
Bug#622146: nfs-kernel-server: error Encryption type not permitted



Russ Allbery <rra@debian.org> wrote in his message of Tue, 15 Nov 2011 09:54:29 +0400:

"Kramarenko A. Maxim" <mc-sim85@ya.ru> writes:

It would be more interesting to run klist -e after attempting to contact
the server, so that you can see what the encryption type of the service
ticket for the NFS server was.

on client:

root@debian:~# kinit -k  nfs/debian.sag.local
root@debian:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 09:27:22  11/15/11 19:27:30  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

No, this is the TGT for the client's principal. Rather than running klist
-e immediately after obtaining credentials, run kinit and then try to
access NFS (so that rpc.gssd will obtain a service ticket for the server)
and *then* run klist -e and look at what encryption type the service
ticket for nfs/archiv.sag.local@SAG.LOCAL has.


It's done.
On client mount and klist:

root@debian:~# mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "archiv:/nfs"
mount: node:  "/mnt2"
mount: types: "nfs4"
mount: opts:  "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/nfs"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Tue Nov 15 11:09:25 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
root@debian:~# ls -la /tmp/
итого 8
drwxrwxrwt  4 root root  100 Ноя 15 11:07 .
drwxr-xr-x 24 root root 4096 Ноя 14 16:55 ..
drwxrwxrwt  2 root root   40 Ноя 14 12:28 .ICE-unix
-rw-------  1 root root 2444 Ноя 15 11:07 krb5cc_machine_SAG.LOCAL
drwxrwxrwt  2 root root   40 Ноя 14 12:28 .X11-unix
root@debian:~# klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 11:07:25  11/15/11 21:07:28  krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
11/15/11 11:07:28  11/15/11 21:07:28  nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac, arcfour-hmac


On NFS server:
ARCHIV ~ # ls -la /tmp/
итого 8
drwxrwxrwt  2 root root 4096 Ноя 15 10:41 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
ARCHIV ~ # ps aux | grep rpc
root 805 0.0 0.0 2308 920 ? Ss 00:03 0:00 /sbin/rpcbind -w
root       827  0.0  0.0      0     0 ?        S<   00:03   0:00 [rpciod]
root 2089 0.0 0.0 3676 1556 ? Ss 11:04 0:00 /usr/sbin/rpc.svcgssd yes
root 2091 0.0 0.0 2668 636 ? Ss 11:04 0:00 /usr/sbin/rpc.mountd --manage-gids
statd 2132 0.0 0.0 2376 1056 ? Ss 11:05 0:00 /sbin/rpc.statd
root 2144 0.0 0.0 2612 392 ? Ss 11:05 0:00 /usr/sbin/rpc.idmapd
root 2148 0.0 0.0 3440 616 ? Ss 11:05 0:00 /usr/sbin/rpc.gssd -vvv
root 2158 0.0 0.0 3464 752 pts/0 S+ 11:09 0:00 grep --colour=auto rpc
ARCHIV ~ # tail /var/log/daemon.log
Nov 15 11:04:51 archiv rpc.mountd[1962]: Caught signal 15, un-registering and exiting.
Nov 15 11:04:52 archiv rpc.mountd[2091]: Version 1.2.4 starting
Nov 15 11:04:59 archiv rpc.gssd[2010]: exiting on signal 15
Nov 15 11:04:59 archiv rpc.statd[1994]: Caught signal 15, un-registering and exiting
Nov 15 11:05:00 archiv rpc.statd[2132]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Version 1.2.4 starting
Nov 15 11:05:00 archiv sm-notify[2133]: Already notifying clients; Exiting!
Nov 15 11:05:00 archiv rpc.gssd[2148]: beginning poll
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)
Nov 15 11:07:28 archiv rpc.svcgssd[2089]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure. Minor code may provide more information) - No supported encryption types (config file error?)

On the server, /tmp/krb5cc_machine_REALM has not been established.
When I tried to mount the exported directory "locally" on the NFS server, the file was created:

ARCHIV ~ #  mount -v -t nfs4 -o sec=krb5 archiv:/nfs /mnt
mount.nfs4: timeout set for Tue Nov 15 11:14:04 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.6'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
ARCHIV ~ # ls -la /tmp/
итого 12
drwxrwxrwt  2 root root 4096 Ноя 15 11:12 .
drwxr-xr-x 24 root root 4096 Ноя 14 23:56 ..
-rw-------  1 root root 2444 Ноя 15 11:12 krb5cc_machine_SAG.LOCAL
ARCHIV ~ # klist -e /tmp/krb5cc_machine_SAG.LOCAL
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 11:12:04  11/15/11 21:12:09  krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
11/15/11 11:12:09  11/15/11 21:12:09  nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:12:04, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


--
Best Regards
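
The check Russ Allbery describes (read the enctype of the NFS service ticket, not of the TGT), as an added example that is not part of the original message: it parses `klist -e` output, including wrapped Etype lines, and compares the service ticket with a set of enctypes the server is assumed to accept. The function names and the `accepted` set are assumptions for illustration; the sample text is constructed.

```python
import re
# Constructed sample shaped like klist -e output; the first Etype entry is line-wrapped.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_machine_SAG.LOCAL
Default principal: nfs/debian.sag.local@SAG.LOCAL
Valid starting     Expires            Service principal
11/15/11 11:07:25  11/15/11 21:07:28  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/16/11 11:07:25, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
11/15/11 11:07:28  11/15/11 21:07:28  nfs/archiv.sag.local@SAG.LOCAL
renew until 11/16/11 11:07:25, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")
ETYPE = re.compile(r"Etype \(skey, tkt\):\s*(.*)$")
ALIASES = {"arcfour with hmac/md5": "arcfour-hmac"}  # long and short name of one enctype

def normalise(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def parse_klist(text):
    """Map each service principal to its (session key, ticket) enctypes."""
    tickets, current, pending = {}, None, None
    for line in text.splitlines():
        ticket = TICKET.match(line.strip())
        etype = ETYPE.search(line)
        if ticket:
            current, pending = ticket.group(1), None
            continue
        if etype and current:
            pending = etype.group(1).strip()
        elif pending is not None and line.strip():
            pending += " " + line.strip()  # continuation of a wrapped entry
        else:
            continue
        parts = [normalise(p) for p in pending.split(",") if p.strip()]
        if len(parts) == 2:
            tickets[current], pending = (parts[0], parts[1]), None
    return tickets

def check_service_ticket(text, service, accepted):
    """Check the ticket for `service`, never the TGT, against `accepted` (assumed server list)."""
    for principal, (skey, tkt) in parse_klist(text).items():
        if principal.startswith(service) and not principal.startswith("krbtgt/"):
            return {"principal": principal, "skey": skey, "tkt": tkt,
                    "accepted": skey in accepted and tkt in accepted}
    return None  # only a TGT so far: nothing has contacted the server yet
```

A `None` result corresponds to the first `klist -e` run in the thread, where the cache held only the TGT because no mount had been attempted yet.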


