Arno Schuring <aelschur...@hotmail.com> wrote in their message of Tue, 15 Nov 2011 03:30:54 +0400:

Kramarenko A. Maksim (mc....@k-max.name on 2011-11-14 13:02 +0400):
Hello, All!
Tired of "fighting" with Kerberos.
For the second week I cannot properly configure the NFSv4 server and
domain on Win 2k8 R2 via Kerberos. The kinit command, etc. work properly
and get tickets from the KDC:

=============================
...daemon.log.....
Nov 8 13:50:10 archiv rpc.gssd[2067]: WARNING: KDC has no support for encryption type while getting initial ticket for principal 'nfs/archiv.sag.local@SAG.LOCAL' using keytab

If this is the cause, and it seems to be, then your kernel is simply too
old. The default kernel in Squeeze only supports des-cbc encryption for
NFS, and that is deprecated. On Linux systems the workaround is to
specify allow_weak_crypto in krb5.conf, but I'm not aware of a
workaround for Windows.

Maybe try a newer kernel, e.g. from backports?


Regards,
Arno


Thanks for the answer.
Arno,
I upgraded the kernel and NFS (nfs-common and nfs-kernel-server) from backports,
but now I have the following error when mounting:
ARCHIV ~ # uname -a
Linux ARCHIV 2.6.39-bpo.2-686-pae #1 SMP Thu Aug 4 11:02:22 UTC 2011 i686 GNU/Linux
client:
==============
root@debian:~#  mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2
mount: fstab path: "/etc/fstab"
mount: mtab path:  "/etc/mtab"
mount: lock path:  "/etc/mtab~"
mount: temp path:  "/etc/mtab.tmp"
mount: UID:        0
mount: eUID:       0
mount: spec:  "archiv:/"
mount: node:  "/mnt2"
mount: types: "nfs4"
mount: opts:  "sec=krb5"
mount: external mount: argv[0] = "/sbin/mount.nfs4"
mount: external mount: argv[1] = "archiv:/"
mount: external mount: argv[2] = "/mnt2"
mount: external mount: argv[3] = "-v"
mount: external mount: argv[4] = "-o"
mount: external mount: argv[5] = "rw,sec=krb5"
mount.nfs4: timeout set for Mon Nov 14 18:40:42 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.6,clientaddr=10.0.0.50'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting archiv:/nfs
=======in daemon.log==============
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c 
data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c 
data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c 
data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c 
data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd458c 
data 0xbfcd460c
Nov 15 00:06:32 debian rpc.gssd[1730]: handling gssd upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5 uid=0 
enctypes=18,17,16,23,3,1,2 '
Nov 15 00:06:32 debian rpc.gssd[1730]: handling krb5 upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnt1f)
Nov 15 00:06:32 debian rpc.gssd[1730]: process_krb5_upcall: service is '<null>'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 
'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 
'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for 
DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for 
root/debian.sag.local@SAG.LOCAL while getting keytab entry for 
'root/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for 
'nfs/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL 
as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to select 
krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 
0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server 
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server 
n...@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context 
for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 
context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server 
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Machine cache is prematurely 
expired or corrupted trying to recreate cache for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'archiv.sag.local' is 
'archiv.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: Full hostname for 'debian.sag.local' is 
'debian.sag.local'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for 
DEBIAN$@SAG.LOCAL while getting keytab entry for 'DEBIAN$@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: No key table entry found for 
root/debian.sag.local@SAG.LOCAL while getting keytab entry for 
'root/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: Success getting keytab entry for 
'nfs/debian.sag.local@SAG.LOCAL'
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: INFO: Credentials in CC 
'FILE:/tmp/krb5cc_machine_SAG.LOCAL' are good until 1321318191
Nov 15 00:06:32 debian rpc.gssd[1730]: using FILE:/tmp/krb5cc_machine_SAG.LOCAL 
as credentials cache for machine creds
Nov 15 00:06:32 debian rpc.gssd[1730]: using environment variable to select 
krb5 ccache FILE:/tmp/krb5cc_machine_SAG.LOCAL
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context using fsuid 0 (save_uid 
0)
Nov 15 00:06:32 debian rpc.gssd[1730]: creating tcp client for server 
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: DEBUG: port already set to 2049
Nov 15 00:06:32 debian rpc.gssd[1730]: creating context with server 
n...@archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create krb5 context 
for user with uid 0 for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 
context with credentials cache FILE:/tmp/krb5cc_machine_SAG.LOCAL for server 
archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: WARNING: Failed to create machine krb5 
context with any credentials cache for server archiv.sag.local
Nov 15 00:06:32 debian rpc.gssd[1730]: doing error downcall
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc 
data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc 
data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc 
data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc 
data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc 
data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc 
data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: dir_notify_handler: sig 37 si 0xbfcd40bc 
data 0xbfcd413c
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client 
/var/lib/nfs/rpc_pipefs/nfs/clnt20
Nov 15 00:06:32 debian rpc.gssd[1730]: destroying client 
/var/lib/nfs/rpc_pipefs/nfs/clnt1f
===============
... and server:
===============
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No supported encryption types (config file error?)
Nov 15 00:06:34 archiv rpc.svcgssd[1097]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No supported encryption types (config file error?)

Kinit works correctly on both the server and client:
root@debian:~# kinit -k  nfs/debian.sag.local
root@debian:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/debian.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 09:27:22  11/15/11 19:27:30  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
\\\\\\\\\\\\
ARCHIV ~ # kinit -k nfs/archiv.sag.local
ARCHIV ~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nfs/archiv.sag.local@SAG.LOCAL

Valid starting     Expires            Service principal
11/15/11 09:26:37  11/15/11 19:26:42  krbtgt/SAG.LOCAL@SAG.LOCAL
        renew until 11/16/11 09:26:37, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5




--
Best Regards
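
Added example (not part of the original mail, and not code from nfs-utils or krb5): a Python check that lines up the enctypes= list from the rpc.gssd upcall with the etypes that klist -e reports, tolerating mail line wrapping and both klist spellings of arcfour-hmac. The function names are hypothetical; the sample input is copied from the messages above.

```python
import re

# Kerberos enctype numbers (IANA registry) that appear in the upcall above.
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK = {1, 2, 3}  # single DES: MIT krb5 needs allow_weak_crypto to use these
# klist prints a short name or a description depending on the krb5 version.
ALIASES = {"arcfour with hmac/md5": "arcfour-hmac"}
NAME_TO_NUM = {name: num for num, name in ENCTYPES.items()}

# Sample input copied from the thread, mail line wrapping included.
GSSD_LOG = """Nov 15 00:06:32 debian rpc.gssd[1730]: handle_gssd_upcall: 'mech=krb5 uid=0
enctypes=18,17,16,23,3,1,2 '"""
KLIST_OUT = """        renew until 11/16/11 09:27:22, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
        renew until 11/16/11 09:26:37, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5"""

def upcall_enctypes(log):
    """Enctype numbers the kernel lists in the gssd upcall, in order."""
    m = re.search(r"enctypes=([\d,]+)", log)
    return [int(n) for n in m.group(1).split(",")] if m else []

def to_num(name):
    """Map either klist spelling of an enctype to its number."""
    key = " ".join(name.lower().split())
    return NAME_TO_NUM[ALIASES.get(key, key)]

def ticket_etypes(klist_out):
    """(session key, ticket) enctype numbers for each ticket in klist -e."""
    text = " ".join(klist_out.split())  # undo line wrapping
    names = "|".join(re.escape(n) for n in [*NAME_TO_NUM, *ALIASES])
    pat = rf"Etype \(skey, tkt\): ({names}), ({names})"
    return [(to_num(a), to_num(b)) for a, b in re.findall(pat, text, re.I)]

def report(log, klist_out):
    """Tabulate what the kernel offers against what the tickets carry."""
    offered = upcall_enctypes(log)
    return {
        "offered": [ENCTYPES.get(n, f"unknown({n})") for n in offered],
        "weak_offered": sorted(n for n in offered if n in WEAK),
        "tickets": [{"skey": ENCTYPES[s], "tkt": ENCTYPES[t],
                     "skey_offered": s in offered, "weak": s in WEAK or t in WEAK}
                    for s, t in ticket_etypes(klist_out)],
    }

if __name__ == "__main__":
    print(report(GSSD_LOG, KLIST_OUT))
```

The caches shown in the thread hold only the krbtgt ticket; the same comparison applies to an nfs/ service ticket once one is in the cache.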

