Debugging 4: Solution

  1. The mount is denied access; download the keytab again.
    [root@kvm7 ~]# mount.nfs4 -o sec=krb5p,v4.2 kvm5.deyu.wang:/protected /mnt/nfssecure
    mount.nfs4: access denied by server while mounting kvm5.deyu.wang:/protected
    
  2. On the NFS server kvm5, /etc/krb5.keytab turns out to contain keytab entries generated at different times; only the most recent set should be present.
    [root@kvm5 ~]# klist -kte /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       5 09/22/2015 22:16:17 nfs/kvm5.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       5 09/22/2015 22:16:17 nfs/kvm5.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       5 09/22/2015 22:16:17 nfs/kvm5.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       5 09/22/2015 22:16:17 nfs/kvm5.deyu.wang@DEYU.WANG (arcfour-hmac) 
       5 09/22/2015 22:16:18 nfs/kvm5.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       5 09/22/2015 22:16:18 nfs/kvm5.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       5 09/22/2015 22:16:18 nfs/kvm5.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       5 09/22/2015 22:16:18 nfs/kvm5.deyu.wang@DEYU.WANG (des-cbc-md5) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (arcfour-hmac) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (des-cbc-md5) 
       2 09/22/2015 22:56:27 nfs/kvm5.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       2 09/22/2015 22:56:27 nfs/kvm5.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       2 09/22/2015 22:56:27 nfs/kvm5.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       2 09/22/2015 22:56:28 nfs/kvm5.deyu.wang@DEYU.WANG (arcfour-hmac) 
       2 09/22/2015 22:56:28 nfs/kvm5.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       2 09/22/2015 22:56:28 nfs/kvm5.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       2 09/22/2015 22:56:28 nfs/kvm5.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       2 09/22/2015 22:56:28 nfs/kvm5.deyu.wang@DEYU.WANG (des-cbc-md5)
    
  3. On the NFS server kvm5, remove the keytab entries for principal nfs/kvm5.deyu.wang@DEYU.WANG from /etc/krb5.keytab.
    [root@kvm5 ~]# kadmin.local -q 'ktremove -k /etc/krb5.keytab nfs/kvm5.deyu.wang@DEYU.WANG'
    Authenticating as principal nfs/admin@DEYU.WANG with password.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
    
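  4. On the NFS server kvm5, download the keytab again and save it as /etc/krb5.keytab. The keytab holds the service's long-term keys and this download goes over plain HTTP, so outside a lab transfer it over an authenticated, encrypted channel and keep the file readable by root only.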
    [root@kvm5 ~]# wget http://deyu.wang/kvm5.keytab -O /etc/krb5.keytab
    
  5. On the NFS server kvm5, /etc/krb5.keytab now contains only one set of keytab entries, with KVNO 2.
    [root@kvm5 ~]# klist -kte /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 12/05/2015 14:25:15 nfs/kvm5.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       2 12/05/2015 14:25:16 nfs/kvm5.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       2 12/05/2015 14:25:16 nfs/kvm5.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       2 12/05/2015 14:25:16 nfs/kvm5.deyu.wang@DEYU.WANG (arcfour-hmac) 
       2 12/05/2015 14:25:16 nfs/kvm5.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       2 12/05/2015 14:25:16 nfs/kvm5.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       2 12/05/2015 14:25:16 nfs/kvm5.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       2 12/05/2015 14:25:16 nfs/kvm5.deyu.wang@DEYU.WANG (des-cbc-md5)
    
  6. On the NFS client kvm7, download the keytab again and save it as /etc/krb5.keytab.
    [root@kvm7 ~]# wget http://deyu.wang/kvm7.keytab -O /etc/krb5.keytab
    
  7. On the NFS client kvm7, the current /etc/krb5.keytab contains only one set of keytab entries, with KVNO 2.
    [root@kvm7 ~]# klist -kte /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (arcfour-hmac) 
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       2 12/05/2015 14:25:16 nfs/kvm7.deyu.wang@DEYU.WANG (des-cbc-md5)
    
  8. On the NFS client kvm7, the secure mount now succeeds.
    [root@kvm7 ~]# mount.nfs4 -o sec=krb5p,v4.2 kvm5.deyu.wang:/protected /mnt/nfssecure/ 
    [root@kvm7 ~]# df -h | grep kvm5
    kvm5.deyu.wang:/protected    3.1G  1.1G  1.8G  37% /mnt/nfssecure
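
The check done by eye in steps 2, 5 and 7, as an added example that is not part of the original page: it reads `klist -kte` output and flags any principal that appears with more than one KVNO. The function name `keytab_kvno_report` and the `MIXED`/`OK` labels are assumptions of this example; it also reports which KVNO carries the newest timestamp, because in the step 2 listing the newer key set is KVNO 2 while the older one is KVNO 5.

```shell
#!/bin/sh
# Added example: report principals that appear with more than one KVNO in
# `klist -kte` output (read from stdin). Assumes the MM/DD/YYYY HH:MM:SS
# timestamp layout shown on this page; klist may print dates differently
# under another locale.
keytab_kvno_report() {
    awk '
    # Data rows: KVNO DATE TIME PRINCIPAL (ENCTYPE); header rows are skipped.
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ {
        split($2, d, "/"); t = $3; gsub(":", "", t)
        stamp = d[3] d[1] d[2] t              # sortable YYYYMMDDHHMMSS string
        if (!(($4, $1) in seen)) {            # new principal/KVNO pair
            seen[$4, $1] = 1
            if ($4 in kvnos) kvnos[$4] = kvnos[$4] "," $1
            else { order[++n] = $4; kvnos[$4] = $1 }
            count[$4]++
        }
        # Track which KVNO carries the newest timestamp for this principal.
        if (stamp > newest[$4]) { newest[$4] = stamp; newest_kvno[$4] = $1 }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            status = (count[p] > 1) ? "MIXED" : "OK"
            if (count[p] > 1) bad = 1
            printf "%s %s kvnos=%s newest_kvno=%s\n", status, p, kvnos[p], newest_kvno[p]
        }
        exit bad + 0                          # non-zero when any principal is MIXED
    }'
}

# Listing abridged from step 2 on this page (two enctypes per key set).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 09/22/2015 22:16:17 nfs/kvm5.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96)
   5 09/22/2015 22:16:17 nfs/kvm5.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96)
   6 09/22/2015 22:16:22 nfs/kvm7.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96)
   2 09/22/2015 22:56:27 nfs/kvm5.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96)
   2 09/22/2015 22:56:27 nfs/kvm5.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96)
EOF
}

sample_listing | keytab_kvno_report || echo "keytab holds more than one key version for a principal"
```

On a live host the same function takes the real listing: `klist -kte /etc/krb5.keytab | keytab_kvno_report`.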
    



2017-11-30