Good day to all!
I'm trying to set up an NFS server and client with Kerberos (KDC: Active Directory on Win 2k8 R2 running in Win 2k3 forest mode).
I can't get it to work...
What has been done:
1. NFS server and client set up on Debian 6.0.3:
===========================================
ARCHIV ~ # dpkg -l | grep nfs
ii libnfsidmap2 0.23-2 An nfs idmapping library
ii nfs-common 1:1.2.2-4 NFS support files common to client and server
ii nfs-kernel-server 1:1.2.2-4 support for NFS kernel server
ARCHIV ~ # grep -v "^#" /etc/default/nfs-common
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
RPCGSSDOPTS="-vvv"
ARCHIV ~ # grep -v "^#" /etc/default/nfs-kernel-server
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=-vvv
ARCHIV ~ # grep -v "^#" /etc/exports
/archiv-small *(rw,fsid=0,sync,nohide,no_subtree_check,crossmnt)
/archiv-small gss/krb5(rw,fsid=0,sync,nohide,no_subtree_check,crossmnt)
/archiv-small gss/krb5i(rw,fsid=0,sync,nohide,no_subtree_check,crossmnt)
/archiv-small gss/krb5p(rw,fsid=0,sync,nohide,no_subtree_check,crossmnt)
/archiv-big gss/krb5(rw,sync,nohide,no_subtree_check,crossmnt)
ARCHIV ~ # ls -dla /ar*
drwxrwxrwt 4 root root 4096 Окт 21 11:55 /archiv-big
drwxrwxrwt 4 root root 4096 Ноя 6 00:02 /archiv-small
ARCHIV ~ # grep 2049 /etc/services
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
ARCHIV ~ # rpcinfo -p
прог-ма верс прото порт
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 47473 status
100024 1 tcp 34738 status
100021 1 udp 56591 nlockmgr
100021 3 udp 56591 nlockmgr
100021 4 udp 56591 nlockmgr
100021 1 tcp 44284 nlockmgr
100021 3 tcp 44284 nlockmgr
100021 4 tcp 44284 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100005 1 udp 58700 mountd
100005 1 tcp 54404 mountd
100005 2 udp 58700 mountd
100005 2 tcp 54404 mountd
100005 3 udp 58700 mountd
100005 3 tcp 54404 mountd
===========================================
Without Kerberos, mounting works perfectly, both from a local client and from a remote one:
===========================================
ARCHIV ~ # mount archiv:/archiv-small /mnt
ARCHIV ~ # mount | grep arc
/dev/sdb1 on /archiv-big type ext4 (rw,noexec,nosuid)
/dev/sdc1 on /archiv-small type ext4 (rw,noexec,nosuid)
archiv:/archiv-small on /mnt type nfs (rw,addr=127.0.1.1)
===========================================
2. Setting up Kerberos (following the guide: http://nfsworld.blogspot.com/2005_06_01_archive.html,
as well as https://help.ubuntu.com/community/NFSv4Howto and http://wiki.debian.org/NFS/Kerberos, and lots and lots of googling):
2.1. A user nfssrv was created in AD. In its properties the checkbox
"Use Kerberos DES encryption types for this account" was set (also tried without it),
and a non-expiring password that the user cannot change was set.
2.2. A keytab was created on the domain controller with the command:
==============================================
C:\tmp>ktpass -princ nfs/archiv.sag.local@SAG.LOCAL -mapuser SAG\nfssrv -pass ****** -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
Targeting domain controller: DC.sag.local
Using legacy password setting method
Successfully mapped nfs/archiv.sag.local to nfssrv.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 65 nfs/archiv.sag.local@SAG.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etyp
e 0x17 (RC4-HMAC) keylength 16 (0x21b0dfb3f9419b0c2017d54225c13f12)
and also tried:
C:\tmp>ktpass -princ nfs/archiv.sag.local@SAG.LOCAL -crypto ALL -mapuser SAG\nfssrv -pass ****** -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
===============================================
2.3. The keytab was placed on Debian at /etc/krb5.keytab:
==============================================
ARCHIV ~ # ls -la /etc/krb5.k*
-rw-r--r-- 1 root root 71 Ноя 8 09:41 /etc/krb5.keytab
2.4. MIT Kerberos client packages installed:
===========================================
ARCHIV ~ # dpkg -l | grep krb
ii krb5-config 2.2 Configuration files for Kerberos Version 5
ii krb5-user 1.8.3+dfsg-4squeeze2 Basic programs to authenticate using MIT Kerberos
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libkrb5support0 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - Support library
===========================================
2.5. /etc/krb5.conf configured:
==========================================
[libdefaults]
default_realm = SAG.LOCAL
# Sounds like NFS v4 doesn't support stronger encryption types than DES.
# You'll need to add:
allow_weak_crypto = true
[realms]
SAG.LOCAL = {
kdc = dc.sag.local
admin_server = dc.sag.local
default_domain = SAG.LOCAL
}
[domain_realm]
.sag.local = SAG.LOCAL
sag.local = SAG.LOCAL
==========================================
Also tried specifying in it:
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
but to no avail.
2.6. Tickets are obtained correctly:
==========================================
ARCHIV ~ # kinit -V user
Password for user@SAG.LOCAL:
Authenticated to Kerberos v5
ARCHIV ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@SAG.LOCAL
Valid starting Expires Service principal
11/08/11 12:35:21 11/08/11 22:35:25 krbtgt/SAG.LOCAL@SAG.LOCAL
renew until 11/09/11 12:35:21
ARCHIV ~ # kdestroy
ARCHIV ~ # klist -e -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 nfs/archiv.sag.local@SAG.LOCAL (ArcFour with HMAC/md5)
The problem: IT DOES NOT MOUNT, period....
=========================================
ARCHIV ~ # mount -t nfs4 -o sec=krb5 archiv:/archiv-small /mnt
mount.nfs4: access denied by server while mounting archiv:/archiv-small
=========================================
The following lands in the log when mounting:
Nov 8 13:49:42 archiv rpc.gssd[2066]: rpcsec_gss: debug level is 3
Nov 8 13:49:42 archiv rpc.gssd[2067]: beginning poll
Nov 8 13:50:01 archiv mountd[2024]: authenticated unmount request from 127.0.1.1:980 for /archiv-small (/archiv-small)
Nov 8 13:50:01 archiv rpc.gssd[2067]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt16
Nov 8 13:50:01 archiv rpc.gssd[2067]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt15
Nov 8 13:50:01 archiv rpc.gssd[2067]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14
Nov 8 13:50:10 archiv rpc.gssd[2067]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 8 13:50:10 archiv rpc.gssd[2067]: handle_gssd_upcall: 'mech=krb5 uid=0 '
Nov 8 13:50:10 archiv rpc.gssd[2067]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt17)
Nov 8 13:50:10 archiv rpc.gssd[2067]: process_krb5_upcall: service is '<null>'
Nov 8 13:50:10 archiv rpc.gssd[2067]: Full hostname for 'archiv.SAG.local' is 'archiv.sag.local'
Nov 8 13:50:10 archiv rpc.gssd[2067]: Full hostname for 'archiv.sag.local' is 'archiv.sag.local'
Nov 8 13:50:10 archiv rpc.gssd[2067]: Key table entry not found while getting keytab entry for 'root/archiv.sag.local@SAG.LOCAL'
Nov 8 13:50:10 archiv rpc.gssd[2067]: Success getting keytab entry for 'nfs/archiv.sag.local@SAG.LOCAL'
Nov 8 13:50:10 archiv rpc.gssd[2067]: WARNING: KDC has no support for encryption type while getting initial ticket for principal 'nfs/archiv.sag.local@SAG.LOCAL' using keytab 'WRFILE:/etc/krb5.keytab'
Nov 8 13:50:10 archiv rpc.gssd[2067]: ERROR: No credentials found for connection to server archiv.SAG.local
Nov 8 13:50:10 archiv rpc.gssd[2067]: doing error downcall
Nov 8 13:50:10 archiv rpc.gssd[2067]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt17
Please help me figure this out!!!
--------------
Regards.
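The log above shows rpc.gssd finding the nfs/ keytab entry and then failing to obtain a ticket with it: the keytab holds only an ArcFour (RC4-HMAC) key, while the NFS GSS module of the 2.6.32 kernel that Debian 6 ships handles only DES enctypes, and a DES key in turn needs allow_weak_crypto on the libkrb5 side. Below is an added checker, not the poster's code, that parses a `klist -e -k` listing and a krb5.conf and reports which of those conditions fails; the kernel enctype set and the sample inputs are constructed assumptions.

```python
import re

# Enctype names as `klist -e -k` prints them that the rpcsec_gss_krb5 module
# of a 2.6.32-era kernel (Debian 6) accepts: DES only, no ArcFour or AES.
KERNEL_2632_ENCTYPES = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5"}
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_klist(text):
    """Return [(kvno, principal, enctype)] parsed from `klist -e -k` output."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out

def allow_weak_crypto(krb5_conf):
    """True if [libdefaults] in the krb5.conf text sets allow_weak_crypto = true."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "allow_weak_crypto":
                return val.strip().lower() in ("true", "yes", "1")
    return False

def check_nfs_keytab(klist_text, krb5_conf, host_fqdn, kernel_enctypes=KERNEL_2632_ENCTYPES):
    """Return a list of problems; an empty list means rpc.gssd can use the keytab."""
    nfs = [e for e in parse_klist(klist_text) if e[1].startswith(f"nfs/{host_fqdn}@")]
    if not nfs:
        return [f"no nfs/{host_fqdn} principal in keytab"]
    usable = [e for e in nfs if e[2] in kernel_enctypes]
    if not usable:
        have = ", ".join(sorted({e[2] for e in nfs}))
        return [f"keytab has only [{have}]; kernel GSS needs one of {sorted(kernel_enctypes)}"]
    # A DES key is only usable if libkrb5 is allowed to touch weak enctypes.
    if any(e[2].startswith("DES ") for e in usable) and not allow_weak_crypto(krb5_conf):
        return ["DES key present but allow_weak_crypto is not true in [libdefaults]"]
    return []

# Constructed samples mirroring the post's keytab listing and krb5.conf.
SAMPLE_KLIST = ("Keytab name: WRFILE:/etc/krb5.keytab\nKVNO Principal\n---- ----\n"
                "   5 nfs/archiv.sag.local@SAG.LOCAL (ArcFour with HMAC/md5)\n")
SAMPLE_KRB5_CONF = "[libdefaults]\ndefault_realm = SAG.LOCAL\nallow_weak_crypto = true\n"
```

Passing a different `kernel_enctypes` set models a newer kernel; with ArcFour in that set the post's keytab passes the check unchanged.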