rhel6, nfs4, kerberos and a non-working mount (longish)

Zdenek Kaminski zdenek at kaminski.cz
Sunday, May 29, 10:24:12 CEST 2011


Hi,

 I am trying to get Kerberized NFSv4 working between two rhel6.1 machines. I am
following a certain well-known guide on abclinuxu.cz
(http://www.abclinuxu.cz/clanky/bezpecnost/kerberos-a-sso-sdileni-souboru-nfs4#konfigurace-kerbera).

 I have three machines:

kdc0, which serves as the Kerberos and LDAP server
knfs1, which serves as the ssh server and NFS server
kcln0, which is the client workstation.

As far as I can tell, the Kerberos configuration on kdc0, kcln0 and knfs1 is
correct, and so is the authentication mechanism. After logging in (from the
console) as the non-root user zdenek_kaminski on kcln0 I get a TGT that is
forwardable (easily verified with klist -f) and I can ssh to knfs1 without a
password. The user zdenek_kaminski is in LDAP and does not appear anywhere in
/etc/passwd. On all three machines, getent passwd and getent group show what
they should. In my opinion, though, LDAP is unrelated to the problem described
below.

So next I try, as user zdenek_kaminski, to mount the remote NFS directory. In
fstab I have

knfs1.kvm.valasske-laboratore.cz:/srv/nfs4exports  /mnt/nfs_krb5      
nfs4    rw,noauto,users,soft,sec=krb5   0 0

so I can do it as non-root. After the command 'mount /mnt/nfs_krb5' I get the message:

mount.nfs4: access denied by server while mounting
knfs1.kvm.valasske-laboratore.cz:/srv/nfs4exports

I have rpc.gssd running on kcln0 with the options -fvvv and I see:

May 29 10:10:09 kcln0 rpc.idmapd[985]: New client: 8
May 29 10:10:09 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:09 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:09 kcln0 rpc.idmapd[985]: Opened /var/lib/nfs/rpc_pipefs//nfs/clnt8/idmap
May 29 10:10:09 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:09 kcln0 rpc.gssd[1149]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
May 29 10:10:09 kcln0 rpc.idmapd[985]: New client: 9
May 29 10:10:09 kcln0 rpc.gssd[1149]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
May 29 10:10:09 kcln0 rpc.gssd[1149]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
May 29 10:10:09 kcln0 rpc.gssd[1149]: process_krb5_upcall: service is '<null>'
May 29 10:10:09 kcln0 rpc.gssd[1149]: Full hostname for 'knfs1.kvm.valasske-laboratore.cz' is 'knfs1.kvm.valasske-laboratore.cz'
May 29 10:10:09 kcln0 rpc.gssd[1149]: Full hostname for 'kcln0.kvm.valasske-laboratore.cz' is 'kcln0.kvm.valasske-laboratore.cz'
May 29 10:10:09 kcln0 rpc.gssd[1149]: No key table entry found for KCLN0.KVM.VALASSKE-LABORATORE.CZ$@KVM.VALASSKE-LABORATORE.CZ while getting keytab entry for 'KCLN0.KVM.VALASSKE-LABORATORE.CZ$@KVM.VALASSKE-LABORATORE.CZ'
May 29 10:10:10 kcln0 rpc.gssd[1149]: No key table entry found for root/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ while getting keytab entry for 'root/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ'
May 29 10:10:10 kcln0 rpc.gssd[1149]: Success getting keytab entry for 'nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ'
May 29 10:10:10 kcln0 rpc.gssd[1149]: WARNING: KDC has no support for encryption type while getting initial ticket for principal 'nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ' using keytab 'WRFILE:/etc/krb5.keytab'
May 29 10:10:10 kcln0 rpc.gssd[1149]: ERROR: No credentials found for connection to server knfs1.kvm.valasske-laboratore.cz
May 29 10:10:10 kcln0 rpc.gssd[1149]: doing error downcall
May 29 10:10:10 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3530 data 0x7fffe84e3400
May 29 10:10:10 kcln0 rpc.idmapd[985]: Stale client: 9
May 29 10:10:10 kcln0 rpc.idmapd[985]: #011-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt9/idmap
May 29 10:10:10 kcln0 rpc.idmapd[985]: Stale client: 8
May 29 10:10:10 kcln0 rpc.idmapd[985]: #011-> closed /var/lib/nfs/rpc_pipefs//nfs/clnt8/idmap
May 29 10:10:10 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:10 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:10 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:10 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:10 kcln0 rpc.gssd[1149]: dir_notify_handler: sig 37 si 0x7fffe84e3a70 data 0x7fffe84e3940
May 29 10:10:10 kcln0 rpc.gssd[1149]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8

Why does rpc.gssd on kcln0 tell me:
May 29 10:10:10 kcln0 rpc.gssd[1149]: ERROR: No credentials found for connection to server knfs1.kvm.valasske-laboratore.cz

What credentials should I have? Under user zdenek_kaminski, klist tells me:
kcln0$ klist -e
Ticket cache: FILE:/tmp/krb5cc_10000_J8cpmW
Default principal: zdenek_kaminski@KVM.VALASSKE-LABORATORE.CZ

Valid starting     Expires            Service principal
05/29/11 09:59:10  05/29/11 19:59:10  krbtgt/KVM.VALASSKE-LABORATORE.CZ@KVM.VALASSKE-LABORATORE.CZ
	renew until 05/30/11 09:59:10, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
05/29/11 09:59:17  05/29/11 19:59:10  host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ
	renew until 05/30/11 09:59:10, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1


On knfs1 I have rpc.svcgssd running with the options -fvvvrrriii and it stays silent.

In /etc/krb5.keytab on knfs1 I have:

knfs1# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-crc)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-crc)


In my opinion the host/knfs.. entries are needed only for ssh, and the nfs
entries are needed for the NFS server. One occasionally reads on the Internet
that nfsv4+kerberos supports only des-cbc-crc, but supposedly it does no harm
to have more keys in the keytab.

On kcln0 I then have:
kcln0# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-crc)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-crc)

And finally, in /var/kerberos/krb5kdc/kdc.conf on kdc0 I have, among other things:
  master_key_type = des-cbc-crc
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal


Could someone please point me in the right direction?

Z.K.
--
Wallachian Laboratories? Freeride in UN*X systems...
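An added diagnostic (my own example, not code from the post or from the abclinuxu guide): it parses `klist -ke` output and the `supported_enctypes` line of kdc.conf and reports, per principal, which enctypes the client keytab and the KDC have in common, dropping single-DES unless `allow_weak_crypto` is on, which is how the libkrb5 shipped with RHEL 6 (MIT krb5 1.8 and later) treats those enctypes by default. The keytab listing and kdc.conf fragment are constructed samples mirroring the kcln0 data in the post; the `check_principal` helper and its return strings are mine.

```python
import re

# Single-DES enctypes that MIT krb5 1.8+ (the libkrb5 on RHEL 6) will not use
# unless [libdefaults] has allow_weak_crypto = true.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}
# Aliases MIT krb5 accepts for the same enctype; normalise to one name.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
           "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}

# Constructed sample input mirroring the kcln0 keytab and the kdc0 kdc.conf
# from the post (the last keytab line is deliberately mail-wrapped).
KCLN0_KEYTAB = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-crc)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ
(des-cbc-crc)
"""
KDC_CONF = "  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal\n"

def canon(etype):
    e = etype.strip().lower()
    return ALIASES.get(e, e)

def parse_keytab_listing(text):
    """'klist -ke' output -> {principal: set(enctypes)}; tolerates the
    mail-wrapped form where '(enctype)' has been pushed to the next line."""
    joined = re.sub(r"\n\s*\(", " (", text)
    keys = {}
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\((\S+)\)\s*$", joined, re.M):
        keys.setdefault(m.group(1), set()).add(canon(m.group(2)))
    return keys

def parse_supported_enctypes(kdc_conf):
    """The KDC's supported_enctypes list with the ':salt' suffixes stripped."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.M)
    return {canon(tok.split(":")[0]) for tok in m.group(1).split()} if m else set()

def check_principal(principal, keytab_text, kdc_conf_text, allow_weak_crypto=False):
    """Which enctypes gssd could actually use for an AS request with this key."""
    keys = parse_keytab_listing(keytab_text)
    if principal not in keys:
        return "no keytab entry for %s" % principal
    usable = keys[principal] & parse_supported_enctypes(kdc_conf_text)
    if not allow_weak_crypto:
        usable -= WEAK_ENCTYPES       # client libkrb5 refuses single-DES
    if usable:
        return "ok: %s" % ",".join(sorted(usable))
    return "no usable enctype for %s (keytab has: %s)" % (
        principal, ",".join(sorted(keys[principal])))
```

On real hosts, feed it the output of `klist -ke /etc/krb5.keytab` from the client and the `supported_enctypes` line from the KDC; an "ok" for host/ but "no usable enctype" for nfs/ matches the pattern in the rpc.gssd trace above, where only the nfs/ key fails with "KDC has no support for encryption type".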
