课程第8次

botang · 发表于 2019-7-21 20:45:20

2019-07-21
为什么LDAP基础节点叫"dc=example, dc=com"

[root@instructor openldap]# grep -r 'dc=example' ./
./slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/slapd.d-glsorig/slapd.d-glsorig/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/slapd.d-glsorig/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d-glsorig/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./slapd.d/cn=config/olcDatabase={1}bdb.ldif:olcSuffix: dc=example,dc=com
./ldap.conf:#BASE dc=example,dc=com
[root@instructor openldap]# pwd
/etc/openldap

复制代码

为什么kerberos的验证域叫“EXAMPLE.COM”:

[root@instructor etc]# vim krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
~

复制代码

密码为什么是“kerberos”?
/root/bin/gls-setup-krb5

#!/bin/bash
#
# krb5script
# Bowe Strickland <bowe@redhat.com>
# version 1.0: 2010-09-23. Initial release.
#
# Sets up instructor.example.com to act as a kerberos server. Fortunately,
# we're serving the EXAMPLE.COM domain, so many (all?) config files can be left
# at their default settings.
#set -x
# no spaces/metachars please...
MASTERPW=not_a_good_idea
USERPW=kerberos
if [ "$1" = "--reverse" ]; then
/sbin/service krb5kdc stop
/sbin/chkconfig krb5kdc off
/usr/sbin/kdb5_util destroy -f
rm -f /var/kerberos/krb5kdc/.k5.EXAMPLE.COM
else
/usr/sbin/kdb5_util create -P "$MASTERPW" -s
for i in $(seq 20); do
UNAME=$(printf ldapuser%d $i)
echo "add_principal -pw $USERPW $UNAME" | kadmin.local
done
# don't immediately start service.
# /sbin/service krb5kdc start
/sbin/chkconfig krb5kdc on
fi

复制代码

为什么家目录是"/home/guests/ldapuserX" ?
[root@desktop3 ~]# getent passwd ldapuser8
ldapuser8:*:1708:1708

DAP Test User 8:/home/guests/ldapuser8:/bin/bash
/root/ldif/people.ldif:

dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1
cn: LDAP Test User 1
givenName: LDAP Test User
sn: 1
mail: ldapuser1@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}2RxVB3Cb+JZxqLDD4EucbGKEew9bhXNB
shadowLastChange: 12797
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1701
gidNumber: 1701
homeDirectory: /home/guests/ldapuser1
gecos: LDAP Test User 1

复制代码

------------------------------------------------------------------------------------------------------------
让server3 来做NFS服务器，故意做不对称的：

/rhosts/ldapuser*

mkdir /rhosts
for i in {1..20}
do
  mkdir /rhosts/ldapuser$i
  cp -a /etc/skel/.[!.]*  /rhosts/ldapuser$i
  chown -R $[ 1700 + $i ]

[ 1700 + $i ] /rhosts/ldapuser$i
done

如果desktop3.example.com运行showmount -e server3.example.com报错的话，是因为server3.example.com上面firewall-config没有打开mountd/nfs/nfs3/rpcbind