(五)nfs 服务
任务描述:请采用 nfs,实现共享资源的安全访问。 1.配置 linux2 为 kdc 服务器,负责 linux3 和 linux4 的验证。 2.在 linux3 上,创建用户,用户名为 xiao,uid=2000,gid=2000,家目录为/home/xiaodir。 3.配置 linux3 为 nfs 服务器,目录/srv/sharenfs 的共享要求为:linux 服务器所在网络用户有读写权限,所有用户映射为 xiao,kdc 加密方式为 krb5p。 4.配置 linux4 为 nfs 客户端,利用 autofs 按需挂载 linux3 上的/srv/sharenfs 到/sharenfs 目录,挂载成功后在该目录创建 test 目录。
linux2的配置
#linux2安装服务 yum install -y krb5* #在linux2,linux3,linux4的/etc/hosts 里添加三台主机的ip及机器名 vim /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.10.120.103 linux3.skills.com 10.10.120.104 linux4.skills.com 10.10.120.102 linux2.skills.com #在linux2上编辑主配置文件(vim /etc/krb5.conf),将里面所有的EXAMPLE.COM改成自己的域名 vim /etc/krb5.conf # To opt out of the system crypto-policies configuration of krb5, remove the # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 default_realm = SKILLS.COM #取消注释并修改域名SKILLS.COM default_ccache_name = KEYRING:persistent:%{uid} [realms]#取消注释并修改域名SKILLS.COM 以及linux2.skills.com SKILLS.COM = { kdc = linux2.skills.com admin_server = linux2.skills.com } [domain_realm]#取消注释并修改域名SKILLS.COM 以及skills.com .skills.com = SKILLS.COM skills.com = SKILLS.COM #修改/var/kerberos/krb5kdc/kadm5.acl,将EXAMPLE.COM改成自己的域名. vim /var/kerberos/krb5kdc/kadm5.acl */admin@SKILLS.COM * #初始化kdc 数据库 [root@linux2 ~]# kdb5_util create -s #需要输入 KDC 数据库主密钥(master key),可以写成 Skills39 Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SKILLS.COM', master key name 'K/M@SKILLS.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: #重启服务 [root@linux2 ~]# systemctl restart krb5kdc kadmin [root@linux2 ~]# systemctl enable krb5kdc kadmin Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service. 
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service. [root@linux2 ~]# #登录Kerberos Server服务 root免密登录kadmin.local,并创建添加Kerberos用户,随机生成一个值作为三台节点的key,并下载主服务器的key. [root@linux2 ~]# kadmin.local Authenticating as principal root/admin@SKILLS.COM with password. kadmin.local: kadmin.local: 123456 kadmin.local: Unknown request "123456". Type "?" for a request list. kadmin.local: kadmin.local: addprinc root/admin #输入密码 Skills39 No policy specified for root/admin@SKILLS.COM; defaulting to no policy Enter password for principal "root/admin@SKILLS.COM": Re-enter password for principal "root/admin@SKILLS.COM": Principal "root/admin@SKILLS.COM" created. kadmin.local: addprinc -randkey "nfs/linux2.skills.com" No policy specified for nfs/linux2.skills.com@SKILLS.COM; defaulting to no policy Principal "nfs/linux2.skills.com@SKILLS.COM" created. kadmin.local: addprinc -randkey "nfs/linux3.skills.com" No policy specified for nfs/linux3.skills.com@SKILLS.COM; defaulting to no policy Principal "nfs/linux3.skills.com@SKILLS.COM" created. kadmin.local: addprinc -randkey "nfs/linux4.skills.com" No policy specified for nfs/linux4.skills.com@SKILLS.COM; defaulting to no policy Principal "nfs/linux4.skills.com@SKILLS.COM" created. kadmin.local: ktadd nfs/linux2.skills.com Entry for principal nfs/linux2.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal nfs/linux2.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. kadmin.local: #可以用listprincs查看创建的key kadmin.local: listprincs K/M@SKILLS.COM kadmin/admin@SKILLS.COM kadmin/changepw@SKILLS.COM kadmin/linux2@SKILLS.COM kiprop/linux2@SKILLS.COM krbtgt/SKILLS.COM@SKILLS.COM nfs/linux2.skills.com@SKILLS.COM nfs/linux3.skills.com@SKILLS.COM nfs/linux4.skills.com@SKILLS.COM root/admin@SKILLS.COM kadmin.local: #到这里 KDC 主服务器配置完成。
linux3的配置:
