Kerberos authentication for NFS fails when the client uses the client UPN instead of the user UPN
Applies to
- Kerberized NFS
- ONTAP 9
Issue
- Mounting a volume with sec=krb5 fails with an access denied error:
mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.x.x.x,clientaddr=10.x.x.x'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 10.x.x.x:/test_kerberos
- The client system sends the client UPN (host/<client FQDN>@<KERBEROS REALM>) instead of the user UPN
- Mounting the same volume without encryption completes successfully, without any issue
- ONTAP reports the following errors:
node1 ERROR secd.nfsAuth.problem: vserver (vs1) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 4 ms] Acquired NFS service credential for logical interface 1061 (SPN='nfs/LIF.domain.com@domain.com').
[ 6] GSS_S_COMPLETE: client = 'host/client1.domain@domain'
[ 6] Trying to map SPN 'host/client1.domain@domain' to UNIX user 'host' using implicit mapping
[ 6] Unix User Name found in Name Service Negative Cache
[ 8] Unable to map SPN 'host/client1.domain@domain'
[ 8] FAILURE: Unable to map Kerberos NFS user 'host/client1.domain@domain' to appropriate UNIX user
[ 12] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result = 6916
node1 ERROR secd.kerberos.lookupFailed: Unable to map Kerberos user (host/client1.domain@domain) to appropriate UNIX user on Vserver (vs1).
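The secd trace above shows why the mount is refused: ONTAP's implicit mapping takes the first component of the accepted principal ('host' from host/client1.domain@domain) and looks for a UNIX user of that name, which does not exist. The following added script (not part of this article or of ONTAP) models that mapping step and triages a constructed sample of secd lines, flagging sessions where the client presented a host/ principal rather than a user principal; the sample log and the UNIX user set are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the secd lines quoted in this article (not a real capture).
SECD_LOG = """\
[ 6] GSS_S_COMPLETE: client = 'host/client1.domain@domain'
[ 6] Trying to map SPN 'host/client1.domain@domain' to UNIX user 'host' using implicit mapping
[ 8] Unable to map SPN 'host/client1.domain@domain'
[ 6] GSS_S_COMPLETE: client = 'alice@domain'
[ 6] Trying to map SPN 'alice@domain' to UNIX user 'alice' using implicit mapping
"""

CLIENT_RE = re.compile(r"GSS_S_COMPLETE: client = '([^']+)'")
UNMAPPED_RE = re.compile(r"Unable to map SPN '([^']+)'")


def implicit_unix_name(principal: str) -> str:
    """Implicit mapping as the secd trace shows it: strip the realm, keep the first
    component, so 'host/client1.domain@domain' -> 'host' and 'alice@domain' -> 'alice'."""
    primary = principal.split("@", 1)[0]
    return primary.split("/", 1)[0]


def is_host_principal(principal: str) -> bool:
    """True for a machine (client) principal of the form host/<client FQDN>@<REALM>."""
    return principal.split("@", 1)[0].startswith("host/")


def triage(log: str, unix_users: Set[str]) -> List[Dict[str, object]]:
    """For every principal the GSS context accepted, report whether it is a host
    principal (this article's symptom) and whether implicit mapping can resolve it
    against the known UNIX users; also note whether secd itself reported it unmapped."""
    unmapped = set(UNMAPPED_RE.findall(log))
    report: List[Dict[str, object]] = []
    for principal in CLIENT_RE.findall(log):
        mapped = implicit_unix_name(principal)
        report.append({
            "principal": principal,
            "host_principal": is_host_principal(principal),
            "unix_user": mapped,
            "resolvable": mapped in unix_users,
            "ontap_reported_unmapped": principal in unmapped,
        })
    return report


if __name__ == "__main__":
    # Assumed UNIX user database for the SVM; 'host' is deliberately absent.
    for entry in triage(SECD_LOG, {"alice", "root"}):
        print(entry)
```

A session marked host_principal with resolvable False is the pattern in this article: the mount was negotiated with the machine credential, not a user ticket, so the name it maps to has no UNIX account.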