I can’t mount volumes using any sec=krb5*; sec=sys works fine.
Machine 1 (M1): nfs-kernel-server/Kerberos [openSUSE] [192.168.2.255] (Yes it's .255 it's a /23 network)
Machine 2 (M2): Client [Debian] [192.168.2.120]
Router (R): DNS/DHCP [OPNSense] [192.168.2.1]
DNS
M1: kerberos.example.org; storage.example.org; nfs.example.org;
M2: intel-deb.example.org
R: opnsense.example.org
Kerberos Principals
host/[email protected]
host/[email protected]
host/[email protected]
host/[email protected]
nfs/[email protected]
nfs/[email protected]
nfs/[email protected]
nfs/[email protected]
I’ve added both nfs/ and host/ for each one. It doesn’t really matter, since gssproxy seems to try any of them (man rpc.gssd), but at this point I’m really trying anything.
/etc/exports
#/mnt/raid6-main/Users/user intel-deb.example.org(rw,sync,no_subtree_check,sec=krb5p)
/mnt/raid6-main/Users/user *(rw,sync,no_subtree_check,no_root_squash,sec=krb5p)
These are some of the export configurations I’ve been trying.
/etc/krb5.conf
[libdefaults]
    default_realm = example.org
    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false

[realms]
    example.org = {
        # default_principal_flags, max_life, max_renewable_life, supported_enctypes,
        # master_key_type and acl_file are kdc.conf [realms] relations; libkrb5
        # ignores them in krb5.conf, so they only take effect on the KDC if they
        # also appear in its kdc.conf.
        default_principal_flags = +preauth
        kdc = kerberos.example.org
        admin_server = kerberos.example.org
        default_domain = example.org
        max_life = 12h 0m 0s
        max_renewable_life = 2d 0h 0m 0s
        supported_enctypes = aes256-cts-hmac-sha1-96
        # aes128-cts was previously appended to the line above after a "#";
        # a trailing "#..." is not a comment in this file format, so it is
        # kept here on its own comment line instead.
        master_key_type = aes256-cts
        acl_file = /mnt/raid6-main/krb5/example.org/etc-krb/kadm5.acl
    }