#创建xiao的用户 [root@linux3 ~]# useradd -u 2000 -d /home/xiaodir xiao [root@linux3 ~]# id xiao uid=2000(xiao) gid=2000(xiao) groups=2000(xiao) #安装 kerberos 客户端及 nfs 服务 [root@linux3 ~]# yum install krb5-workstation.x86_64 nfs-utils.x86_64 -y #查看所需要的包 rpm -qa |grep -E "nfs-utils|rpcbind" #编辑主配置文件(vim /etc/krb5.conf),将里面所有的EXAMPLE.COM改成自己的域名 [root@linux3 ~]# vim /etc/krb5.conf # To opt out of the system crypto-policies configuration of krb5, remove the # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 default_realm = SKILLS.COM #取消注释并修改域名SKILLS.COM default_ccache_name = KEYRING:persistent:%{uid} [realms]#取消注释并修改域名SKILLS.COM 以及linux2.skills.com SKILLS.COM = { kdc = linux2.skills.com admin_server = linux2.skills.com } [domain_realm]#取消注释并修改域名SKILLS.COM 以及skills.com .skills.com = SKILLS.COM skills.com = SKILLS.COM #用密码登录 kdc 数据库并下载 key(kadmin),需要输入密码,这里的密码为上面设置的 Skills39 [root@linux3 ~]# kadmin Authenticating as principal root/admin@SKILLS.COM with password. Password for root/admin@SKILLS.COM: kadmin: ktadd nfs/linux3.skills.com Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. kadmin: #注意:ktadd nfs/linux3.skills.com 的输出本应显示 nfs/linux3.skills.com 主体,若像上面一样显示 root/admin,说明写入 keytab 的主体不对,可用 klist -k /etc/krb5.keytab 核对后重新 ktadd #创建需要以 krb5p 方式访问的 nfs 共享目录 mkdir /srv/sharenfs #去配置 nfs 服务器 [root@linux3 ~]# vim /etc/exports /srv/sharenfs *(rw,anonuid=2000,sec=krb5p) #注意:* 表示允许任意主机访问,并未限定为 linux 服务器所在网段;且 anonuid 只对被压缩(squash)的用户生效,要把所有用户都映射为 xiao 还需加 all_squash 并设置 anongid=2000,例如按实际网段(示例)写成 10.10.120.0/24(rw,all_squash,anonuid=2000,anongid=2000,sec=krb5p) [root@linux3 ~]# exportfs -rv #激活配置(若 nfs-server 尚未运行,需先执行 systemctl enable --now nfs-server.service) #查看挂载点 [root@linux3 ~]# showmount -e 10.10.120.103 Export list for 10.10.120.103: /srv/sharenfs *
linux4的配置:
#安装 kerberos 客户端及 nfs 服务 [root@linux4 ~]# yum install krb5-workstation.x86_64 nfs-utils.x86_64 -y #开启nfs服务 systemctl restart nfs-server.service systemctl enable nfs-server.service #编辑主配置文件(vim /etc/krb5.conf),将里面所有的EXAMPLE.COM改成自己的域名 [root@linux4 ~]# vim /etc/krb5.conf # To opt out of the system crypto-policies configuration of krb5, remove the # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 default_realm = SKILLS.COM #取消注释并修改域名SKILLS.COM default_ccache_name = KEYRING:persistent:%{uid} [realms]#取消注释并修改域名SKILLS.COM 以及linux2.skills.com SKILLS.COM = { kdc = linux2.skills.com admin_server = linux2.skills.com } [domain_realm]#取消注释并修改域名SKILLS.COM 以及skills.com .skills.com = SKILLS.COM skills.com = SKILLS.COM #用密码登录 kdc 数据库并下载 key(kadmin),需要输入密码,这里的密码为上面设置的 Skills39 [root@linux4 ~]# kadmin Authenticating as principal root/admin@SKILLS.COM with password. Password for root/admin@SKILLS.COM: kadmin: ktadd nfs/linux4.skills.com Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. kadmin: #创建挂载目录 mkdir /sharenfs #安装 autofs服务 yum install autofs.x86_64 -y #修改 autofs 的主配置文件,添加内容: vim /etc/auto.master /sharenfs /etc/auto.nfs #修改 autofs 的子映射文件,添加内容: vim /etc/auto.nfs sharenfs -fstype=nfs,rw,sync 10.10.120.103:/srv/sharenfs #注意:这样实际挂载点是 /sharenfs/sharenfs;若要严格按题意挂到 /sharenfs,可在 auto.master 中改用直接映射 /- /etc/auto.nfs,并把子文件写成 /sharenfs -fstype=nfs,rw,sync,sec=krb5p 10.10.120.103:/srv/sharenfs,显式写上 sec=krb5p 可避免依赖客户端与服务器的安全类型协商 #重启 autofs,并设置开机自启 systemctl restart autofs.service systemctl enable autofs.service #手动 mount 挂载的方法: mount -t nfs 10.10.120.103:/srv/sharenfs /sharenfs
测试:
#linux4 在/sharenfs 中创建文件 test #只有当切换到 sharenfs 目录时才会触发 autofs 自动挂载。 [root@linux4 sharenfs]# ls -lh //进入顶级目录下,此时看不到 sharenfs 子目录。 total 0 [root@linux4 sharenfs]# cd sharenfs //只有当切换到 sharenfs 目录时才会触发 autofs 自动挂载。 [root@linux4 sharenfs]# touch test [root@linux4 sharenfs]# pwd /sharenfs/sharenfs [root@linux4 sharenfs]# [root@linux4 sharenfs]# df -Th 查看挂载状态 Filesystem Type Size Used Avail Use% Mounted on devtmpfs devtmpfs 370M 0 370M 0% /dev tmpfs tmpfs 389M 0 389M 0% /dev/shm tmpfs tmpfs 389M 5.6M 384M 2% /run tmpfs tmpfs 389M 0 389M 0% /sys/fs/cgroup /dev/mapper/rl-root xfs 37G 2.4G 35G 7% / /dev/sda1 xfs 1014M 210M 805M 21% /boot tmpfs tmpfs 78M 0 78M 0% /run/user/0 10.10.120.103:/srv/sharenfs nfs4 37G 2.5G 35G 7% /sharenfs/sharenfs ##linux3 查看文件的属性: [root@linux3 ~]# ls -la /srv/sharenfs/ total 0 drwxrwxrwx 2 root root 18 Nov 13 01:28 . drwxr-xr-x. 3 root root 22 Nov 13 00:20 .. -rw-r--r-- 1 xiao nobody 0 Nov 13 01:28 test [root@linux3 ~]# #注意:test 的属主是 xiao 但属组是 nobody,与 exports 中只设置了 anonuid 而没有设置 anongid=2000 相符;另外 df 显示实际挂载点为 /sharenfs/sharenfs,而题目要求挂载到 /sharenfs。