Kerberos seems to work, but NFS refuses (((
I enabled debug on the client and the server; here is what the client tells me when
mounting with the command:
ARCHIV ~ # mount -v -t nfs4 -o'sec=krb5' archiv:/archiv-big /mnt
mount.nfs4: timeout set for Fri Nov 11 15:11:53 2011
mount.nfs4: trying text-based options
'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.6'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/archiv-big
in daemon.log:
Nov 11 15:09:53 archiv rpc.gssd[2213]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt16)
Nov 11 15:09:53 archiv rpc.gssd[2213]: handle_gssd_upcall: 'mech=krb5 uid=0 '
Nov 11 15:09:53 archiv rpc.gssd[2213]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnt16)
Nov 11 15:09:53 archiv rpc.gssd[2213]: process_krb5_upcall: service is '<null>'
Nov 11 15:09:53 archiv rpc.gssd[2213]: Full hostname for 'archiv.SAG.local' is
'archiv.sag.local'
Nov 11 15:09:53 archiv rpc.gssd[2213]: Full hostname for 'archiv.sag.local' is
'archiv.sag.local'
Nov 11 15:09:53 archiv rpc.gssd[2213]: Key table entry not found while getting
keytab entry for 'root/[email protected]'
Nov 11 15:09:53 archiv rpc.gssd[2213]: Success getting keytab entry for
'nfs/[email protected]'
Nov 11 15:09:53 archiv rpc.gssd[2213]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321043604
Nov 11 15:09:53 archiv rpc.gssd[2213]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321043604
Nov 11 15:09:53 archiv rpc.gssd[2213]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL
as credentials cache for machine creds
Nov 11 15:09:53 archiv rpc.gssd[2213]: using environment variable to select
krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 11 15:09:53 archiv rpc.gssd[2213]: creating context using fsuid 0 (save_uid
0)
Nov 11 15:09:53 archiv rpc.gssd[2213]: creating tcp client for server
archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: DEBUG: port already set to 2049
Nov 11 15:09:53 archiv rpc.gssd[2213]: creating context with server
[email protected]
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_create_default()
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_create()
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_create: name is 0x81db118
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_create: gd->name is 0x81df3f8
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_refresh()
Nov 11 15:09:53 archiv rpc.gssd[2213]: struct rpc_gss_sec:
Nov 11 15:09:53 archiv rpc.gssd[2213]: mechanism_OID: { 1 2 134 72 134 247
18 1 2 2 }
Nov 11 15:09:53 archiv rpc.gssd[2213]: qop: 0
Nov 11 15:09:53 archiv rpc.gssd[2213]: service: 1
Nov 11 15:09:53 archiv rpc.gssd[2213]: cred: 0x81e27c0
Nov 11 15:09:53 archiv rpc.gssd[2213]: req_flags: 00000002
Nov 11 15:09:53 archiv rpc.gssd[2213]: rpcsec_gss: gss_init_sec_context:
(major) Unspecified GSS failure. Minor code may provide more information -
(minor) No supported encryption types (config file error?)
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_destroy()
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_destroy_context()
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_destroy: freeing name 0x81df3f8
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_create_default: freeing name
0x81db118
Nov 11 15:09:53 archiv rpc.gssd[2213]: WARNING: Failed to create krb5 context
for user with uid 0 for server archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: WARNING: Failed to create machine krb5
context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server
archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: WARNING: Machine cache is prematurely
expired or corrupted trying to recreate cache for server archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: Full hostname for 'archiv.SAG.local' is
'archiv.sag.local'
Nov 11 15:09:53 archiv rpc.gssd[2213]: Full hostname for 'archiv.sag.local' is
'archiv.sag.local'
Nov 11 15:09:53 archiv rpc.gssd[2213]: Key table entry not found while getting
keytab entry for 'root/[email protected]'
Nov 11 15:09:53 archiv rpc.gssd[2213]: Success getting keytab entry for
'nfs/[email protected]'
Nov 11 15:09:53 archiv rpc.gssd[2213]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321043604
Nov 11 15:09:53 archiv rpc.gssd[2213]: INFO: Credentials in CC
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321043604
Nov 11 15:09:53 archiv rpc.gssd[2213]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL
as credentials cache for machine creds
Nov 11 15:09:53 archiv rpc.gssd[2213]: using environment variable to select
krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 11 15:09:53 archiv rpc.gssd[2213]: creating context using fsuid 0 (save_uid
0)
Nov 11 15:09:53 archiv rpc.gssd[2213]: creating tcp client for server
archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: DEBUG: port already set to 2049
Nov 11 15:09:53 archiv rpc.gssd[2213]: creating context with server
[email protected]
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_create_default()
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_create()
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_create: name is 0x81dfa40
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_create: gd->name is 0x81e28f0
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_refresh()
Nov 11 15:09:53 archiv rpc.gssd[2213]: struct rpc_gss_sec:
Nov 11 15:09:53 archiv rpc.gssd[2213]: mechanism_OID: { 1 2 134 72 134 247
18 1 2 2 }
Nov 11 15:09:53 archiv rpc.gssd[2213]: qop: 0
Nov 11 15:09:53 archiv rpc.gssd[2213]: service: 1
Nov 11 15:09:53 archiv rpc.gssd[2213]: cred: 0x81dff38
Nov 11 15:09:53 archiv rpc.gssd[2213]: req_flags: 00000002
Nov 11 15:09:53 archiv rpc.gssd[2213]: rpcsec_gss: gss_init_sec_context:
(major) Unspecified GSS failure. Minor code may provide more information -
(minor) No supported encryption types (config file error?)
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_destroy()
Nov 11 15:09:53 archiv rpc.gssd[2213]: in authgss_destroy_context()
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_destroy: freeing name 0x81e28f0
Nov 11 15:09:53 archiv rpc.gssd[2213]: authgss_create_default: freeing name
0x81dfa40
Nov 11 15:09:53 archiv rpc.gssd[2213]: WARNING: Failed to create krb5 context
for user with uid 0 for server archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: WARNING: Failed to create machine krb5
context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server
archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: WARNING: Failed to create machine krb5
context with any credentials cache for server archiv.SAG.local
Nov 11 15:09:53 archiv rpc.gssd[2213]: doing error downcall
Nov 11 15:09:53 archiv rpc.gssd[2213]: destroying client
/var/lib/nfs/rpc_pipefs/nfs/clnt16
As far as I understand, the main error is this:
Nov 11 15:09:53 archiv rpc.gssd[2213]: rpcsec_gss: gss_init_sec_context:
(major) Unspecified GSS failure. Minor code may provide more information -
(minor) No supported encryption types (config file error?)
But how do I beat it?
Please advise!
Kramarenko A. Maksim <[email protected]> wrote in his message of Fri, 11
Nov 2011 11:52:23 +0400:
Sooo... Thanks. I beat the encryption.
Now I'll fight NFS....
The resulting krb5.conf:
ARCHIV ~ # cat /etc/krb5.conf
[libdefaults]
default_realm = SAG.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
SAG.LOCAL = {
kdc = dc.sag.local
admin_server = dc.sag.local
default_domain = SAG.LOCAL
}
[domain_realm]
.sag.local = SAG.LOCAL
sag.local = SAG.LOCAL
The ticket is obtained correctly:
ARCHIV ~ # kinit -k -t /etc/krb5.keytab nfs/archiv.sag.local
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/[email protected]
Valid starting Expires Service principal
11/11/11 11:48:25 11/11/11 21:48:30 krbtgt/[email protected]
renew until 11/12/11 11:48:25
Dmitry A. Zhiglov <[email protected]> wrote in his message of Thu, 10
Nov 2011 23:09:40 +0400:
On 10 November 2011 at 19:30, Kramarenko A. Maksim
<[email protected]> wrote:
Folks, at least tell me which direction to dig in?
I'm already tired of this Kerberos (((
Kramarenko A. Maksim <[email protected]> wrote in his message of Tue, 08
Nov 2011 17:26:57 +0400:
This might be useful.
http://osdude.wordpress.com/2011/08/12/authenticating-unixlinux-to-windows-2008r2-part-5-kerberos-encryption-types/
Besides, the internet suggests that the user and the keytab will have to be
recreated, but you can try without that first.
--
Best regards,
Kramarenko Maksim Anatolyevich.
http://www.k-max.name/
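The quoted reply points at Kerberos encryption types, and the minor code in the gssd log literally says "No supported encryption types (config file error?)". That error means the set of enctypes left after filtering is empty. Three lists have to overlap for an nfs/ service context to come up: the keys actually stored in the keytab, the `permitted_enctypes` in `krb5.conf`, and the enctypes the consumer of the GSS context (rpc.gssd and the kernel's rpcsec_gss) is willing to use. The following Python script is an added example written for this page, not code from anyone in the thread: it parses the krb5.conf posted above and a constructed `klist -ke` listing, and computes that intersection. The keytab contents and the two "consumer" sets (`DES_ONLY_GSS`, `AES_CAPABLE_GSS`) are assumptions for illustration; the principal name is built from the `kinit -k ... nfs/archiv.sag.local` command and `default_realm = SAG.LOCAL` shown in the thread.

```python
"""Enctype-overlap check for a Kerberized NFS host (added example, not from the thread).

gss_init_sec_context() for an nfs/ principal needs a non-empty intersection of:
  1. key enctypes present in the keytab          (from `klist -ke` output)
  2. permitted_enctypes in krb5.conf [libdefaults]
  3. enctypes the GSS consumer accepts            (rpc.gssd / kernel; assumed here)
"""
import re

# MIT Kerberos accepts several spellings for the same enctype; map them to one name.
ENCTYPE_ALIASES = {
    "arcfour-hmac": "rc4-hmac",
    "arcfour-hmac-md5": "rc4-hmac",
    "rc4-hmac-md5": "rc4-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
}

# The krb5.conf posted in the thread, verbatim.
KRB5_CONF_FROM_THREAD = """\
[libdefaults]
default_realm = SAG.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
SAG.LOCAL = {
kdc = dc.sag.local
admin_server = dc.sag.local
default_domain = SAG.LOCAL
}
[domain_realm]
.sag.local = SAG.LOCAL
sag.local = SAG.LOCAL
"""

# Hypothetical corrected [libdefaults]: AES first, RC4 kept only for the transition.
KRB5_CONF_FIXED = """\
[libdefaults]
default_realm = SAG.LOCAL
permitted_enctypes = aes256-cts aes128-cts rc4-hmac
"""

# Constructed `klist -ke` output (KVNO and the AES key are assumptions).
KLIST_KE_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/archiv.sag.local@SAG.LOCAL (arcfour-hmac)
   3 nfs/archiv.sag.local@SAG.LOCAL (aes256-cts-hmac-sha1-96)
"""
NFS_PRINCIPAL = "nfs/archiv.sag.local@SAG.LOCAL"

# Assumed consumer capabilities: an old rpcsec_gss stack that speaks only DES,
# versus one that also accepts AES and RC4.
DES_ONLY_GSS = {"des-cbc-crc", "des-cbc-md5"}
AES_CAPABLE_GSS = {"aes256-cts", "aes128-cts", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"}

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def normalize(name):
    """Canonical lower-case enctype name."""
    name = name.strip().lower()
    return ENCTYPE_ALIASES.get(name, name)


def parse_libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section only."""
    section, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip()] = val.strip()
    return out


def permitted_enctypes(conf_text):
    """Set of permitted enctypes, or None when krb5.conf does not restrict them."""
    val = parse_libdefaults(conf_text).get("permitted_enctypes")
    if val is None:
        return None
    return {normalize(e) for e in re.split(r"[\s,]+", val.strip()) if e}


def parse_klist_ke(output):
    """Map principal -> set of enctypes for which the keytab holds a key."""
    entries = {}
    for line in output.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(normalize(m.group(3)))
    return entries


def usable_enctypes(principal, keytab_entries, permitted, consumer=None):
    """Enctypes a service ticket for `principal` could use; empty set == the
    'No supported encryption types' situation from the gssd log."""
    usable = set(keytab_entries.get(principal, set()))
    if permitted is not None:
        usable &= permitted
    if consumer is not None:
        usable &= {normalize(e) for e in consumer}
    return usable


if __name__ == "__main__":
    keytab = parse_klist_ke(KLIST_KE_SAMPLE)
    for label, conf, consumer in (
        ("thread config, DES-only consumer", KRB5_CONF_FROM_THREAD, DES_ONLY_GSS),
        ("fixed config, AES-capable consumer", KRB5_CONF_FIXED, AES_CAPABLE_GSS),
    ):
        ok = usable_enctypes(NFS_PRINCIPAL, keytab, permitted_enctypes(conf), consumer)
        print(f"{label}: {sorted(ok) or 'NO OVERLAP -> gss_init_sec_context would fail'}")
```

On a real host the keytab listing comes from `klist -ke /etc/krb5.keytab`. Note that restricting `permitted_enctypes` to `rc4-hmac` alone also removes AES from every negotiation on the box; RC4-HMAC is deprecated for Kerberos (RFC 8429), so the usual direction for a fix is to add the AES enctypes to the config and to the keytab rather than to narrow the list further.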
Archive: http://lists.debian.org/[email protected]