR.LAN (aes256-cts-hmac-sha1-96)
   1 nfs/ubn-srv.kr.lan@KR.LAN (aes128-cts-hmac-sha1-96)
   1 nfs/UBN-SRV@KR.LAN (aes128-cts-hmac-sha1-96)
   1 nfs/ubn-srv.kr.lan@KR.LAN (arcfour-hmac)
   1 nfs/UBN-SRV@KR.LAN (arcfour-hmac)
root@ubn-cli:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 ubn-cli$@KR.LAN (arcfour-hmac)
   5 ubn-cli$@KR.LAN (aes128-cts-hmac-sha1-96)
   5 ubn-cli$@KR.LAN (aes256-cts-hmac-sha1-96)
   5 UBN-CLI$@KR.LAN (arcfour-hmac)
   5 UBN-CLI$@KR.LAN (aes128-cts-hmac-sha1-96)
   5 UBN-CLI$@KR.LAN (aes256-cts-hmac-sha1-96)
   5 nfs/ubn-cli.krb.lan@KR.LAN (arcfour-hmac)
   5 nfs/ubn-cli.krb.lan@KR.LAN (aes128-cts-hmac-sha1-96)
   5 nfs/ubn-cli.krb.lan@KR.LAN (aes256-cts-hmac-sha1-96)
   5 host/ubn-cli@KR.LAN (arcfour-hmac)
   5 host/ubn-cli@KR.LAN (aes128-cts-hmac-sha1-96)
   5 host/ubn-cli@KR.LAN (aes256-cts-hmac-sha1-96)
   5 host/UBN-CLI@KR.LAN (arcfour-hmac)
   5 host/UBN-CLI@KR.LAN (aes128-cts-hmac-sha1-96)
   5 host/UBN-CLI@KR.LAN (aes256-cts-hmac-sha1-96)
   5 host/ubn-cli.krb.lan@KR.LAN (arcfour-hmac)
   5 host/ubn-cli.krb.lan@KR.LAN (aes128-cts-hmac-sha1-96)
   5 host/ubn-cli.krb.lan@KR.LAN (aes256-cts-hmac-sha1-96)
   5 UBN-CLI.KR.LAN$@KR.LAN (aes256-cts-hmac-sha1-96)
   5 UBN-CLI.KR.LAN$@KR.LAN (aes128-cts-hmac-sha1-96)
   5 UBN-CLI.KR.LAN$@KR.LAN (arcfour-hmac)
   5 nfs/ubn-srv.kr.lan@KR.LAN (aes256-cts-hmac-sha1-96)
   5 nfs/ubn-srv.kr.lan@KR.LAN (aes128-cts-hmac-sha1-96)
   5 nfs/ubn-srv.kr.lan@KR.LAN (arcfour-hmac)

For the exports:

root@ubn-srv:~# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subt
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         10.4.6.0/24(ro,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
/export/ds1     10.4.6.0/24(rw,sync,no_subtree_check,sec=krb5)

And my mount on the client side:

root@ubn-cli:~# mount -vvv -t nfs4 -o sec=krb5 ubn-srv.kr.lan:/export/ds1 /mnt/ds1
mount.nfs4: timeout set for Fri Sep 17 14:17:06 2021
mount.nfs4: trying text-based options 'sec=krb5,vers=4.2,addr=10.4.6.2,clientaddr=10.4.6.3'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting ubn-srv.kr.lan:/export/ds1
The client's syslog, with rpc.gssd -vvv:
Sep 17 14:21:38 ubn-cli rpc.gssd[1320]: WARNING: gssd_clnt_gssd_cb: failed reading request
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: #012handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2' (nfs/clntc)
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: krb5_use_machine_creds: uid 0 tgtname (null)
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-srv.kr.lan' is 'ubn-srv.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-cli.kr.lan' is 'ubn-cli.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Success getting keytab entry for 'ubn-cli$@KR.LAN'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: gssd_get_single_krb5_cred: principal 'ubn-cli$@KR.LAN' ccache:'FILE:/tmp/krb5ccmachine_KR.LAN'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating tcp client for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: DEBUG: port already set to 2049
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating context with server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_KR.LAN for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-srv.kr.lan' is 'ubn-srv.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-cli.kr.lan' is 'ubn-cli.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Success getting keytab entry for 'ubn-cli$@KR.LAN'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating tcp client for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: DEBUG: port already set to 2049
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating context with server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_KR.LAN for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: ERROR: Failed to create machine krb5 context with any credentials cache for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: doing error downcall
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: #012handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2' (nfs/clntc)
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: krb5_use_machine_creds: uid 0 tgtname (null)
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-srv.kr.lan' is 'ubn-srv.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-cli.kr.lan' is 'ubn-cli.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Success getting keytab entry for 'ubn-cli$@KR.LAN'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating tcp client for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: DEBUG: port already set to 2049
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating context with server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_KR.LAN for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-srv.kr.lan' is 'ubn-srv.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-cli.kr.lan' is 'ubn-cli.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Success getting keytab entry for 'ubn-cli$@KR.LAN'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating tcp client for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: DEBUG: port already set to 2049
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating context with server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_KR.LAN for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: ERROR: Failed to create machine krb5 context with any credentials cache for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: doing error downcall
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: #012handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2' (nfs/clntc)
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: krb5_use_machine_creds: uid 0 tgtname (null)
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-srv.kr.lan' is 'ubn-srv.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-cli.kr.lan' is 'ubn-cli.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Success getting keytab entry for 'ubn-cli$@KR.LAN'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating tcp client for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: DEBUG: port already set to 2049
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating context with server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_KR.LAN for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Machine cache prematurely expired or corrupted trying to recreate cache for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-srv.kr.lan' is 'ubn-srv.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Full hostname for 'ubn-cli.kr.lan' is 'ubn-cli.kr.lan'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: Success getting keytab entry for 'ubn-cli$@KR.LAN'
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: INFO: Credentials in CC 'FILE:/tmp/krb5ccmachine_KR.LAN' are good until 1631917299
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating tcp client for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: DEBUG: port already set to 2049
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: creating context with server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs@ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: Failed to create machine krb5 context with cred cache FILE:/tmp/krb5ccmachine_KR.LAN for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: ERROR: Failed to create machine krb5 context with any credentials cache for server ubn-srv.kr.lan
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: doing error downcall
Sep 17 14:21:39 ubn-cli rpc.gssd[1320]: WARNING: gssd_clnt_gssd_cb: failed reading request

Naturally everything else is set up properly. Any ideas?

Thanks in advance ;)

Last edited by cgnix (20/09/2021, 09:40)
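Two things a sec=krb5 mount depends on can be checked mechanically from the outputs posted above: that each host's keytab holds the principal rpc.gssd will look for (the server must own nfs/<fqdn>@REALM, the client at least its machine principal, which is what the log shows rpc.gssd picking up as ubn-cli$@KR.LAN), and that the flavour given to mount -o sec= is in the export's sec= list. The checker below is an added example, not code from the thread or from nfs-utils; the role rules, the list of "strong" enctypes and the sample listings (constructed from a subset of the client keytab and the exports file above) are its own assumptions. Run on the client listing it reports the nfs/ entry whose host part is ubn-cli.krb.lan rather than ubn-cli.kr.lan, and the copy of nfs/ubn-srv.kr.lan that sits in the client's keytab; the thread does not say whether either is the cause, so these are things to verify, not a diagnosis.

```python
"""Sanity-check the pieces an NFSv4 sec=krb5 mount depends on: the keytab
principals on each host and the sec= flavour the export allows.
Added example, not from the thread; the sample listings below are
constructed from the outputs posted above, trimmed to a few lines."""
import re
from dataclasses import dataclass

# AES keys are what a current KDC and rpc.gssd negotiate; arcfour-hmac (RC4)
# is legacy, so a service principal that has *only* RC4 keys is flagged.
STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
EXPORT_RE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str


def parse_klist(text):
    """Turn `klist -ke` output into KeytabEntry objects (header lines are skipped)."""
    return [KeytabEntry(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def check_nfs_keytab(entries, fqdn, realm, role):
    """Findings for one host. role is 'server' (must own nfs/<fqdn>@REALM, which is
    what rpc.gssd requests as nfs@<server>) or 'client' (must own <host>$@REALM).
    Any service principal whose host part is neither this host's FQDN nor its
    short name is reported: a key for another host does not belong in this keytab."""
    short = fqdn.split(".")[0]
    keys = {}
    for e in entries:
        keys.setdefault(e.principal, set()).add(e.enctype)
    findings = []
    if role == "server":
        want = f"nfs/{fqdn}@{realm}"
        if want not in keys:
            findings.append(f"missing {want}")
        elif not keys[want] & STRONG_ENCTYPES:
            findings.append(f"{want} has only legacy enctypes")
    else:
        if not {f"{short}$@{realm}", f"{short.upper()}$@{realm}"} & keys.keys():
            findings.append(f"missing machine principal {short}$@{realm}")
    for p in keys:
        if "/" not in p:
            continue
        host = p.split("/", 1)[1].split("@", 1)[0].lower()
        if host not in {fqdn.lower(), short.lower()}:
            findings.append(f"{p}: host part '{host}' is not {fqdn} (or {short})")
    return findings


def parse_exports(text):
    """Parse /etc/exports into {path: (client_spec, [options])}, ignoring comments."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = EXPORT_RE.match(line) if line else None
        if m:
            exports[m.group(1)] = (m.group(2), m.group(3).split(","))
    return exports


def sec_allowed(exports, path, flavour):
    """True if `mount -o sec=<flavour>` of `path` matches the export's sec= list
    (colon-separated, e.g. sec=krb5:krb5i:krb5p). No sec= option means AUTH_SYS only."""
    for opt in exports[path][1]:
        if opt.startswith("sec="):
            return flavour in opt[4:].split(":")
    return flavour == "sys"


# Constructed samples: a subset of the client keytab and the exports file posted above.
CLIENT_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   5 ubn-cli$@KR.LAN (arcfour-hmac)
   5 ubn-cli$@KR.LAN (aes256-cts-hmac-sha1-96)
   5 nfs/ubn-cli.krb.lan@KR.LAN (aes256-cts-hmac-sha1-96)
   5 host/ubn-cli@KR.LAN (aes256-cts-hmac-sha1-96)
   5 nfs/ubn-srv.kr.lan@KR.LAN (aes256-cts-hmac-sha1-96)
"""
EXPORTS = """\
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export         10.4.6.0/24(ro,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
/export/ds1     10.4.6.0/24(rw,sync,no_subtree_check,sec=krb5)
"""

if __name__ == "__main__":
    print(check_nfs_keytab(parse_klist(CLIENT_KLIST), "ubn-cli.kr.lan", "KR.LAN", "client"))
    print(sec_allowed(parse_exports(EXPORTS), "/export/ds1", "krb5p"))
```

Feed it the real `klist -ke` output of each host with that host's role and FQDN. On the flavour side, sec=krb5 only authenticates each RPC; krb5i adds integrity protection and krb5p encrypts the traffic, and the server refuses a mount whose sec= flavour is not in the export's list, so the export and the mount options must agree whichever flavour is chosen.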

#2 17/09/2021, 18:34

cqfd93

Re: NFS4 Kerberos and Samba AD

Moderation

Hello,

Quote tags to be replaced with code tags.


cqfd93

#3 20/09/2021, 09:40

cgnix

Re: NFS4 Kerberos and Samba AD

cqfd93 wrote:

Moderation

Hello,

Quote tags to be replaced with code tags.

Done ;)

Bump while I'm at it :)