2013-01-15 38 views
0

Unsupported encryption types: NFSv4 with Kerberos on Debian Squeeze

I am setting up a test installation of NFSv4 with Kerberos.

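The machines get their user information from LDAP and their credentials from Kerberos. I can log in to the machines with kerberized accounts, i.e. the basic Kerberos setup, including PAM, is working. I can set up NFSv4 with host-based access, and that works fine too.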

So, as the next step, I changed my netmask to 'krb5'.

mount -t nfs4 -o sec=krb5 nfs4.mgr:/test mnt 
mount.nfs4: access denied by server while mounting nfs4.mgr:/test 

After giving gssd a few -v switches, I see the following in the logs:

Jan 15 22:00:11 nfs4 rpc.gssd[8116]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clntc) 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: handle_gssd_upcall: 'mech=krb5 uid=0 ' 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clntc) 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: process_krb5_upcall: service is '<null>' 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Full hostname for 'nfs4.mgr' is 'nfs4.mgr' 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Full hostname for 'nfs4.mgr' is 'nfs4.mgr' 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Key table entry not found while getting keytab entry for 'root/[email protected]' 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: Success getting keytab entry for 'nfs/[email protected]' 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MGR' are good until 1358369976 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_MGR' are good until 1358369976 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: using FILE:/tmp/krb5cc_machine_MGR as credentials cache for machine creds 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_MGR 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: creating context using fsuid 0 (save_uid 0) 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: creating tcp client for server nfs4.mgr 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: DEBUG: port already set to 2049 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: creating context with server [email protected] 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_create_default() 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_create() 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_create: name is 0x1bbee10 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_create: gd->name is 0x1bb46e0 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_refresh() 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: struct rpc_gss_sec: 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:  mechanism_OID: { 1 2 134 72 134 247 18 1 2 2 } 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:  qop: 0 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:  service: 1 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:  cred: 0x1bb9ae0 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]:  req_flags: 00000002 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: rpcsec_gss: gss_init_sec_context: (major) Unspecified GSS failure. Minor code may provide more information - (minor) No supported encryption types (config file error?) 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_destroy() 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: in authgss_destroy_context() 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_destroy: freeing name 0x1bb46e0 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: authgss_create_default: freeing name 0x1bbee10 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: WARNING: Failed to create krb5 context for user with uid 0 for server nfs4.mgr 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: WARNING: Failed to create machine krb5 context with credentials cache FILE:/tmp/krb5cc_machine_MGR for server nfs4.mgr 
Jan 15 22:00:11 nfs4 rpc.gssd[8116]: WARNING: Machine cache is prematurely expired or corrupted trying to recreate cache for server nfs4.mgr 

This happens twice for each mount call. Any idea what this means? Which config file might it be referring to?

Thanks for your help.

Answer

0

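I believe the NFSv4 implementation in Debian squeeze is still DES-only. (This was a problem in NFSv4 implementations for some time.) However, all modern Kerberos implementations no longer allow DES by default, since it is too weak for good security practice.

At the very least, you will probably need to add: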

allow_weak_crypto  = true 

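to the [libdefaults] section of /etc/krb5.conf on the client. Your KDC also needs to support DES service requests. You need to make sure that the Kerberos principal used by your NFSv4 server has only DES enctypes; if it has any other enctypes, the client will prefer them (since they are stronger), but the server will not be able to understand the authentication.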

+0

Argl, that looks like a rather tedious adventure. Is there an easy way to verify your belief? –

+0

See [this thread](http://us.generation-nt.com/answer/aes-encryption-nfs4-debian-squeeze-help-200186031.html). It looks like the change just missed squeeze. Given that, I suspect the kernel and nfs-utils from backports may work the way you expect. – rra
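A check for the two conditions named in the answer above (allow_weak_crypto in the client's [libdefaults], and an NFS service principal that carries only DES keys), as an added example that is not part of the original thread. The host, realm, sample krb5.conf and sample `klist -ke` listing are constructed; it assumes the keytab holds the same enctypes as the principal in the KDC and that klist prints short enctype names.

```python
import re

TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}   # booleans MIT krb5 accepts
KEY_LINE = re.compile(r"^\s*\d+\s+(\S+)\s+\((.+)\)\s*$")  # "KVNO principal (enctype)"
# Constructed sample inputs (hypothetical host and realm), not from the page.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    ; allow_weak_crypto = true
"""
SAMPLE_KLIST = """\
KVNO Principal
   3 nfs/nfs4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 nfs/nfs4.example.test@EXAMPLE.TEST (des-cbc-crc)
   3 host/nfs4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

def weak_crypto_allowed(krb5_conf):
    """True if [libdefaults] sets allow_weak_crypto to a true value."""
    section, allowed = None, False
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif section == "libdefaults" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "allow_weak_crypto":
                allowed = value.lower() in TRUE_VALUES
    return allowed

def is_des(enctype):  # single DES only; des3 (triple DES) and AES do not match
    return enctype.lower().replace("deprecated:", "").startswith(("des-cbc", "des cbc"))

def non_des_keys(klist_ke, service="nfs/"):
    """Map each matching service principal to its non-DES enctypes."""
    found = {}
    for line in klist_ke.splitlines():
        m = KEY_LINE.match(line)
        if m and m.group(1).startswith(service) and not is_des(m.group(2)):
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def diagnose(krb5_conf, klist_ke):
    """Collect the conditions that break a DES-only NFSv4 server."""
    findings = [f"{p} has non-DES keys: {', '.join(e)}"
                for p, e in non_des_keys(klist_ke).items()]
    if not weak_crypto_allowed(krb5_conf):
        findings.insert(0, "allow_weak_crypto is not enabled in [libdefaults]")
    return findings
```

On a real system, pass the contents of /etc/krb5.conf and the output of `klist -ke` for the server's keytab to `diagnose` in place of the two samples.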
