Kerberos authentication for NFS fails when the client uses the client UPN instead of the user UPN
Applies to
- NFS with Kerberos
- ONTAP 9
Issue
- When a volume is mounted with sec=krb5, the mount fails with an "Access Denied" error:
mount.nfs4: trying text-based options 'sec=krb5,vers=4.0,addr=10.x.x.x,clientaddr=10.x.x.x'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting 10.x.x.x:/test_kerberos
- The client system sends the client UPN (host/<client FQDN>@<KERBEROS REALM>) instead of the user UPN.
- ONTAP reports the following errors:
node1 ERROR secd.nfsAuth.problem: vserver (vs1) General NFS authorization problem. Error: RPC accept GSS token procedure failed
[ 4 ms] Acquired NFS service credential for logical interface 1061 (SPN='nfs/LIF.domain.com@domain.com').
[ 6] GSS_S_COMPLETE: client = 'host/client1.domain@domain'
[ 6] Trying to map SPN 'host/client1.domain@domain' to UNIX user 'host' using implicit mapping
[ 6] Unix User Name found in Name Service Negative Cache
[ 8] Unable to map SPN 'host/client1.domain@domain'
[ 8] FAILURE: Unable to map Kerberos NFS user 'host/client1.domain@domain' to appropriate UNIX user
[ 12] Failed to accept the context: The routine completed successfully (minor: Unknown error). Result = 6916
node1 ERROR secd.kerberos.lookupFailed: Unable to map Kerberos user (host/client1.domain@domain) to appropriate UNIX user on Vserver (vs1).
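The secd trace above shows why the mount fails: the GSS client identity is a two-component service principal (host/<FQDN>@REALM), and ONTAP's implicit mapping takes its first component, 'host', as the UNIX user to look up. The following added example (not NetApp code; the trace excerpt is constructed from the lines quoted above) parses a secd trace, splits the client principal into components and realm, and flags the case where the failing identity is a host SPN rather than a user UPN.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the secd trace quoted in the article (not a live capture).
SAMPLE_TRACE = """\
[ 4 ms] Acquired NFS service credential for logical interface 1061 (SPN='nfs/LIF.domain.com@domain.com').
[ 6] GSS_S_COMPLETE: client = 'host/client1.domain@domain'
[ 6] Trying to map SPN 'host/client1.domain@domain' to UNIX user 'host' using implicit mapping
[ 8] FAILURE: Unable to map Kerberos NFS user 'host/client1.domain@domain' to appropriate UNIX user
"""

@dataclass
class Principal:
    components: list   # e.g. ['host', 'client1.domain'] or ['alice']
    realm: str         # text after the last '@'

    @property
    def is_service_principal(self) -> bool:
        # user@REALM has a single component; host/fqdn@REALM or nfs/fqdn@REALM have two.
        return len(self.components) > 1

    @property
    def implicit_unix_user(self) -> str:
        # Implicit mapping tries the first component as the UNIX user name,
        # which is why the trace shows ONTAP looking up a UNIX user called 'host'.
        return self.components[0]

def parse_principal(text: str) -> Principal:
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {text!r}")
    return Principal(name.split("/"), realm)

CLIENT_RE = re.compile(r"GSS_S_COMPLETE: client = '([^']+)'")
FAILURE_RE = re.compile(r"FAILURE: Unable to map Kerberos NFS user '([^']+)'")

def diagnose(trace: str) -> dict:
    """Report whether the identity that failed UNIX mapping is a host SPN instead of a user UPN."""
    result = {"client_is_host_spn": False, "unmapped_user": None, "realm": None}
    failed = set(FAILURE_RE.findall(trace))
    for text in CLIENT_RE.findall(trace):
        p = parse_principal(text)
        if text in failed and p.is_service_principal and p.components[0] == "host":
            result.update(client_is_host_spn=True,
                          unmapped_user=p.implicit_unix_user, realm=p.realm)
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```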