2022国赛正式题NFS解题方法

最新推荐文章于 2023-02-27 20:24:54 发布

A Flag

最新推荐文章于 2023-02-27 20:24:54 发布

阅读量1.3k

点赞数 8

文章标签：服务器 linux 运维

本文链接：https://blog.csdn.net/tengda521/article/details/127823325

版权

(五)nfs 服务

任务描述：请采用 nfs，实现共享资源的安全访问。
1.配置 linux2 为 kdc 服务器，负责 linux3 和 linux4 的验证。
2.在 linux3 上，创建用户，用户名为 xiao，uid=2000，gid=2000，家目录为/home/xiaodir。
3.配置 linux3 为 nfs 服务器，目录/srv/sharenfs 的共享要求为：linux 服务器所在网络用户有读写权限，所有用户映射为 xiao，kdc 加密方式为 krb5p。
4.配置 linux4 为 nfs 客户端，利用 autofs 按需挂载 linux3 上的/srv/sharenfs 到/sharenfs 目录，挂载成功后在该目录创建 test 目录。

linux2的配置

#linux2安装服务
yum install -y krb5* 
#在linux2，linux3，linux4的/etc/hosts 里添加三台主机的ip及机器名
vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
 10.10.120.103 linux3.skills.com
 10.10.120.104 linux4.skills.com
 10.10.120.102 linux2.skills.com
#在linux2上编辑主配置文件(vim /etc/krb5.conf),将里面所有的EXAMPLE.COM改成自己的域名
vim /etc/krb5.conf

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = SKILLS.COM      #取消注释并修改域名SKILLS.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]#取消注释并修改域名SKILLS.COM 以及linux2.skills.com
 SKILLS.COM = {
     kdc = linux2.skills.com
     admin_server = linux2.skills.com
 }

[domain_realm]#取消注释并修改域名SKILLS.COM 以及skills.com
 .skills.com = SKILLS.COM
 skills.com = SKILLS.COM

#修改/var/kerberos/krb5kdc/kadm5.acl,将EXAMPLE.COM改成自己的域名.
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@SKILLS.COM      *
#初始化kdc 数据库
[root@linux2 ~]# kdb5_util create -s #需要输入秘钥 可以写成 Skills39
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SKILLS.COM',
master key name 'K/M@SKILLS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
#重启服务
[root@linux2 ~]# systemctl restart krb5kdc kadmin
[root@linux2 ~]# systemctl enable krb5kdc kadmin
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.
[root@linux2 ~]# 
#登录Kerberos Server服务 root免密登陆kadmin.local,并创建填加Kerberos用户,随机生成一个值作为三太节点的key，并下载主服务器的key.
[root@linux2 ~]# kadmin.local 
Authenticating as principal root/admin@SKILLS.COM with password.
kadmin.local:  
kadmin.local:  123456
kadmin.local: Unknown request "123456".  Type "?" for a request list.
kadmin.local:  
kadmin.local:  addprinc root/admin  #输入密码 Skills39
No policy specified for root/admin@SKILLS.COM; defaulting to no policy
Enter password for principal "root/admin@SKILLS.COM": 
Re-enter password for principal "root/admin@SKILLS.COM": 
Principal "root/admin@SKILLS.COM" created.
kadmin.local:  addprinc -randkey "nfs/linux2.skills.com"
No policy specified for nfs/linux2.skills.com@SKILLS.COM; defaulting to no policy
Principal "nfs/linux2.skills.com@SKILLS.COM" created.
kadmin.local:  addprinc -randkey "nfs/linux3.skills.com"
No policy specified for nfs/linux3.skills.com@SKILLS.COM; defaulting to no policy
Principal "nfs/linux3.skills.com@SKILLS.COM" created.
kadmin.local:  addprinc -randkey "nfs/linux4.skills.com"
No policy specified for nfs/linux4.skills.com@SKILLS.COM; defaulting to no policy
Principal "nfs/linux4.skills.com@SKILLS.COM" created.
kadmin.local:  ktadd nfs/linux2.skills.com
Entry for principal nfs/linux2.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/linux2.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:

#可以用listprincs查看创建的key
kadmin.local:  listprincs   
K/M@SKILLS.COM
kadmin/admin@SKILLS.COM
kadmin/changepw@SKILLS.COM
kadmin/linux2@SKILLS.COM
kiprop/linux2@SKILLS.COM
krbtgt/SKILLS.COM@SKILLS.COM
nfs/linux2.skills.com@SKILLS.COM
nfs/linux3.skills.com@SKILLS.COM
nfs/linux4.skills.com@SKILLS.COM
root/admin@SKILLS.COM
kadmin.local:  
#到这主服务器配置完成。

linux3的配置：

#创建xiao的用户
[root@linux3 ~]# useradd -u 2000 -d /home/xiaodir xiao
[root@linux3 ~]# id xiao
uid=2000(xiao) gid=2000(xiao) groups=2000(xiao)
#安装 kerbos服务及nfs服务
[root@linux3 ~]#  yum install krb5-workstation.x86_64  nfs-utils.x86_64 -y
#查看所需要的包 rpm -qa |grep -E "nfs-utils|rpcbind"
#编辑主配置文件(vim /etc/krb5.conf),将里面所有的EXAMPLE.COM改成自己的域名
[root@linux3 ~]#  vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = SKILLS.COM      #取消注释并修改域名SKILLS.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]#取消注释并修改域名SKILLS.COM 以及linux2.skills.com
 SKILLS.COM = {
     kdc = linux2.skills.com
     admin_server = linux2.skills.com
 }

