Bo's Oracle Station

查看: 1479|回复: 0

课程第9次

[复制链接]

1005

主题

1469

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
12012
发表于 2019-7-23 20:36:09 | 显示全部楼层 |阅读模式
2019-07-23

RH124 P222:
RHEL7.6已经不存在nfs-secure-server, 而是服务器和客户端都要运行nfs-secure。得出推论:nfs服务器和nfs客户端都同时必须是kerberos服务器的客户端。
  1. [root@instructor etc]# kadmin.local
  2. Authenticating as principal root/admin@EXAMPLE.COM with password.
  3. kadmin.local:  ?
  4. Available kadmin.local requests:

  5. add_principal, addprinc, ank
  6.                          Add principal
  7. delete_principal, delprinc
  8.                          Delete principal
  9. modify_principal, modprinc
  10.                          Modify principal
  11. change_password, cpw     Change password
  12. get_principal, getprinc  Get principal
  13. list_principals, listprincs, get_principals, getprincs
  14.                          List principals
  15. add_policy, addpol       Add policy
  16. modify_policy, modpol    Modify policy
  17. delete_policy, delpol    Delete policy
  18. get_policy, getpol       Get policy
  19. list_policies, listpols, get_policies, getpols
  20.                          List policies
  21. get_privs, getprivs      Get privileges
  22. ktadd, xst               Add entry(s) to a keytab
  23. ktremove, ktrem          Remove entry(s) from a keytab
  24. lock                     Lock database exclusively (use with extreme caution!)
  25. unlock                   Release exclusive database lock
  26. kadmin.local:  list_principals
  27. K/M@EXAMPLE.COM
  28. kadmin/admin@EXAMPLE.COM
  29. kadmin/changepw@EXAMPLE.COM
  30. kadmin/instructor.example.com@EXAMPLE.COM
  31. krbtgt/EXAMPLE.COM@EXAMPLE.COM
  32. ldapuser10@EXAMPLE.COM
  33. ldapuser11@EXAMPLE.COM
  34. ldapuser12@EXAMPLE.COM
  35. ldapuser13@EXAMPLE.COM
  36. ldapuser14@EXAMPLE.COM
  37. ldapuser15@EXAMPLE.COM
  38. ldapuser16@EXAMPLE.COM
  39. ldapuser17@EXAMPLE.COM
  40. ldapuser18@EXAMPLE.COM
  41. ldapuser19@EXAMPLE.COM
  42. ldapuser1@EXAMPLE.COM
  43. ldapuser20@EXAMPLE.COM
  44. ldapuser2@EXAMPLE.COM
  45. ldapuser3@EXAMPLE.COM
  46. ldapuser4@EXAMPLE.COM
  47. ldapuser5@EXAMPLE.COM
  48. ldapuser6@EXAMPLE.COM
  49. ldapuser7@EXAMPLE.COM
  50. ldapuser8@EXAMPLE.COM
  51. ldapuser9@EXAMPLE.COM
  52. kadmin.local:
复制代码
---------------------------------------------------------
  1. kadmin.local:  addpric root/admin
  2. kadmin.local: Unknown request "addpric".  Type "?" for a request list.
  3. kadmin.local:  addprinc root/admin
  4. WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
  5. Enter password for principal "root/admin@EXAMPLE.COM":
  6. Re-enter password for principal "root/admin@EXAMPLE.COM":
  7. Principal "root/admin@EXAMPLE.COM" created.
  8. kadmin.local:  addprinc -randkey host/instructor.example.com
  9. WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaul                                                                             ting to no policy
  10. Principal "host/instructor.example.com@EXAMPLE.COM" created.
  11. kadmin.local:   addprinc -randkey host/desktop3.example.com
  12. WARNING: no policy specified for host/desktop3.example.com@EXAMPLE.COM; defaulti                                                                             ng to no policy
  13. Principal "host/desktop3.example.com@EXAMPLE.COM" created.
  14. kadmin.local:   addprinc -randkey host/server3.example.com
  15. WARNING: no policy specified for host/server3.example.com@EXAMPLE.COM; defaultin                                                                             g to no policy
  16. Principal "host/server3.example.com@EXAMPLE.COM" created.
  17. kadmin.local:  list_principals
  18. K/M@EXAMPLE.COM
  19. host/desktop3.example.com@EXAMPLE.COM
  20. host/instructor.example.com@EXAMPLE.COM
  21. host/server3.example.com@EXAMPLE.COM
  22. kadmin/admin@EXAMPLE.COM
  23. kadmin/changepw@EXAMPLE.COM
  24. kadmin/instructor.example.com@EXAMPLE.COM
  25. krbtgt/EXAMPLE.COM@EXAMPLE.COM
  26. ldapuser10@EXAMPLE.COM
  27. ldapuser11@EXAMPLE.COM
  28. ldapuser12@EXAMPLE.COM
  29. ldapuser13@EXAMPLE.COM
  30. ldapuser14@EXAMPLE.COM
  31. ldapuser15@EXAMPLE.COM
  32. ldapuser16@EXAMPLE.COM
  33. ldapuser17@EXAMPLE.COM
  34. ldapuser18@EXAMPLE.COM
  35. ldapuser19@EXAMPLE.COM
  36. ldapuser1@EXAMPLE.COM
  37. ldapuser20@EXAMPLE.COM
  38. ldapuser2@EXAMPLE.COM
  39. ldapuser3@EXAMPLE.COM
  40. ldapuser4@EXAMPLE.COM
  41. ldapuser5@EXAMPLE.COM
  42. ldapuser6@EXAMPLE.COM
  43. ldapuser7@EXAMPLE.COM
  44. ldapuser8@EXAMPLE.COM
  45. ldapuser9@EXAMPLE.COM
  46. root/admin@EXAMPLE.COM
  47. kadmin.local:
复制代码
-------------------------------------------------------
  1. kadmin.local:   addprinc -randkey  nfs/desktop3.example.com
  2. WARNING: no policy specified for nfs/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
  3. Principal "nfs/desktop3.example.com@EXAMPLE.COM" created.
  4. kadmin.local:   addprinc -randkey nfs/server3.example.com
  5. WARNING: no policy specified for nfs/server3.example.com@EXAMPLE.COM; defaulting to no policy
  6. Principal "nfs/server3.example.com@EXAMPLE.COM" created.
  7. kadmin.local:
  8. kadmin.local:
  9. kadmin.local:  list_principals
  10. K/M@EXAMPLE.COM
  11. host/desktop3.example.com@EXAMPLE.COM
  12. host/instructor.example.com@EXAMPLE.COM
  13. host/server3.example.com@EXAMPLE.COM
  14. kadmin/admin@EXAMPLE.COM
  15. kadmin/changepw@EXAMPLE.COM
  16. kadmin/instructor.example.com@EXAMPLE.COM
  17. krbtgt/EXAMPLE.COM@EXAMPLE.COM
  18. ldapuser10@EXAMPLE.COM
  19. ldapuser11@EXAMPLE.COM
  20. ldapuser12@EXAMPLE.COM
