root権限なしでKerberos認証を使用してNFSv4共有フォルダにアクセスする方法

root権限なしでKerberos認証を使用してNFSv4共有フォルダにアクセスする方法

Kerberos認証を使用してNFSv4共有フォルダを設定しています。私が直面した問題は、クライアントコンピュータでユーザーとして実行している場合mount /mnt(下記のfstabの設定を参照)/ mntディレクトリにアクセスできないことです。私はこれがKerberosチケットに対する権限のためだと思います。実際にこれを行うと、ルートに属するチケット1つだけが得られます。

Client = 192.168.1.2とServer = 192.168.1.1の両方がUbuntu 18.04.1を実行しています

コマンドラインは次のとおりです。

user@client:~$ mount -vvv /mnt
mount.nfs4: timeout set for Mon Sep 10 16:55:58 2018
mount.nfs4: trying text-based options 'proto=tcp,port=2049,sec=krb5p,vers=4.2,addr=192.168.1.1,clientaddr=192.168.1.2'

user@client:~$ cd /mnt
bash: cd: /mnt: Permission denied

user@client:~$ ll /tmp/krb5ccmachine_DOMAIN.FR 
-rw------- 1 root root 1628 sept. 10 16:53 /tmp/krb5ccmachine_DOMAIN.FR

user@client:~$ sudo klist -c /tmp/krb5ccmachine_DOMAIN.FR 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 16:53:42  11/09/2018 02:53:42  krbtgt/[email protected]
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/server.domain.fr@
    renew until 11/09/2018 16:53:42
10/09/2018 16:53:42  11/09/2018 02:53:42  nfs/[email protected]
    renew until 11/09/2018 16:53:42

root@client:~# klist -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/[email protected]
   3 nfs/[email protected]

ユーザー権限でnfs / client.domain.frを "kinit"してからmountコマンドを実行すると、/ mntディレクトリにアクセスできることがわかりました。

user@client:~$ kinit nfs/client.domain.fr -t Documents/krb5.keytab 
keytab specified, forcing -k
user@client:~$ klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 17:22:59  11/09/2018 03:22:59  krbtgt/[email protected]
    renew until 11/09/2018 17:22:59

user@client:~$ mount /mnt
user@client:~$ cd /mnt
user@client:/mnt$ ll
total 12
drwxrwxrwx  3 root root 4096 sept.  4 10:30 ./
drwxr-xr-x 24 root root 4096 sept.  4 11:09 ../
drwxrwxrwx  2 root root 4096 sept. 10 16:14 media/

user@client:/mnt$ ll /tmp/krb5cc*
-rw------- 1 user user 2037 sept. 10 17:23 /tmp/krb5cc_1000
-rw------- 1 root root 1628 sept. 10 17:23 /tmp/krb5ccmachine_DOMAIN.FR

user@client:/mnt$ sudo klist /tmp/krb5ccmachine_DOMAIN.FR 
[sudo] Mot de passe de user : 
Ticket cache: FILE:/tmp/krb5ccmachine_DOMAIN.FR
Default principal: nfs/[email protected]

Valid starting       Expires              Service principal
10/09/2018 17:23:35  11/09/2018 03:23:35  krbtgt/[email protected]
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/server.domain.fr@
    renew until 11/09/2018 17:23:35
10/09/2018 17:23:35  11/09/2018 03:23:35  nfs/[email protected]
    renew until 11/09/2018 17:23:35

私の設定ファイル:

クライアントコンピュータの/etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=14d26733-1eb1-4c23-b6eb-7be5564675a6 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
server:/    /mnt    nfs4    proto=tcp,port=2049,sec=krb5p,noauto,user   0   0

サーバーの /etc/fstab:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda1 during installation
UUID=6edf6c8d-be74-4908-91c4-4c7bb453bc76 /               ext4    errors=remount-ro 0       1
/swapfile                                 none            swap    sw              0       0
/home/media /export/media   none    bind    0   0

サーバーの /etc/exports:

# /etc/exports: the access control list for filesystems which may be exported
#       to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         192.168.1.0/24(rw,fsid=0,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)
/export/media   192.168.1.0/24(rw,nohide,insecure,no_subtree_check,sync,sec=krb5p,all_squash,anonuid=1000,anongid=1000)

uid=1000 および gid=1000 のユーザーがクライアントとサーバーに存在します。私もroot_squashオプションを試しました。

クライアントとサーバーの /etc/krb5.conf:

[logging]
    default = FILE:/tmp/krb5libs.log
    kdc = FILE:/tmp/krb5kdc.log
    admin_server = FILE:/tmp/kadmind.log

[libdefaults]
    default_realm = DOMAIN.FR

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.FR = {
        kdc = kdc.domain.fr
        admin_server = kerberos.domain.fr
        default_domain = domain.fr
    }

[domain_realm]
    .domain.fr = DOMAIN.FR
    domain.fr = DOMAIN.FR

サーバーの /etc/default/nfs-kernel-server:

# Number of servers to start up
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --debug all"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD="yes"

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS="-vvv"

クライアントとサーバーの /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".


# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

クライアントとサーバーの /etc/hosts:

127.0.0.1   localhost

# server
192.168.1.1 server.domain.fr    server
192.168.1.1 domain.fr
# Client
192.168.1.2 client.domain.fr    client

kdcのログ:

sept. 10 16:48:06 server krb5kdc[545](info): setting up network...
krb5kdc: setsockopt(10,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(14,IPV6_V6ONLY,1) worked
sept. 10 16:48:06 server krb5kdc[545](info): set up 6 sockets
sept. 10 16:48:06 server krb5kdc[572](info): commencing operation
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: NEEDED_PREAUTH: nfs/[email protected] for krbtgt/[email protected], Additional pre-authentication required
sept. 10 16:53:42 server krb5kdc[572](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for krbtgt/[email protected]
sept. 10 16:53:42 server krb5kdc[572](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.168.1.2: ISSUE: authtime 1536591222, etypes {rep=18 tkt=18 ses=18}, nfs/[email protected] for nfs/[email protected]

受信したチケットはルートに属するため、共有フォルダをマウントしてクライアントコンピュータのrootユーザーを使用してアクセスすることができます。ユーザー所有のチケットを入手できますか?ユーザーを使用して共有ディレクトリをマウントし、以前にkinitを実行せずにアクセスできるかどうか疑問に思います。

関連情報