[domain_realm]#取消注释并修改域名SKILLS.COM 以及skills.com
 .skills.com = SKILLS.COM
 skills.com = SKILLS.COM

#密码登陆kdc数据库下载key(kadmin) 需要输入密码 这里的密码为上面设置的Skills39
[root@linux3 ~]# kadmin 
Authenticating as principal root/admin@SKILLS.COM with password.
Password for root/admin@SKILLS.COM: 
kadmin:  ktadd nfs/linux3.skills.com
Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
kadmin:  

#创建一个需要krb5p加密访问的nfs挂载文件
mkdir /srv/sharenfs
#去配置 nfs 服务器
[root@linux3 ~]#  vim /etc/exports
/srv/sharenfs   *(rw,anonuid=2000,sec=krb5p)
[root@linux3 ~]#  exportfs -rv #激活配置

#查看挂载点
[root@linux3 ~]#  showmount -e 10.10.120.103
Export list for 10.10.120.103:
/srv/sharenfs *

linux4的配置：

#安装 kerbos服务及nfs服务
[root@linux4 ~]#  yum install krb5-workstation.x86_64  nfs-utils.x86_64 -y
#开启nfs服务
systemctl restart nfs-server.service
systemctl enable nfs-server.service 
#编辑主配置文件(vim /etc/krb5.conf),将里面所有的EXAMPLE.COM改成自己的域名
[root@linux4 ~]#  vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = SKILLS.COM      #取消注释并修改域名SKILLS.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]#取消注释并修改域名SKILLS.COM 以及linux2.skills.com
 SKILLS.COM = {
     kdc = linux2.skills.com
     admin_server = linux2.skills.com
 }

[domain_realm]#取消注释并修改域名SKILLS.COM 以及skills.com
 .skills.com = SKILLS.COM
 skills.com = SKILLS.COM
 
#密码登陆kdc数据库下载key(kadmin) 需要输入密码 这里的密码为上面设置的Skills39
[root@linux3 ~]# kadmin 
Authenticating as principal root/admin@SKILLS.COM with password.
Password for root/admin@SKILLS.COM: 
kadmin:  ktadd nfs/linux4.skills.com
Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal root/admin@SKILLS.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
kadmin:  
#创建挂载目录
 mkdir /sharenfs
#安装 autofs服务
 yum install autofs.x86_64  -y
#修改anto的主配置文件 添加内容：
 vim /etc/auto.master
 /sharenfs       /etc/auto.nfs
#修改anto的子文件 添加内容 :
vim /etc/auto.nfs
sharenfs        -fstype=nfs,rw,sync          10.10.120.103:/srv/sharenfs
#重启anto，以及开机自启服务 
systemctl restart autofs.service
systemctl enable autofs.service 

#mount 挂载的方法：
mount -t nfs 10.10.120.103:/srv/sharenfs /sharenfs

测试：

#linux4 在/sharenfs 中创建文件 test
#只有当切换到 sharenfs 目录时才会触发 autofs 自动挂载。
[root@linux4 sharenfs]# ls -lh   //进入顶级目录下，此时无法查看到 users 目录。
total 0
[root@linux4 sharenfs]# cd sharenfs //只有当切换到 sharenfs 目录时才会触发 autofs 自动挂载。
[root@linux4 sharenfs]# touch test
[root@linux4 sharenfs]# pwd
/sharenfs/sharenfs
[root@linux4 sharenfs]# 
[root@linux4 sharenfs]# df -Th  查看挂载状态
Filesystem                  Type      Size  Used Avail Use% Mounted on
devtmpfs                    devtmpfs  370M     0  370M   0% /dev
tmpfs                       tmpfs     389M     0  389M   0% /dev/shm
tmpfs                       tmpfs     389M  5.6M  384M   2% /run
tmpfs                       tmpfs     389M     0  389M   0% /sys/fs/cgroup
/dev/mapper/rl-root         xfs        37G  2.4G   35G   7% /
/dev/sda1                   xfs      1014M  210M  805M  21% /boot
tmpfs                       tmpfs      78M     0   78M   0% /run/user/0
10.10.120.103:/srv/sharenfs nfs4       37G  2.5G   35G   7% /sharenfs/sharenfs

##linux3 查看文件是属性 ：
[root@linux3 ~]# ls -la /srv/sharenfs/
total 0
drwxrwxrwx  2 root root   18 Nov 13 01:28 .
drwxr-xr-x. 3 root root   22 Nov 13 00:20 ..
-rw-r--r--  1 xiao nobody  0 Nov 13 01:28 test
[root@linux3 ~]#

A Flag

关注

8
点赞
踩
16

收藏

觉得还不错? 一键收藏
1
评论
2022国赛正式题NFS解题方法

任务描述：请采用 nfs，实现共享资源的安全访问。1.配置 linux2 为 kdc 服务器，负责 linux3 和 linux4 的验证。2.在 linux3 上，创建用户，用户名为 xiao，uid=2000，gid=2000，家目录为/home/xiaodir。3.配置 linux3 为 nfs 服务器，目录/srv/sharenfs 的共享要求为：linux 服务器所在网络用户有读写权限，所有用户映射为 xiao，kdc 加密方式为 krb5p。
复制链接

扫一扫