NFS4 + Kerberos: BAD_ENCRYPTION_TYPE, GSS: Encryption type not permitted, hangs on mount

I am trying to get NFS4 + Kerberos working on Debian Squeeze.

I have 3 testing machines: nfsserver, nfsclient, nfskerberos

What I get is:

 root@nfsclient:~# mount -v -t nfs4 -o sec=krb5 nfsserver.mydomain.com:/export /import
 mount.nfs4: timeout set for Fri Apr 5 10:15:33 2013
 mount.nfs4: trying text-based options 'sec=krb5,addr=10.10.16.207,clientaddr=10.10.16.208'
 mount.nfs4: mount(2): Permission denied
 mount.nfs4: access denied by server while mounting nfsserver.mydomain.com:/export

I think the problem is in the nfsclient <-> nfskerberos communication. After sniffing the network traffic between these systems, I see messages like:

 error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
 [...]
 e-text: BAD_ENCRYPTION_TYPE

[Only nfsclient talks to nfskerberos. There is no traffic from nfsserver on nfskerberos.]

kinit -k on nfsclient works fine, though:

 root@nfsclient:~# kinit -k nfs/nfsclient.mydomain.com
 root@nfsclient:~# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: nfs/nfsclient.mydomain.com@MYDOMAIN.COM

 Valid starting     Expires            Service principal
 04/05/13 11:44:55  04/05/13 21:44:55  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
         renew until 04/06/13 11:44:55

But kinit does an AS-REQ, while the mount request does a TGS-REQ.

I have tried many encryption types:

  • DES-CBC-CRC:normal
  • aes256-cts-hmac-sha1-96:normal (this one works with kinit)
  • DES3-HMAC-SHA1:normal

On nfskerberos, in the kdc configuration I have:

 [kdcdefaults]
     kdc_ports = 750,88

 [realms]
     MYDOMAIN.COM = {
         database_name = /var/lib/krb5kdc/principal
         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
         acl_file = /etc/krb5kdc/kadm5.acl
         key_stash_file = /etc/krb5kdc/stash
         kdc_ports = 750,88
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3-hmac-sha1
         supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
         default_principal_flags = +preauth
     }

Conversation between nfsclient and nfskerberos:

 No.  Time       Source        Destination   Protocol  Length  Info
   7  11.128679  10.10.16.208  10.10.16.209  KRB5      808     TGS-REQ
 [ cut lower level protocols data ]
 Kerberos
     TGS-REQ
         Pvno: 5
         MSG Type: TGS-REQ (12)
         padata: PA-TGS-REQ
             Type: PA-TGS-REQ (1)
             Value: 6e82025630820252a003020105a10302010ea20703050000...
                 AP-REQ
                     Pvno: 5
                     MSG Type: AP-REQ (14)
                     Padding: 0
                     APOptions: 00000000
                         0... .... .... .... .... .... .... .... = reserved: RESERVED bit off
                         .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                         ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                     Ticket
                         Tkt-vno: 5
                         Realm: MYDOMAIN.COM
                         Server Name (Service and Instance): krbtgt/MYDOMAIN.COM
                             Name-type: Service and Instance (2)
                             Name: krbtgt
                             Name: MYDOMAIN.COM
                         enc-part aes256-cts-hmac-sha1-96
                             Encryption type: aes256-cts-hmac-sha1-96 (18)
                             Kvno: 1
                             enc-part: c03dbd56915263874441e07531f689fa16ed7593a8118741...
                     Authenticator aes256-cts-hmac-sha1-96
                         Encryption type: aes256-cts-hmac-sha1-96 (18)
                         Authenticator data: bae42b08eb935796e3dd31d9d34f5a4cc419b6594be7a8ed...
         KDC_REQ_BODY
             Padding: 0
             KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
                 .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                 ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                 ...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
                 .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                 .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                 .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                 .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
                 .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                 .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                 .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
                 .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                 .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                 .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                 .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                 .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
             Realm: MYDOMAIN.COM
             Server Name (Service and Host): nfs/nfsserver.mydomain.com
                 Name-type: Service and Host (3)
                 Name: nfs
                 Name: nfsserver.mydomain.com
             till: 2013-04-05 17:58:28 (UTC)
             Nonce: 1365155889
             Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
                 Encryption type: aes256-cts-hmac-sha1-96 (18)
                 Encryption type: aes128-cts-hmac-sha1-96 (17)
                 Encryption type: des3-cbc-sha1 (16)
                 Encryption type: rc4-hmac (23)
                 Encryption type: des-cbc-crc (1)
                 Encryption type: des-cbc-md5 (3)
                 Encryption type: des-cbc-md4 (2)

 No.  Time       Source        Destination   Protocol  Length  Info
   8  11.130891  10.10.16.209  10.10.16.208  KRB5      244     KRB Error: KRB5KDC_ERR_ETYPE_NOSUPP
 [ cut lower level protocols data ]
 Kerberos
     KRB-ERROR
         Pvno: 5
         MSG Type: KRB-ERROR (30)
         ctime: 2013-04-05 09:58:09 (UTC)
         stime: 2013-04-05 09:58:09 (UTC)
         susec: 588499
         error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
         Client Realm: MYDOMAIN.COM
         Client Name (Principal): nfs/nfsclient.mydomain.com
             Name-type: Principal (1)
             Name: nfs
             Name: nfsclient.mydomain.com
         Realm: MYDOMAIN.COM
         Server Name (Service and Host): nfs/nfsserver.mydomain.com
             Name-type: Service and Host (3)
             Name: nfs
             Name: nfsserver.mydomain.com
         e-text: BAD_ENCRYPTION_TYPE

In case anyone is in the same situation:

The original problem was solved by adding allow_weak_crypto = true to /etc/krb5.conf.

Next I faced another problem, namely:

 Apr 5 16:31:46 nfsserver rpc.svcgssd[2047]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Encryption type not permitted

Somebody has described it before: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637660 but I did not find any solution, so I decided to try Debian Wheezy as the NFS server.

Wheezy seems to get further with GSS authentication, but it gets stuck on the mount request with something like this on the nfsserver side:

 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: leaving poll
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: handling null request
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sname = nfs/[email protected]
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: DEBUG: serialize_krb5_ctx: lucid version!
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: doing downcall
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: mech: krb5, hndl len: 4, ctx len 85, timeout: 1365455915 (32884 from now), clnt: [email protected], uid: -1, gid: -1, num aux grps: 0:
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sending null reply
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: writing message: \x \x 1365423091 0 0 \x01000000 \x607006092a864886f71201020202006f61305fa003020105a10302010fa2533051a003020101a24a044882577e0441254f6c05add73796908deb02b7f61d90d7ed5bd54f67bb72e7ea2f8898ae1a6eb6e8fe631753b01bc9340dc4cdabf1b1985c449d28b4e9568aa85259f2cc591628a696
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: finished handling null request
 Apr 8 14:10:31 nfsserver7 rpc.svcgssd[3924]: entering poll

Some others have dealt with this problem too: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682709 but the only working solution they came up with is installing an older version of nfs- |kernel-server).

That worked for me too.

What I learned: setting up NFS + Kerberos is no fun. 😉
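An added diagnostic, not from the original post or from any tool it mentions: it parses a constructed `klist -ke` listing for the NFS service principal and replays, in simplified form, the KDC's enctype choice against the client's TGS-REQ list from the capture above. It shows why the KDC answers KRB5KDC_ERR_ETYPE_NOSUPP when the service principal only has single-DES keys, why the answer's allow_weak_crypto = true makes that go away, and why rekeying the principal with AES is the fix that does not depend on weak crypto. Hostnames and keytab contents are constructed, and the WEAK_DES gating is the MIT krb5 (1.8 and later) behaviour assumed here.

```python
import re

# Single-DES enctypes: MIT krb5 1.8 and later refuses them unless
# allow_weak_crypto = true is set in krb5.conf, the knob the answer turned on.
WEAK_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}

# Constructed `klist -ke` listing for the NFS server's keytab: the nfs/ principal
# has only a single-DES key, which is the situation the thread describes.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/nfsserver.mydomain.com@MYDOMAIN.COM (des-cbc-crc)
   1 host/nfsserver.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
"""

# Enctypes the client offered in its TGS-REQ, in the order seen in the capture.
CLIENT_ETYPES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1",
                 "rc4-hmac", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"]

KEYTAB_LINE = re.compile(r"^\s*\d+\s+(\S+)\s+\((\S+)\)\s*$")

def keytab_enctypes(listing, principal):
    """Enctypes for which `principal` has a key, parsed from `klist -ke` output."""
    return [m.group(2) for m in map(KEYTAB_LINE.match, listing.splitlines())
            if m and m.group(1) == principal]

def select_ticket_enctype(client_etypes, service_etypes, allow_weak_crypto=False):
    """Simplified model of the KDC's choice: the first enctype in the client's
    preference list that the service has a key for, skipping single DES unless
    weak crypto is allowed. Returns (enctype, note); enctype is None where the
    KDC would answer KRB5KDC_ERR_ETYPE_NOSUPP (BAD_ENCRYPTION_TYPE on the wire)."""
    usable = set(service_etypes) if allow_weak_crypto else set(service_etypes) - WEAK_DES
    for etype in client_etypes:
        if etype in usable:
            return etype, ("WEAK: single-DES ticket key, rekey the principal with AES"
                           if etype in WEAK_DES else "ok")
    if set(client_etypes) & set(service_etypes) & WEAK_DES:
        return None, ("KRB5KDC_ERR_ETYPE_NOSUPP: only single-DES keys match; "
                      "rekeying the service principal with AES avoids allow_weak_crypto")
    return None, "KRB5KDC_ERR_ETYPE_NOSUPP: client and service share no enctype"

def diagnose(listing, principal, client_etypes, allow_weak_crypto=False):
    """Run both steps for one service principal from its keytab listing."""
    return select_ticket_enctype(client_etypes, keytab_enctypes(listing, principal),
                                 allow_weak_crypto)
```

Run `diagnose(SAMPLE_KEYTAB, "nfs/nfsserver.mydomain.com@MYDOMAIN.COM", CLIENT_ETYPES)` with and without `allow_weak_crypto=True` to see the two outcomes from the thread side by side.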