  21. ldapuser13@EXAMPLE.COM
  22. ldapuser14@EXAMPLE.COM
  23. ldapuser15@EXAMPLE.COM
  24. ldapuser16@EXAMPLE.COM
  25. ldapuser17@EXAMPLE.COM
  26. ldapuser18@EXAMPLE.COM
  27. ldapuser19@EXAMPLE.COM
  28. ldapuser1@EXAMPLE.COM
  29. ldapuser20@EXAMPLE.COM
  30. ldapuser2@EXAMPLE.COM
  31. ldapuser3@EXAMPLE.COM
  32. ldapuser4@EXAMPLE.COM
  33. ldapuser5@EXAMPLE.COM
  34. ldapuser6@EXAMPLE.COM
  35. ldapuser7@EXAMPLE.COM
  36. ldapuser8@EXAMPLE.COM
  37. ldapuser9@EXAMPLE.COM
  38. nfs/desktop3.example.com@EXAMPLE.COM
  39. nfs/server3.example.com@EXAMPLE.COM
  40. root/admin@EXAMPLE.COM
  41. kadmin.local:
复制代码
-------------------------------------------------------------------分别生成客户端的keytab和服务器端的keytab:
客户端的:
  1. kadmin.local:  ktadd host/desktop3.example.com
  2. Entry for principal host/desktop3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  3. Entry for principal host/desktop3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  4. Entry for principal host/desktop3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  5. Entry for principal host/desktop3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
  6. Entry for principal host/desktop3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  7. Entry for principal host/desktop3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
  8. kadmin.local:
复制代码
instructor现在的/etc/krb5.keytab
发布它:
  1. [root@instructor etc]# ls -l krb5.keytab
  2. -rw-------. 1 root root 466 Jul 23 21:13 krb5.keytab
  3. [root@instructor etc]# ls -l krb5.*
  4. -rw-r--r--. 1 root root 449 Feb 18  2010 krb5.conf
  5. -rw-r--r--. 1 root root 453 Oct  2  2010 krb5.conf-gls
  6. -rw-------. 1 root root 466 Jul 23 21:13 krb5.keytab
  7. [root@instructor etc]# cp krb5.keytab  /var/ftp/pub/krb5.keytab.client
  8. [root@instructor pub]# chmod 644  krb5.keytab.client
复制代码
服务器端的:
  1. [root@instructor pub]# kadmin.local
  2. Authenticating as principal root/admin@EXAMPLE.COM with password.
  3. kadmin.local:  ktadd host/server3.example.com
  4. Entry for principal host/server3.example.com with kvno 2, encryption type aes256                                                                             -cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  5. Entry for principal host/server3.example.com with kvno 2, encryption type aes128                                                                             -cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  6. Entry for principal host/server3.example.com with kvno 2, encryption type des3-c                                                                             bc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  7. Entry for principal host/server3.example.com with kvno 2, encryption type arcfou                                                                             r-hmac added to keytab WRFILE:/etc/krb5.keytab.
  8. Entry for principal host/server3.example.com with kvno 2, encryption type des-hm                                                                             ac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  9. Entry for principal host/server3.example.com with kvno 2, encryption type des-cb                                                                             c-md5 added to keytab WRFILE:/etc/krb5.keytab.
  10. kadmin.local:  ktadd nfs/server3.example.com
  11. Entry for principal nfs/server3.example.com with kvno 2, encryption type aes256-                                                                             cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  12. Entry for principal nfs/server3.example.com with kvno 2, encryption type aes128-                                                                             cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  13. Entry for principal nfs/server3.example.com with kvno 2, encryption type des3-cb                                                                             c-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  14. Entry for principal nfs/server3.example.com with kvno 2, encryption type arcfour                                                                             -hmac added to keytab WRFILE:/etc/krb5.keytab.
  15. Entry for principal nfs/server3.example.com with kvno 2, encryption type des-hma                                                                             c-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  16. Entry for principal nfs/server3.example.com with kvno 2, encryption type des-cbc                                                                             -md5 added to keytab WRFILE:/etc/krb5.keytab.
  17. kadmin.local:  quit
  18. [root@instructor pub]# cp /etc/krb5.keytab   /var/ftp/pub
  19. [root@instructor pub]# chmod 644 /var/ftp/pub/krb5.keytab
  20. [root@instructor pub]# mv /var/ftp/pub/krb5.keytab  /var/ftp/pub/krb5.keytab.ser                                                                             ver
  21. [root@instructor pub]#
复制代码
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@desktop3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Tue 2019-07-23 19:57:28 CST; 1h 44min ago
           ConditionPathExists=/etc/krb5.keytab was not met
[root@desktop3 ~]# systemctl restart nfs-secure
[root@desktop3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2019-07-23 21:42:24 CST; 3s ago
  Process: 10538 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
Main PID: 10539 (rpc.gssd)
    Tasks: 1
   CGroup: /system.slice/rpc-gssd.service
           └─10539 /usr/sbin/rpc.gssd