[domain_realm]
    .example.org = example.org
    example.org = example.org

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmin.log
    default = FILE:/var/log/krb5/krb5lib.log
For M2, I’ve created a keytab with ktadd -k /tmp/desktop.keytab host/[email protected] and then transferred it through scp. I can see it is working properly through klist (after kinit -k):
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/[email protected]
Valid starting Expires Service principal
05/29/2024 23:00:35 05/30/2024 11:00:35 krbtgt/[email protected]
renew until 05/30/2024 23:00:35
05/29/2024 23:00:53 05/30/2024 11:00:35 nfs/[email protected]
renew until 05/30/2024 23:00:35
And for M1, ktadd host/[email protected] and then kinit -k:
Ticket cache: DIR::/run/user/0/krb5cc/tktCW9QHa
Default principal: host/[email protected]
Valid starting Expires Service principal
05/29/2024 23:06:22 05/30/2024 11:06:22 krbtgt/[email protected]
renew until 05/30/2024 23:06:22
Both of these are just for checking, as gssproxy should do this by itself.
For the client, I’ve read some stuff on the gssproxy GitHub and added some logging. But as far as I can see, everything is okay on the client (M2).
[191225] 1717034889.286347: Retrieving [email protected] from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: -1765328203/No key table entry found for [email protected]
[191225] 1717034889.286348: Retrieving [email protected] from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: -1765328203/No key table entry found for [email protected]
[191225] 1717034889.286349: Retrieving root/[email protected] from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: -1765328203/No key table entry found for root/[email protected]
[191225] 1717034889.286350: Retrieving nfs/[email protected] from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: -1765328203/No key table entry found for nfs/[email protected]
[191225] 1717034889.286351: Retrieving host/[email protected] from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[191225] 1717034889.286352: Retrieving host/[email protected] -> Encrypted/Credentials/v1@X-GSSPROXY: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[191225] 1717034889.286353: Getting credentials host/[email protected] -> nfs/[email protected] using ccache FILE:/tmp/krb5ccmachine_example.org
[191225] 1717034889.286354: Retrieving host/[email protected] -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/krb5ccmachine_example.org with result: -1765328243/Matching credential not found (filename: /tmp/krb5ccmachine_example.org)
[191225] 1717034889.286355: Retrieving host/[email protected] -> nfs/[email protected] from FILE:/tmp/krb5ccmachine_example.org with result: 0/Success
[191225] 1717034889.286356: Creating authenticator for host/[email protected] -> nfs/[email protected], seqnum 35569972, subkey aes256-cts/E01D, session key aes256-cts/0264
And on the server side (M1) with this script:
export NFS_RPC_MODULES="nfs nfsd rpc nlm"
# turn on every rpcdebug flag for each of the nfs/sunrpc modules
for MODULE in $NFS_RPC_MODULES; do
    rpcdebug -m "$MODULE" -s all
done
I can’t see anything useful in /var/log/messages either:
2024-05-29T23:14:27.139096-03:00 storage kernel: [17646.308285][T24717] svc: server 0000000035894eaf, pool 0, transport 000000008345429b, inuse=3
2024-05-29T23:14:27.139098-03:00 storage kernel: [17646.308588][T24718] svc: server 00000000378add72, pool 0, transport 00000000b5466371, inuse=2
2024-05-29T23:14:27.142908-03:00 storage kernel: [17646.308828][T24718] svc: server 00000000378add72, pool 0, transport 00000000b5466371, inuse=2
2024-05-29T23:14:27.142920-03:00 storage kernel: [17646.308837][T24718] svc: svc_authenticate (6)
2024-05-29T23:14:27.142922-03:00 storage kernel: [17646.308841][T24718] RPC: Want update, refage=120, age=0
2024-05-29T23:14:27.142924-03:00 storage kernel: [17646.308844][T24718] svc: svc_process close
2024-05-29T23:14:27.181276-03:00 storage kernel: [17646.350921][ C5] RPC: xs_tcp_state_change client 00000000f11978c9...
2024-05-29T23:14:27.181283-03:00 storage kernel: [17646.350956][ C5] RPC: state 8 conn 1 dead 0 zapped 1 sk_shutdown 1
2024-05-29T23:14:27.181293-03:00 storage kernel: [17646.350982][ C5] RPC: xs_data_ready...
2024-05-29T23:14:27.181317-03:00 storage kernel: [17646.350999][T24679] RPC: xs_close xprt 00000000f11978c9
2024-05-29T23:14:27.182910-03:00 storage kernel: [17646.351030][T24679] RPC: xs_tcp_state_change client 00000000f11978c9...
2024-05-29T23:14:27.182922-03:00 storage kernel: [17646.351054][T24679] RPC: state 9 conn 0 dead 0 zapped 1 sk_shutdown 3
And the logs on the client after mount -vvv -t nfs4 -o sec=krb5p storage.example.org:/mnt/raid6-main/Users/user /mnt/nfs:
mount.nfs4: timeout set for Wed May 29 23:16:26 2024
mount.nfs4: trying text-based options 'sec=krb5p,vers=4.2,addr=192.168.2.255,clientaddr=192.168.2.120'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,minorversion=1,addr=192.168.2.255,clientaddr=192.168.2.120'
mount.nfs4: mount(2): Permission denied
mount.nfs4: trying text-based options 'sec=krb5p,vers=4,addr=192.168.2.255,clientaddr=192.168.2.120'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting storage.example.org:/mnt/raid6-main/Users/user
Currently showmount -e:
Export list for storage:
/mnt/raid6-main/Users/user *
DNS queries:
;; ANSWER SECTION:
kerberos.example.org. 3600 IN A 192.168.2.255
;; ANSWER SECTION:
storage.example.org. 3600 IN A 192.168.2.255
;; ANSWER SECTION:
nfs.example.org. 3600 IN A 192.168.2.255
;; ANSWER SECTION:
intel-deb.example.org. 3600 IN A 192.168.2.120
Reverse queries:
;; ANSWER SECTION:
120.2.168.192.in-addr.arpa. 3600 IN PTR intel-deb.example.org
;; ANSWER SECTION:
255.2.168.192.in-addr.arpa. 3600 IN PTR nfs.example.org.
255.2.168.192.in-addr.arpa. 3600 IN PTR storage.example.org.
255.2.168.192.in-addr.arpa. 3600 IN PTR kerberos.example.org.
On M1 there are entries on /etc/hosts for:
127.0.0.1 kerberos.example.org
127.0.0.1 storage.example.org
127.0.0.1 nfs.example.org