rhel6, nfs4, kerberos and a non-working mount (longish)

Zdenek Kaminski zdenek@kaminski.cz
Mon May 30 11:11:44 CEST 2011


Hi,

 so I've got a bit further:

> The supported_enctypes setting looks fine. The question is whether the KDC (and
> the client) take it into account when allow_weak_crypto is not set.

Hmm, this didn't help...

> but rpc.gssd can't use it to log in to the KDC and obtain a ticket, and the
> reason is that the KDC rejects the enctype (des-cbc-crc).

I gave up on the general advice that nfsv4 only supports des-cbc-crc. I
recreated the database on kdc0 with the following in kdc.conf:

supported_enctypes = aes256-cts:normal aes128-cts:normal
des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
des-cbc-md5:normal des-cbc-crc:normal

In other words, exactly what the default config file in RHEL6.1 assumes.

I recreated the corresponding principals and imported them into the
respective krb5.keytab files. They now look like this:


knfs1# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes256-cts-hmac-sha1-96)
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes128-cts-hmac-sha1-96)
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (arcfour-hmac)
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-hmac-sha1)
   2 nfs/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-md5)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes256-cts-hmac-sha1-96)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes128-cts-hmac-sha1-96)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (arcfour-hmac)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-hmac-sha1)
   2 host/knfs1.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-md5)

kcln0# klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes256-cts-hmac-sha1-96)
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes128-cts-hmac-sha1-96)
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (arcfour-hmac)
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-hmac-sha1)
   2 host/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-md5)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes256-cts-hmac-sha1-96)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (aes128-cts-hmac-sha1-96)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des3-cbc-sha1)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (arcfour-hmac)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-hmac-sha1)
   2 nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ (des-cbc-md5)

And when I try to mount I get the following message:
kcln0$ mount /mnt/nfs_krb5
mount.nfs4: mounting knfs1.kvm.valasske-laboratore.cz:/srv/nfs4exports
failed, reason given by server:
  No such file or directory

In /var/log/messages on knfs1 I see:
May 30 10:57:13 knfs1 rpc.svcgssd[1043]: leaving poll
May 30 10:57:13 knfs1 rpc.svcgssd[1043]: handling null request
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: sname = nfs/kcln0.kvm.valasske-laboratore.cz@KVM.VALASSKE-LABORATORE.CZ
May 30 10:57:14 knfs1 nslcd[952]: [52255a] nslcd_passwd_byname(nfs/kcln0.kvm.valasske-laboratore.cz): invalid user name
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: DEBUG: serialize_krb5_ctx: lucid version!
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: prepare_krb5_rfc4121_buffer: protocol 1
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: doing downcall
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: mech: krb5, hndl len: 4, ctx len 52, timeout: 1306781833 (35999 from now), clnt: nfs@kcln0.kvm.valasske-laboratore.cz, uid: -1, gid: -1, num aux grps: 0:
May 30 10:57:14 knfs1 kernel: Intel AES-NI instructions are not detected.
May 30 10:57:14 knfs1 kernel: padlock: VIA PadLock not detected.
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: sending null reply
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: writing message: \x
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: finished handling null request
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: entering poll
May 30 10:57:14 knfs1 rpc.idmapd[1106]: nfsdcb: authbuf=gss/krb5 authtype=user
May 30 10:57:14 knfs1 rpc.idmapd[1106]: Server : (user) id "0" -> name "root@kvm.valasske-laboratore.cz"
May 30 10:57:14 knfs1 rpc.idmapd[1106]: nfsdcb: authbuf=gss/krb5 authtype=group
May 30 10:57:14 knfs1 rpc.idmapd[1106]: Server : (group) id "0" -> name "root@kvm.valasske-laboratore.cz"

So I'd say I already have a ticket and everything went fine with the KDC.

But why does nslcd tell me:
May 30 10:57:14 knfs1 nslcd[952]: [52255a] nslcd_passwd_byname(nfs/kcln0.kvm.valasske-laboratore.cz): invalid user name

? Of course I don't have any nfs/kcln0... in LDAP. There's only the user
zdenek_kaminski. And is that even the reason why it then won't mount?

Could you give me another nudge in this direction? I somehow couldn't find
out anything more about it overnight or this morning :-(


Z.K.
--
Wallachian Laboratories? Freeride in UN*X systems...
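As an added diagnostic aid (not part of the original post, and not code from nfs-utils, MIT Kerberos or nslcd): a small Python script that parses `klist -ke` output and the rpc.svcgssd/nslcd syslog lines of the kind quoted above. It reports nfs/ or host/ keys missing from a keytab and KVNOs that disagree between entries of one principal, and summarises the GSS null request: the enctype of the key svcgssd serialised, whether that is single DES, which service principals nslcd was asked to resolve as users, and whether the request ran through to the downcall and completion. Hostnames, realm and the sample texts are constructed.

```python
import re

# Constructed sample input, modelled on the klist -ke and syslog excerpts in
# the post above (hostnames and realm replaced with example.test values).
KLIST_OUT = """\
KVNO Principal
---- ------------------------------------------------------------
   2 nfs/knfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 nfs/knfs1.example.test@EXAMPLE.TEST (des-cbc-md5)
   2 host/knfs1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""
SVCGSSD_LOG = """\
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: handling null request
May 30 10:57:14 knfs1 nslcd[952]: [52255a] nslcd_passwd_byname(nfs/kcln0.example.test): invalid user name
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: doing downcall
May 30 10:57:14 knfs1 rpc.svcgssd[1043]: finished handling null request
"""
# Kerberos enctype numbers (RFC 3961/3962/4757, MIT) -> names as klist prints them.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
SINGLE_DES = {1, 3, 8}  # the enctypes the thread feared NFSv4 might be limited to
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_keytab(text):
    """Map (principal, enctype) -> KVNO from `klist -ke` output; header lines are skipped."""
    return {(m.group(2), m.group(3)): int(m.group(1))
            for m in map(KLIST_RE.match, text.splitlines()) if m}

def keytab_issues(keytab, fqdn, realm):
    """Report KVNO disagreements per principal and missing nfs/ or host/ keys for fqdn."""
    kvnos = {}
    for (princ, _enc), kvno in keytab.items():
        kvnos.setdefault(princ, set()).add(kvno)
    issues = ["mixed KVNOs for %s" % p for p, k in kvnos.items() if len(k) > 1]
    issues += ["missing %s/%s@%s" % (s, fqdn, realm) for s in ("nfs", "host")
               if "%s/%s@%s" % (s, fqdn, realm) not in kvnos]
    return issues

def null_request_summary(log):
    """Extract what the rpc.svcgssd/nslcd lines of one GSS null request tell us."""
    out = {"enctype": None, "single_des": None, "service_lookups": [],
           "downcall": False, "completed": False}
    for line in log.splitlines():
        m = re.search(r"serializing key with enctype (\d+)", line)
        if m:
            out["enctype"] = ENCTYPES.get(int(m.group(1)), "unknown")
            out["single_des"] = int(m.group(1)) in SINGLE_DES
        m = re.search(r"nslcd_passwd_byname\(([^)]+)\): invalid user name", line)
        if m and "/" in m.group(1):  # a service principal, not an LDAP user
            out["service_lookups"].append(m.group(1))
        out["downcall"] |= "doing downcall" in line
        out["completed"] |= "finished handling null request" in line
    return out
```

Run `keytab_issues(parse_keytab(open("/tmp/klist.txt").read()), fqdn, realm)` against a saved `klist -ke` listing and `null_request_summary` against the matching slice of /var/log/messages to separate the Kerberos/GSS stage from the export and idmapd stage.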