Jul 23 21:42:24 desktop3.example.com systemd[1]: Starting RPC security service for NFS client and server...
Jul 23 21:42:24 desktop3.example.com systemd[1]: Started RPC security service for NFS client and server.
[root@desktop3 ~]#

-----------------------------------------
[root@server3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Tue 2019-07-23 09:50:59 CST; 11h ago
[root@server3 ~]# systemctl restart nfs-secure
[root@server3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Tue 2019-07-23 21:44:21 CST; 5s ago
  Process: 29001 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
Main PID: 29002 (rpc.gssd)
    Tasks: 1
   CGroup: /system.slice/rpc-gssd.service
           └─29002 /usr/sbin/rpc.gssd

Jul 23 21:44:21 server3.example.com systemd[1]: Starting RPC security service for NFS client and server...
Jul 23 21:44:21 server3.example.com systemd[1]: Started RPC security service for NFS client and server.

----------------------------------------------------------------------------------配置自动挂载选项:
  1. [root@desktop3 ~]# cd /etc
  2. [root@desktop3 etc]# vim  auto.guests
复制代码
  1. [root@desktop3 etc]# vim  auto.guests
  2. #
  3. # This is an automounter map and it has the following format
  4. # key [ -mount-options-separated-by-comma ] location
  5. # Details may be found in the autofs(5) manpage

  6. *               -rw,soft,intr,sec=krb5p,v4.2 192.168.0.103:/rhosts/&

  7. # the following entries are samples to pique your imagination
  8. #linux          -ro,soft,intr           ftp.example.org:/pub/linux
  9. #boot           -fstype=ext2            :/dev/hda1
  10. #floppy         -fstype=auto            :/dev/fd0
  11. #floppy         -fstype=ext2            :/dev/fd0
  12. #e2floppy       -fstype=ext2            :/dev/fd0
  13. #jaz            -fstype=ext2            :/dev/sdc1
复制代码

----------------V4.2/etc/sysconfig/nfs:
  1. #
  2. # Note: For new values to take effect the nfs-config service
  3. # has to be restarted with the following command:
  4. #    systemctl restart nfs-config
  5. #
  6. # Optional arguments passed to in-kernel lockd
  7. #LOCKDARG=
  8. # TCP port rpc.lockd should listen on.
  9. #LOCKD_TCPPORT=32803
  10. # UDP port rpc.lockd should listen on.
  11. #LOCKD_UDPPORT=32769
  12. #
  13. # Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
  14. RPCNFSDARGS="-V 4.2"
  15. # Number of nfs server processes to be started.
  16. # The default is 8.
复制代码
/etc/exports:
  1. /rhosts   192.168.0.0/255.255.255.0(rw,sync,sec=krb5p)
复制代码






回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|手机版|Bo's Oracle Station   

GMT+8, 2024-12-4 16:28 , Processed in 0.041327 second(s), 25 queries .

快速回复 返回顶部 返回列表