Como acessar a pasta compartilhada NFSv4 com autenticação Kerberos sem direitos de root

0

Estou configurando uma pasta compartilhada NFSv4 com autenticação Kerberos. O problema que estou enfrentando é que quando o usuário na máquina cliente executa mount /mnt (veja a configuração fstab abaixo) ele não consegue acessar o diretório / mnt. É devido aos direitos sobre o bilhete Kerberos, eu acho. De fato, quando estou fazendo isso, eu só recebo um ticket que pertence ao root.

Cliente = 192.168.1.2 e servidor = 192.168.1.1 ambos estão executando o Ubuntu 18.04.1

Aqui as linhas de comando:

user@client:~$ mount -vvv /mnt
mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

user@client:~$ cd /mnt
bash: cd: /mnt: Permission denied

user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR 
-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 16:53:42  11/09/2018 02:53:42  krbtgt/[email protected]
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/server.domain.fr@
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/[email protected]
    renew until 11/09/2018 16:53:42

root@client:~# klist -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/[email protected]
   3 nfs/[email protected]

Eu achei que quando eu faço um "kinit" de nfs / client.domain.fr com direitos de usuário e, em seguida, executa o comando mount, posso acessar o diretório / mnt

user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
keytab specified, forcing -k
user@client:~$ klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 17:22:59  11/09/2018 03:22:59  krbtgt/[email protected]
    renew until 11/09/2018 17:22:59

user@client:~$ mount /mnt
user@client:~$ cd /mnt
user@client:/mnt$ ll
total 12
drwxrwxrwx  3 root root 4096 sept.  4 10:30 ./
drwxr-xr-x 24 root root 4096 sept.  4 11:09 ../
drwxrwxrwx  2 root root 4096 sept. 10 16:14 media/

user@client:/mnt$ ll /tmp/krb5cc*
-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
-rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR 
[sudo] Mot de passe de user : 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 17:23:35  11/09/2018 03:23:35  krbtgt/[email protected]
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/server.domain.fr@
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/[email protected]
    renew until 11/09/2018 17:23:35

Meus arquivos de configurações:

/ etc / fstab na máquina do cliente

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
server:/    /mnt    nfs4    proto=tcp,port=2049,sec=krb5p,noauto,user   0   0

/ etc / fstab no servidor:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
/home/media /export/media   none    bind    0   0

/ etc / exports no servidor:

# /etc/exports: the access control list for filesystems which may be exported
#       to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media   192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)

O usuário com uid = 1000 e gid = 1000 existe no cliente e no servidor. Eu também tentei com a opção root_squash.

/etc/krb5.conf no cliente e no servidor:

[logging]
    default = FILE:/tmp/krb5libs.log
    kdc = FILE:/tmp/krb5kdc.log
    admin_server = FILE:/tmp/kadmind.log

[libdefaults]
    default_realm = DOMAIN.FR

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.FR = {
        kdc = kdc.domain.fr
        admin_server = kerberos.domain.fr
        default_domain = domain.fr
    }

[domain_realm]
    .domain.fr = DOMAIN.FR
    domain.fr = DOMAIN.FR

/ etc / default / nfs-kernel-server no servidor:

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"

/ etc / default / nfs-common no cliente e no servidor:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".


# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

/ etc / hosts no cliente e no servidor:

127.0.0.1   localhost

# server
192.168.1.1 server.domain.fr    server
192.168.1.1 domain.fr
# Client
192.168.1.2 client.domain.fr    client

logs do kdc:

sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for krbtgt/[email protected]
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for nfs/[email protected]

Agora, só consigo montar a pasta compartilhada e acessá-la com o usuário raiz na máquina do cliente, porque o ticket que obtenho pertence ao root. É possível obter um bilhete que pertence ao usuário? Eu gostaria de saber se é possível montar o diretório compartilhado com o usuário e acessá-lo sem fazer o kinit antes.

Se precisar de mais informações ou tiver dúvidas sobre minha configuração, não hesite.

    
por Charles 11.09.2018 / 10:26

0 respostas