NFS Kerberos mount fails and access is denied on clients in a trusted domain
Applies to
- ONTAP 9
- NFS Kerberos
- Trusted domain
Issue
- The NFS Kerberos mount fails:
[user1@rhel ~]$ sudo mount -t nfs -o vers=4,sec=krb5p,noexec nfsserver-3.nas.ss.com.in:/vol1/q10 /tmp/q10
mount.nfs: access denied by server while mounting nfsserver-3.nas.ss.com.in:/vol1/q10
- The NFS client belongs to the domains BODX.SDS.CS.COM.IN and BOD.SS.COM.IN:
[user1@rhel ~]$ realm list
BODX.SDS.CS.COM.IN
type: kerberos
realm-name: BODX.SDS.CS.COM.IN
domain-name: BODX.SDS.CS.COM.IN
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy:
- The NFS Kerberos LIF was created in a different domain, "BOD.SS.COM.IN":
::*> nfs kerberos interface show -vserver nfsserver-3
Logical
Vserver Interface Address Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
clus-sv3 clus-sv3-if1
10.xx.yy.228 enabled nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN
clus-sv3 clus-sv3-if2
10.xx.yy.229 enabled nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN
- Name mapping is configured for the trusted domain "BODX.SDS.CS.COM.IN":
::*> vserver name-mapping show -vserver nfsserver-3
Vserver: nfsserver-3
Direction: krb-unix
Position Hostname IP Address/Mask
-------- ---------------- ----------------
1 - - Pattern: nfs/nfsserver-3.nas.ss.com.in@BOD.SS.COM.IN
Replacement: pcuser
2 - - Pattern: (.+)\$@BOD.SS.COM.IN
Replacement: root
3 - - Pattern: host/(.+)@BOD.SS.COM.IN
Replacement: root
4 - - Pattern: ([^/]+)@BOD.SS.COM.IN
Replacement: \1
5 - - Pattern: (.+)\$@BODX.SDS.CS.COM.IN
Replacement: root
6 - - Pattern: host/(.+)@BODX.SDS.CS.COM.IN
Replacement: root
- A packet trace taken on the client shows:
- The client queries DNS (10.kk.mm.5) for the NFS server hostname (nfsserver-3.nas.ss.com.in):
2081 2023-02-20 14:47:45.680 10.vv.dd.42 10.kk.mm.5 DNS Standard query 0x20b5 A nfsserver-3.nas.ms.com.cn
2083 2023-02-20 14:47:45.680 10.kk.mm.5 10.vv.dd.42 DNS Standard query response 0x20b5 A nfsserver-3.nas.ss.com.in A 10.xx.yy.229 A 10.xx.yy.228
- The client obtains a TGT for the domain BODX.SDS.CS.COM.IN from the KDC using the client's machine account:
2182 2023-02-20 14:47:45.692 10.vv.dd.42 10.rr.pp.132 KRB5 40060,88 RHEL$ krbtgt,BODX.SDS.CS.COM.IN AS-REQ
2185 2023-02-20 14:47:45.692 10.rr.pp.132 10.vv.dd.42 KRB5 88,40060 RHEL$ krbtgt,BODX.SDS.CS.COM.IN AS-REP
- The client tries to obtain a TGS for the ONTAP NFS server SPN (nfs/nfsserver-3.nas.ss.com.in), but the request fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
2212 2023-02-20 14:47:45.695 10.vv.dd.42 10.rr.pp.132 KRB5 40062,88 krbtgt,BODX.SDS.CS.COM.IN,nfs,nfsserver-3.nas.ss.com.in TGS-REQ
2214 2023-02-20 14:47:45.695 10.rr.pp.132 10.vv.dd.42 KRB5 88,40062 nfs,nfsserver-3.nas.ss.com.in KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
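The trace above can be checked mechanically: the SPN the client asks its own KDC for must exist in that realm, and the host part must match an SPN actually registered on a LIF. The checker below is an added example, not part of the original article or of ONTAP; the trace lines and SPN list are constructed to follow the formats of the `nfs kerberos interface show` and packet-trace output shown above.

```python
import re
from typing import Dict, List

# Constructed sample data in the shape of the page's outputs (not captured from a live system).
REGISTERED_SPNS = [
    "nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN",  # LIF clus-sv3-if1
    "nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN",  # LIF clus-sv3-if2
]
TRACE = """\
2212 2023-02-20 14:47:45.695 10.vv.dd.42 10.rr.pp.132 KRB5 40062,88 krbtgt,BODX.SDS.CS.COM.IN,nfs,nfsserver-3.nas.ss.com.in TGS-REQ
2214 2023-02-20 14:47:45.695 10.rr.pp.132 10.vv.dd.42 KRB5 88,40062 nfs,nfsserver-3.nas.ss.com.in KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
"""

# TGS-REQ summary: krbtgt,<realm asked>,<service>,<host> TGS-REQ
TGS_REQ = re.compile(r"krbtgt,([^,\s]+),([^,\s]+),(\S+)\s+TGS-REQ")
# KDC error summary: <service>,<host> KRB Error: <code>
KRB_ERR = re.compile(r"(\S+),(\S+)\s+KRB Error:\s+(KRB5KDC_ERR_\w+)")

def parse_trace(trace: str) -> List[Dict[str, str]]:
    """Extract each TGS-REQ (realm asked, service, host) and attach the KDC's error reply, if any."""
    reqs: List[Dict[str, str]] = []
    for line in trace.splitlines():
        m = TGS_REQ.search(line)
        if m:
            reqs.append({"realm": m.group(1), "service": m.group(2), "host": m.group(3), "error": ""})
            continue
        e = KRB_ERR.search(line)
        # Pair the error with the preceding request for the same service/host.
        if e and reqs and (reqs[-1]["service"], reqs[-1]["host"]) == (e.group(1), e.group(2)):
            reqs[-1]["error"] = e.group(3)
    return reqs

def diagnose(req: Dict[str, str], registered: List[str]) -> List[str]:
    """Compare the SPN the client asked for with the SPNs registered on the ONTAP LIFs."""
    parsed = [re.fullmatch(r"([^/]+)/([^@]+)@(.+)", s).groups() for s in registered]
    realms = {realm for _, _, realm in parsed}
    hosts = {host for _, host, _ in parsed}
    findings = []
    if req["error"]:
        findings.append(f"KDC of {req['realm']} answered {req['error']} for {req['service']}/{req['host']}")
    if req["realm"] not in realms:
        findings.append(f"realm mismatch: asked {req['realm']}, SPNs registered in {sorted(realms)}")
    if req["host"] not in hosts:
        findings.append(f"hostname mismatch: asked {req['host']}, registered hosts {sorted(hosts)}")
    return findings

if __name__ == "__main__":
    for req in parse_trace(TRACE):
        for finding in diagnose(req, REGISTERED_SPNS):
            print(finding)
```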