
Hello.

I would like to know whether anyone has managed to set up NFS over Kerberos correctly on CentOS 7 (I currently have version 7.2). Here is what I did and the result I get:

2 machines:

rhce1.example.local 192.168.56.211 (also the KDC)

rhce2.example.local 192.168.56.212 (NFS client).

Entries in hosts on both machines in the form:

192.168.56.211 rhce1.example.local rhce1
192.168.56.212 rhce2.example.local rhce2

RHCE1.EXAMPLE.LOCAL:

First I set up the KDC.

yum install -y krb5-server krb5-workstation pam_krb5

vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE.LOCAL = {
master_key_type = aes256-cts
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

vim /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.LOCAL = {
kdc = rhce1.example.local
admin_server = rhce1.example.local
}

[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL

vim /var/kerberos/krb5kdc/kadm5.acl

*/admin@EXAMPLE.LOCAL *

Then:

kdb5_util create -s -r EXAMPLE.LOCAL

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.LOCAL',
master key name 'K/M@EXAMPLE.LOCAL'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: *****
Re-enter KDC database master key to verify: *****

systemctl enable krb5kdc.service
systemctl start krb5kdc.service
systemctl enable kadmin.service
systemctl start kadmin.service

[root@rhce1 ~]# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2017-02-18 12:05:47 CET; 45min ago
Main PID: 3309 (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─3309 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

Feb 18 12:05:47 rhce1 systemd[1]: Starting Kerberos 5 KDC...
Feb 18 12:05:47 rhce1 systemd[1]: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Feb 18 12:05:47 rhce1 systemd[1]: Started Kerberos 5 KDC.

[root@rhce1 ~]# systemctl status kadmin.service
● kadmin.service - Kerberos 5 Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2017-02-18 12:06:01 CET; 45min ago
Main PID: 3485 (kadmind)
CGroup: /system.slice/kadmin.service
└─3485 /usr/sbin/kadmind -P /var/run/kadmind.pid

Feb 18 12:06:00 rhce1 systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Feb 18 12:06:01 rhce1 systemd[1]: PID file /var/run/kadmind.pid not readable (yet?) after start.
Feb 18 12:06:01 rhce1 systemd[1]: Started Kerberos 5 Password-changing and Administration.

I tested adding a user:

[root@rhce1 ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.LOCAL with password.

kadmin.local: addprinc root/admin
Authenticating as principal root/admin@EXAMPLE.LOCAL with password.
WARNING: no policy specified for root/admin@EXAMPLE.LOCAL; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.LOCAL": ****
Re-enter password for principal "root/admin@EXAMPLE.LOCAL": ****
Principal "root/admin@EXAMPLE.LOCAL" created.

kadmin.local: addprinc user01
Enter password for principal "user01@EXAMPLE.LOCAL": user01
Re-enter password for principal "user01@EXAMPLE.LOCAL": user01
Principal "user01@EXAMPLE.LOCAL" created.

Adding the host:

kadmin.local: addprinc -randkey host/rhce1.EXAMPLE.LOCAL
Authenticating as principal root/admin@EXAMPLE.LOCAL with password.
WARNING: no policy specified for host/rhce1.EXAMPLE.LOCAL@EXAMPLE.LOCAL; defaulting to no policy
Principal "host/rhce1.EXAMPLE.LOCAL@EXAMPLE.LOCAL" created.

kadmin.local: ktadd host/rhce1.EXAMPLE.LOCAL
Authenticating as principal root/admin@EXAMPLE.LOCAL with password.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.EXAMPLE.LOCAL with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Modifying sshd:

vim /etc/ssh/ssh_config

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

systemctl reload sshd.service

authconfig --enablekrb5 --update

Creating the service:

vim /etc/firewalld/services/kerberos.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Kerberos</short>
<description>Kerberos network authentication protocol server</description>
<port protocol="tcp" port="88"/>
<port protocol="udp" port="88"/>
<port protocol="tcp" port="749"/>
</service>

firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload

useradd user01

[root@rhce1 ~]# su - user01
Last login: Sat Feb 18 10:22:21 CET 2017 from rhce2.example.local on pts/3
[user01@rhce1 ~]$ kinit
Password for user01@EXAMPLE.LOCAL:
[user01@rhce1 ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: user01@EXAMPLE.LOCAL

Valid starting Expires Service principal
02/18/2017 12:59:09 02/19/2017 12:58:56 krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL

It looks like it works correctly:

RHCE2.EXAMPLE.LOCAL

yum install -y krb5-workstation pam_krb5

vim /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.LOCAL = {
kdc = rhce1.example.local
admin_server = rhce1.example.local
}

[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL

useradd user01

# kadmin
Authenticating as principal root/admin@EXAMPLE.LOCAL with password.
Password for root/admin@EXAMPLE.LOCAL: kerberos
kadmin: addprinc -randkey host/rhce2.EXAMPLE.LOCAL
WARNING: no policy specified for host/rhce2.EXAMPLE.LOCAL@EXAMPLE.LOCAL; defaulting to no policy
Principal "host/rhce2.EXAMPLE.LOCAL@EXAMPLE.LOCAL" created.

kadmin: list_principals
K/M@EXAMPLE.LOCAL
host/rhce1.example.local@EXAMPLE.LOCAL
host/rhce2.example.local@EXAMPLE.LOCAL
kadmin/admin@EXAMPLE.LOCAL
kadmin/changepw@EXAMPLE.LOCAL
kadmin/rhce1.example.local@EXAMPLE.LOCAL
kiprop/rhce1.example.local@EXAMPLE.LOCAL
krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
nfs/rhce1.example.local@EXAMPLE.LOCAL
root/admin@EXAMPLE.LOCAL
user01@EXAMPLE.LOCAL
user02@EXAMPLE.LOCAL

kadmin: ktadd host/rhce2.example.local
Entry for principal host/rhce2.example.local with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce2.example.local with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce2.example.local with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce2.example.local with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce2.example.local with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce2.example.local with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce2.example.local with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce2.example.local with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

RHCE1.EXAMPLE.LOCAL

NFS configuration

yum groupinstall -y file-server

firewall-cmd --permanent --add-service=nfs

firewall-cmd --permanent --add-service=mountd

firewall-cmd --permanent --add-service=rpc-bind

firewall-cmd --reload

# kadmin
Authenticating as principal root/admin@example.local with password.
Password for root/admin@example.local: kerberos
kadmin: addprinc -randkey nfs/rhce1.example.local
WARNING: no policy specified for host/rhce1.example.local@example.local; defaulting to no policy
Principal "host/rhce1.example.local@example.local" created.

kadmin: ktadd nfs/rhce1.example.com
Entry for principal host/rhce1.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/rhce1.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit

mkdir -p /home/guests

chmod 0777 /home/guests

semanage fcontext -a -t public_content_rw_t "/home/guests(/.*)?"

restorecon -R /home/guests

vim /etc/exports

/home/guests rhce2.example.local(rw,no_root_squash,sec=krb5)

[root@rhce1 ~]# exportfs -avr

exporting rhce2.example.local:/home/guests

At the moment I run the command

[root@rhce1 ~]# systemctl start nfs-secure-server.service
[root@rhce1 ~]# systemctl status nfs-secure-server.service
● rpc-svcgssd.service - RPC security service for NFS server
Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: disabled)
Active: inactive (dead)
Condition: start condition failed at Sat 2017-02-18 13:22:05 CET; 6s ago
none of the trigger conditions were met

Feb 18 11:15:44 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:04:14 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:30:33 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:33:24 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:36:06 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 13:22:05 rhce1 systemd[1]: Started RPC security service for NFS server.

Nothing happens; in the logs there is only this entry:

/var/log/messages

Feb 18 13:24:49 rhce1 systemd: Started RPC security service for NFS server.

journalctl

Feb 18 13:24:49 rhce1 polkitd[707]: Registered Authentication Agent for unix-process:5944:493317 (system bus name :1.85 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Feb 18 13:24:49 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 13:24:49 rhce1 polkitd[707]: Unregistered Authentication Agent for unix-process:5944:493317 (system bus name :1.85, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

The service itself, however, does not start:

[root@rhce1 ~]# systemctl status nfs-secure-server.service
● rpc-svcgssd.service - RPC security service for NFS server
Loaded: loaded (/usr/lib/systemd/system/rpc-svcgssd.service; static; vendor preset: disabled)
Active: inactive (dead)
Condition: start condition failed at Sat 2017-02-18 13:22:05 CET; 2min 12s ago
none of the trigger conditions were met

Feb 18 11:15:44 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:04:14 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:30:33 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:33:24 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 12:36:06 rhce1 systemd[1]: Started RPC security service for NFS server.
Feb 18 13:22:05 rhce1 systemd[1]: Started RPC security service for NFS server.

Can anyone tell me what I am doing wrong?

Asked by Szymon_Iwiński | 18.02.2017
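The transcript above types the same principals in several spellings (`host/rhce1.EXAMPLE.LOCAL` in one `ktadd`, `nfs/rhce1.example.com` in another, while `list_principals` shows them as `host/rhce1.example.local` and `nfs/rhce1.example.local`), exports the share with `sec=krb5` only, and still issues single-DES and RC4 keys through `supported_enctypes`. Kerberos principal names are case-sensitive and an NFS server needs the exact `nfs/<lowercase fqdn>@REALM` key in `/etc/krb5.keytab`, so a small pre-flight check catches this class of mistake before the mount is attempted. The script below is an added example written for this post, not code from the original author or from nfs-utils; it parses the text shape of `klist -k -e` output and of an `/etc/exports` line, and the keytab listing and export line embedded in it are constructed to mirror the post (the `check_export` and helper function names are the example's own). It goes a little beyond the post by also reporting the `sec=` flavour and any weak encryption types:

```shell
#!/bin/bash
# Added pre-flight check for a Kerberos-secured NFS export (example code, not
# from the original post). Works on the text printed by `klist -k -e` and on one
# /etc/exports line, so it can be run offline against captured output.

# CONSTRUCTED `klist -k -e /etc/krb5.keytab` output that repeats the mixed
# spellings typed in the post (host/rhce1.EXAMPLE.LOCAL, nfs/rhce1.example.com).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhce1.EXAMPLE.LOCAL@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   2 host/rhce1.EXAMPLE.LOCAL@EXAMPLE.LOCAL (des-cbc-md5)
   2 nfs/rhce1.example.com@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   2 nfs/rhce1.example.com@EXAMPLE.LOCAL (arcfour-hmac)'

# CONSTRUCTED /etc/exports line, same shape as the one in the post.
SAMPLE_EXPORT='/home/guests rhce2.example.local(rw,no_root_squash,sec=krb5)'

# keytab_has_principal LISTING PRINCIPAL
# Exact, case-sensitive match on the principal column of a klist -k listing:
# host/rhce1.EXAMPLE.LOCAL and host/rhce1.example.local are different principals.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# weak_enctypes LISTING
# Prints (one per line, deduplicated) the single-DES and RC4 entry types found,
# which the post's supported_enctypes list still hands out.
weak_enctypes() {
    printf '%s\n' "$1" \
        | grep -oE '\((des-[a-z0-9-]+|arcfour-hmac[a-z0-9-]*)\)' \
        | tr -d '()' | sort -u
}

# export_sec LINE
# Extracts the sec= value from an /etc/exports line; "sys" when no sec= is
# given, because that is what the export falls back to.
export_sec() {
    case "$1" in
        *sec=*) printf '%s\n' "$1" | sed -E 's/.*sec=([a-z0-9:]+).*/\1/' ;;
        *)      printf 'sys\n' ;;
    esac
}

# check_export LISTING FQDN REALM EXPORT_LINE
# Returns 0 only when the keytab holds nfs/FQDN@REALM and the export requires
# a Kerberos flavour; prints one finding per line either way.
check_export() {
    local listing=$1 fqdn=$2 realm=$3 line=$4 rc=0 principal sec weak
    principal="nfs/${fqdn}@${realm}"
    if keytab_has_principal "$listing" "$principal"; then
        echo "ok: keytab has $principal"
    else
        echo "fail: keytab lacks $principal (names are case-sensitive; check host and domain spelling)"
        rc=1
    fi
    sec=$(export_sec "$line")
    case "$sec" in
        *krb5p*) echo "ok: sec=$sec (authentication, integrity and privacy)" ;;
        *krb5i*) echo "ok: sec=$sec (authentication and integrity, data not encrypted)" ;;
        *krb5*)  echo "warn: sec=$sec (authentication only; data travels in the clear)" ;;
        *)       echo "fail: sec=$sec (no Kerberos on this export)"; rc=1 ;;
    esac
    weak=$(weak_enctypes "$listing")
    if [ -n "$weak" ]; then
        echo "warn: weak enctypes in keytab: $(printf '%s' "$weak" | tr '\n' ' ')"
    fi
    return "$rc"
}

# Demo on the constructed data: the keytab carries nfs/rhce1.example.com, not
# nfs/rhce1.example.local, so the check fails just as the post's ktadd would.
if check_export "$SAMPLE_KEYTAB" rhce1.example.local EXAMPLE.LOCAL "$SAMPLE_EXPORT"; then
    echo "export looks usable"
else
    echo "fix the findings above before mounting with sec=krb5"
fi
```

On a real server the listing comes from `klist -k -e /etc/krb5.keytab` and the line from `/etc/exports`; the check is read-only and does not touch the keytab.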