
NFS Kerberos mount fails with "access denied" on a client in a trusted domain

Category: ontap-9
Specialty: nas

Environment

  • ONTAP 9
  • NFS Kerberos
  • Trusted domain

Issue

  • The NFS Kerberos mount fails:
[user1@rhel ~]$ sudo mount -t nfs -o vers=4,sec=krb5p,noexec nfsserver-3.nas.ss.com.in:/vol1/q10 /tmp/q10
mount.nfs: access denied by server while mounting nfsserver-3.nas.ss.com.in:/vol1/q10
 
  • The NFS client is a member of the realms BODX.SDS.CS.COM.IN and BOD.SS.COM.IN:
[user1@rhel ~]$ realm list
BODX.SDS.CS.COM.IN
  type: kerberos
 realm-name: BODX.SDS.CS.COM.IN
  domain-name: BODX.SDS.CS.COM.IN
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy:
 
  • The NFS Kerberos LIF was created in a different domain, "BOD.SS.COM.IN":

::*> nfs kerberos interface show -vserver nfsserver-3
        Logical
Vserver     Interface    Address      Kerberos SPN
-------------- ------------- --------------- -------- -----------------------
clus-sv3   clus-sv3-if1 
               10.xx.yy.228   enabled  nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN
clus-sv3   clus-sv3-if2 
               10.xx.yy.229   enabled  nfs/clus-sv3.nas.ss.com.in@BOD.SS.COM.IN 

  • Name mappings are configured for the trusted domain "BODX.SDS.CS.COM.IN":

::*> vserver name-mapping show -vserver nfsserver-3
Vserver:   nfsserver-3
Direction: krb-unix
Position Hostname      IP Address/Mask
-------- ---------------- ----------------
1     -          -           Pattern: nfs/nfsserver-3.nas.ss.com.in@BOD.SS.COM.IN
                      Replacement: pcuser
2     -          -           Pattern: (.+)\$@BOD.SS.COM.IN
                      Replacement: root
3     -          -           Pattern: host/(.+)@BOD.SS.COM.IN
                      Replacement: root
4     -          -           Pattern: ([^/]+)@BOD.SS.COM.IN
                      Replacement: \1
5     -          -           Pattern: (.+)\$@BODX.SDS.CS.COM.IN
                      Replacement: root
6     -          -           Pattern: host/(.+)@BODX.SDS.CS.COM.IN
                      Replacement: root

  • A packet trace taken on the client shows the following:
  • The client queries DNS (10.kk.mm.5) for the NFS server hostname (nfsserver-3.nas.ss.com.in):

2081 2023-02-20 14:47:45.680 10.vv.dd.42 10.kk.mm.5     DNS    Standard query 0x20b5 A nfsserver-3.nas.ms.com.cn
2083 2023-02-20 14:47:45.680 10.kk.mm.5  10.vv.dd.42     DNS    Standard query response 0x20b5 A nfsserver-3.nas.ss.com.in A 10.xx.yy.229 A 10.xx.yy.228

  • The client obtains a TGT from the KDC using the client machine account in domain BODX.SDS.CS.COM.IN:

2182 2023-02-20 14:47:45.692 10.vv.dd.42  10.rr.pp.132 KRB5  40060,88 RHEL$ krbtgt,BODX.SDS.CS.COM.IN   AS-REQ
2185 2023-02-20 14:47:45.692 10.rr.pp.132 10.vv.dd.42  KRB5  88,40060 RHEL$ krbtgt,BODX.SDS.CS.COM.IN   AS-REP
 

  • The client attempts to obtain a TGS for the ONTAP NFS server SPN (nfs/nfsserver-3.nas.ss.com.in), which fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:

2212 2023-02-20 14:47:45.695 10.vv.dd.42  10.rr.pp.132 KRB5 40062,88  krbtgt,BODX.SDS.CS.COM.IN,nfs,nfsserver-3.nas.ss.com.in    TGS-REQ
2214 2023-02-20 14:47:45.695 10.rr.pp.132 10.vv.dd.42  KRB5 88,40062  nfs,nfsserver-3.nas.ss.com.in KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
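The following triage script is an added example and is not part of this KB article or of ONTAP. It assumes trace lines in the same layout as the excerpt above (constructed here from the article's anonymized values) and takes the realm of the server SPN from the "nfs kerberos interface show" output (BOD.SS.COM.IN); it pairs each TGS-REQ with the KDC reply that follows it and flags requests sent to a realm other than the one where the NFS SPN is registered.

```python
import re

# Constructed sample trace, modelled on the Kerberos frames quoted in this article.
TRACE = """\
2182 2023-02-20 14:47:45.692 10.vv.dd.42  10.rr.pp.132 KRB5  40060,88 RHEL$ krbtgt,BODX.SDS.CS.COM.IN   AS-REQ
2185 2023-02-20 14:47:45.692 10.rr.pp.132 10.vv.dd.42  KRB5  88,40060 RHEL$ krbtgt,BODX.SDS.CS.COM.IN   AS-REP
2212 2023-02-20 14:47:45.695 10.vv.dd.42  10.rr.pp.132 KRB5 40062,88  krbtgt,BODX.SDS.CS.COM.IN,nfs,nfsserver-3.nas.ss.com.in    TGS-REQ
2214 2023-02-20 14:47:45.695 10.rr.pp.132 10.vv.dd.42  KRB5 88,40062  nfs,nfsserver-3.nas.ss.com.in KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
"""

# Realm in which the NFS server SPN is registered, as shown by "nfs kerberos interface show".
SERVER_SPN_REALM = "BOD.SS.COM.IN"

# A TGS-REQ frame carries the TGT realm followed by the requested service and host.
TGS_REQ = re.compile(r"krbtgt,(?P<realm>[A-Z0-9.\-]+),(?P<svc>[a-z]+),(?P<host>\S+)\s+TGS-REQ")
KRB_ERR = re.compile(r"KRB Error:\s+(?P<code>\S+)")


def analyse_trace(trace, server_spn_realm):
    """Return one finding per TGS-REQ that was answered with a KRB error.

    Each finding records the frame number, the realm the ticket was requested
    from, the SPN asked for, the KDC error code, and whether the request realm
    differs from the realm where the server SPN actually lives."""
    findings = []
    pending = None  # most recent TGS-REQ still waiting for its reply
    for line in trace.splitlines():
        m = TGS_REQ.search(line)
        if m:
            pending = {
                "frame": line.split()[0],
                "realm": m["realm"],
                "spn": f"{m['svc']}/{m['host']}",
            }
            continue
        e = KRB_ERR.search(line)
        if e and pending:
            pending["error"] = e["code"]
            pending["realm_mismatch"] = pending["realm"] != server_spn_realm
            findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for f in analyse_trace(TRACE, SERVER_SPN_REALM):
        note = "requested from a realm other than the SPN realm" if f["realm_mismatch"] else ""
        print(f"frame {f['frame']}: {f['spn']} via {f['realm']} -> {f['error']} {note}")
```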
