Russ Allbery <r...@debian.org> wrote in his message of Tue, 15 Nov 2011 09:54:29 +0400:
"Kramarenko A. Maxim" <mc-si...@ya.ru> writes:
It would be more interesting to run klist -e after attempting to contact
the server, so that you can see what the encryption type of the service
ticket for the NFS server was.
on client:
root@debian:~# kinit -k nfs/debian.sag.local
root@debian:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 09:27:22 11/15/11 19:27:30 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
No, this is the TGT for the client's principal. Rather than running klist
-e immediately after obtaining credentials, run kinit and then try to
access NFS (so that rpc.gssd will obtain a service ticket for the server)
and *then* run klist -e and look at what encryption type the service
ticket for nfs/archiv.sag.local@SAG.LOCAL has.
It's done.
On client mount and klist:
root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path: "/etc/mtab"
mount: lock path: "/etc/mtab~"
mount: temp path: "/etc/mtab.tmp"
mount: UID: 0
mount: eUID: 0
mount: spec: "archiv:/nfs"
mount: node: "/mnt2"
mount: types: "nfs4"
mount: opts: "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/nfs"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Tue Nov 15 11:09:25 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
root@debian:~# ls -la /tmp/
итого 8
drwxrwxrwt 4 root root 100 Ноя 15 11:07 .
drwxr-xr-x 24 root root 4096 Ноя 14 16:55 ..
drwxrwxrwt 2 root root 40 Ноя 14 12:28 .ICE-unix
-rw------- 1 root root 2444 Ноя 15 11:07 krb5cc_machine_SAG.LOCAL
drwxrwxrwt 2 root root 40 Ноя 14 12:28 .X11-unix
root@debian:~# klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 11:07:25 11/15/11 21:07:28 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
11/15/11 11:07:28 11/15/11 21:07:28 nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
On NFS server:
ARCHIV ~ # ls -la /tmp/
итого 8
drwxrwxrwt 2 root root 4096 Ноя 15 10:41 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
ARCHIV ~ # ps aux | grep rpc
root 805 0.0 0.0 2308 920 ? Ss 00:03 0:00 /sbin/rpcbind -w
root 827 0.0 0.0 0 0 ? S< 00:03 0:00 [rpciod]
root 2089 0.0 0.0 3676 1556 ? Ss 11:04 0:00 /usr/sbin/rpc.svcgssd yes
root 2091 0.0 0.0 2668 636 ? Ss 11:04 0:00 /usr/sbin/rpc.mountd --manage-gids
statd 2132 0.0 0.0 2376 1056 ? Ss 11:05 0:00 /sbin/rpc.statd
root 2144 0.0 0.0 2612 392 ? Ss 11:05 0:00 /usr/sbin/rpc.idmapd
root 2148 0.0 0.0 3440 616 ? Ss 11:05 0:00 /usr/sbin/rpc.gssd -vvv
root 2158 0.0 0.0 3464 752 pts/0 S+ 11:09 0:00 grep --colour=auto rpc
ARCHIV ~ # tail /var/log/daemon.log
Nov 15 11:04:51 archiv rpc.mountd[1962]: Caught signal 15, un-registering and exiting.
Nov 15 11:04:52 archiv rpc.mountd[2091]: Version 1.2.4 starting
Nov 15 11:04:59 archiv rpc.gssd[2010]: exiting on signal 15
Nov 15 11:04:59 archiv rpc.statd[1994]: Caught signal 15, un-registering and exiting
Nov 15 11:05:00 archiv rpc.statd[2132]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Already notifying clients; Exiting!
Nov 15 11:05:00 archiv rpc.gssd[2148]: beginning poll
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
On the server, /tmp/krb5cc_machine_REALM has not been established.
When I tried to mount the exported directory "locally" on the NFS server,
the file was created:
ARCHIV ~ # mount -v -t nfs4 -o sec=krb5 archiv:/nfs /mnt
mount.nfs4: timeout set for Tue Nov 15 11:14:04 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.6'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
ARCHIV ~ # ls -la /tmp/
итого 12
drwxrwxrwt 2 root root 4096 Ноя 15 11:12 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
-rw------- 1 root root 2444 Ноя 15 11:12 krb5cc_machine_SAG.LOCAL
ARCHIV ~ # klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/archiv.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 11:12:04 11/15/11 21:12:09 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
11/15/11 11:12:09 11/15/11 21:12:09 nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
--
Best Regards
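
Added example, not part of the original message: a small parser for the `klist -e` output shown in this thread that lists the enctypes of each ticket and flags service tickets using an enctype outside a set the caller says the acceptor supports. The function names and the `acceptor_etypes` set are assumptions for illustration; the thread does not state which enctypes the server accepts.

```python
import re

# Older klist builds print long descriptions; map them to the short enctype name.
ALIASES = {"arcfour with hmac/md5": "arcfour-hmac"}
# Timestamp format as printed in this thread (MM/DD/YY HH:MM:SS).
TS = r"\d\d/\d\d/\d\d\s+\d\d:\d\d:\d\d"
TICKET = re.compile(rf"^{TS}\s+{TS}\s+(\S+)$")
ETYPE = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(.+)$")

def normalise(name):
    name = " ".join(name.split()).lower()
    return ALIASES.get(name, name)

def parse_klist_e(text):
    """Return [(service_principal, skey_etype, tkt_etype)] from `klist -e` output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    tickets, i = [], 0
    while i < len(lines):
        m = TICKET.match(lines[i])
        i += 1
        if not m:
            continue
        detail = []  # lines up to the next ticket, so hard-wrapped Etype lines rejoin
        while i < len(lines) and not TICKET.match(lines[i]):
            detail.append(lines[i])
            i += 1
        e = ETYPE.search(" ".join(detail))
        if e:
            tickets.append((m.group(1), normalise(e.group(1)), normalise(e.group(2))))
    return tickets

def mismatched_service_tickets(text, acceptor_etypes):
    """Service tickets (TGTs skipped) whose skey or tkt enctype is not accepted."""
    return [t for t in parse_klist_e(text)
            if not t[0].startswith("krbtgt/")
            and not {t[1], t[2]} <= set(acceptor_etypes)]

# Constructed sample based on the client cache above; it mixes both enctype
# name forms seen in the thread and keeps the hard-wrapped Etype lines.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting Expires Service principal
11/15/11 11:07:25 11/15/11 21:07:28 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
11/15/11 11:07:28 11/15/11 21:07:28 nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
"""
```

Calling `mismatched_service_tickets(SAMPLE, {...})` with the enctypes the acceptor is known to handle returns the `nfs/` tickets worth checking against the "No supported encryption types" error.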