linux之NFS_linux ktutil-CSDN博客

本文链接：https://blog.csdn.net/qinwunan/article/details/72870815

NFS

1.定义：

NFS为Network File System 的简称，她的目的是让不同的机器、不同的操作系统可以彼此共享数据文件。NFS在启动时需要远程过程调用协议来辅助，因为默认NFS用来传输的端口是随机选择的，小于1024的端口。

2. 配置：

2.1 启动服务

[root@localhost ~]# yum install nfs-utils                                 包括基本的NFS命令与监控程序
[root@localhost ~]# systemctl enable nfs-server
[root@localhost ~]# systemctl start nfs-server
[root@localhost ~]# firewall-cmd --permanent --add-service=nfs
[root@localhost ~]# firewall-cmd --permanent --add-service=rpc-bind                支持安全NFS RPC服务的连接
[root@localhost ~]# firewall-cmd --permanent --add-service=mountd

测试：
[root@foundation21 kiosk]# showmount -e 172.25.254.121
Export list for 172.25.254.121:

2.2共享目录
[root@localhost ~]#mkdir /public
[root@localhost ~]# chmod 777 /public/
[root@localhost ~]# touch /public/file{12..15}

[root@localhost ~]# vim /etc/exports #man 5 exports NFS服务的主要配置文件

/public *(sync) #public目录共享给所有人并且数据同步

[root@localhost ~]# exportfs -rv #刷新，使文件生效

exporting *:/public

测试：

/public   172.25.254.221(sync)                      #public目录共享给221并且数据同步
/public   172.25.254.21(sync,ro)    172.25.254.221(sync,rw)   #public目录共享给21并且数据同步且只读，共享给221并数据同步且读写
/public   *.example.com(sync)               #public目录共享给example.com域内所有人并且数据同步

/public 172.25.254.0/24(sync,rw,no_root_squash) #public目录共享给172.25.254网段的所有人并当客户端使用root挂载不转换用户身份

测试：

/public 172.25.254.0/24(sync,rw,anonuid=1001,anongid=1000) #public目录共享给所有人并且以1001为uid，1000为gid

测试：

2.3利用kerberos保护nfs输出
###服务端短

开启kerberos认证，得到ldap用户
yum install sssd krb5-workstation authconfig-gtk -y

authconfig-gtk      kerberos认证图形化管理界面

User Account Database     LDAP
LDAP Search Base DN    dc=example,dc=com
LDAP Server             classroom.example.com
Certificate URL        httpa://classroom.example.com/pub/example-ca.crt
Realm            EXAMPLE.COM
KDCs           classroom.example.com
Admin Server       classroom.example.com

[root@server21 ~]# wget http://172.25.254.254/pub/keytabs/server21.keytab -O /etc/krb5.keytab
[root@server21 ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
[root@server21 ~]# systemctl start nfs-secure-server
[root@server21 ~]# systemctl status nfs-secure-server
[root@server21 ~]# vim /etc/exports
[root@server21 ~]# cat /etc/exports
/public *(rw,sec=krb5p)
[root@server21 ~]# exportfs -rv

###客户端
开启kerberos认证，得到ldap用户
[root@desktop21 mnt]# wget http://172.25.254.254/pub/keytabs/desktop21.keytab -O /etc/krb5.keytab
[root@desktop21 mnt]# ktutil   查看证书是否正确
ktutil: rkt /etc/krb5.keytab
ktutil: list
[root@desktop21 mnt]# systemctl start nfs-secure
[root@desktop21 mnt]# systemctl enable nfs-secure

测试：
[root@desktop21 student]# vim /etc/hosts
172.25.254.221 server21.example.com
[root@desktop21 ~]# mount 172.25.254.221:/public /mnt -o sec=krb5p
[root@desktop21 ~]# cd /mnt/
[root@desktop21 mnt]# ls
file1 file2 file3 file4 file5 file6
[root@desktop21 mnt]# su - student
Last login: Sat Jun 3 23:23:56 EDT 2017 on pts/1
[student@desktop21 ~]$ cd /mnt/
-bash: cd: /mnt/: Permission denied
[student@desktop21 ~]$ ls
[student@desktop21 ~]$ su - ldapuser1
Password:
su: Authentication failure
[student@desktop21 ~]$ su - ldapuser1
Password:
Last login: Sat Jun 3 23:24:14 EDT 2017 on pts/1
Last failed login: Sat Jun 3 23:48:07 EDT 2017 on pts/0
There was 1 failed login attempt since the last successful login.
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ cd /mnt/
-bash-4.2$ ls
file1 file2 file3 file4 file5 file6
-bash-4.2$