课程第9次

botang · 发表于 2019-7-23 20:36:09

2019-07-23

RH124 P222：
RHEL7.6已经不存在nfs-secure-server，而是服务器和客户端都要运行nfs-secure。得出推论：nfs服务器和nfs客户端都同时必须是kerberos服务器的客户端。

[root@instructor etc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: ?
Available kadmin.local requests:
add_principal, addprinc, ank
Add principal
delete_principal, delprinc
Delete principal
modify_principal, modprinc
Modify principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincs
List principals
add_policy, addpol Add policy
modify_policy, modpol Modify policy
delete_policy, delpol Delete policy
get_policy, getpol Get policy
list_policies, listpols, get_policies, getpols
List policies
get_privs, getprivs Get privileges
ktadd, xst Add entry(s) to a keytab
ktremove, ktrem Remove entry(s) from a keytab
lock Lock database exclusively (use with extreme caution!)
unlock Release exclusive database lock
kadmin.local: list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
kadmin.local:

复制代码

---------------------------------------------------------

kadmin.local: addpric root/admin
kadmin.local: Unknown request "addpric". Type "?" for a request list.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/instructor.example.com
WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaul ting to no policy
Principal "host/instructor.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/desktop3.example.com
WARNING: no policy specified for host/desktop3.example.com@EXAMPLE.COM; defaulti ng to no policy
Principal "host/desktop3.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/server3.example.com
WARNING: no policy specified for host/server3.example.com@EXAMPLE.COM; defaultin g to no policy
Principal "host/server3.example.com@EXAMPLE.COM" created.
kadmin.local: list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local:

复制代码

-------------------------------------------------------

kadmin.local: addprinc -randkey nfs/desktop3.example.com
WARNING: no policy specified for nfs/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/desktop3.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey nfs/server3.example.com
WARNING: no policy specified for nfs/server3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/server3.example.com@EXAMPLE.COM" created.
kadmin.local:
kadmin.local:
kadmin.local: list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
nfs/desktop3.example.com@EXAMPLE.COM
nfs/server3.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local:

复制代码

-------------------------------------------------------------------分别生成客户端的keytab和服务器端的keytab：
客户端的：

kadmin.local: ktadd host/desktop3.example.com
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:

复制代码

instructor现在的/etc/krb5.keytab
发布它：

[root@instructor etc]# ls -l krb5.keytab
-rw-------. 1 root root 466 Jul 23 21:13 krb5.keytab
[root@instructor etc]# ls -l krb5.*
-rw-r--r--. 1 root root 449 Feb 18 2010 krb5.conf
-rw-r--r--. 1 root root 453 Oct 2 2010 krb5.conf-gls
-rw-------. 1 root root 466 Jul 23 21:13 krb5.keytab
[root@instructor etc]# cp krb5.keytab /var/ftp/pub/krb5.keytab.client
[root@instructor pub]# chmod 644 krb5.keytab.client

复制代码

服务器端的：

[root@instructor pub]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: ktadd host/server3.example.com
Entry for principal host/server3.example.com with kvno 2, encryption type aes256 -cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type aes128 -cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des3-c bc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type arcfou r-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-hm ac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-cb c-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: ktadd nfs/server3.example.com
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes256- cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes128- cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des3-cb c-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type arcfour -hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-hma c-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-cbc -md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: quit
[root@instructor pub]# cp /etc/krb5.keytab /var/ftp/pub
[root@instructor pub]# chmod 644 /var/ftp/pub/krb5.keytab
[root@instructor pub]# mv /var/ftp/pub/krb5.keytab /var/ftp/pub/krb5.keytab.ser ver
[root@instructor pub]#

复制代码

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@desktop3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
Active: inactive (dead)
Condition: start condition failed at Tue 2019-07-23 19:57:28 CST; 1h 44min ago
         ConditionPathExists=/etc/krb5.keytab was not met
[root@desktop3 ~]# systemctl restart nfs-secure
[root@desktop3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
Active: active (running) since Tue 2019-07-23 21:42:24 CST; 3s ago
  Process: 10538 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
Main PID: 10539 (rpc.gssd)
Tasks: 1
CGroup: /system.slice/rpc-gssd.service
         └─10539 /usr/sbin/rpc.gssd

Jul 23 21:42:24 desktop3.example.com systemd[1]: Starting RPC security service for NFS client and server...
Jul 23 21:42:24 desktop3.example.com systemd[1]: Started RPC security service for NFS client and server.
[root@desktop3 ~]#

-----------------------------------------
[root@server3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
Active: inactive (dead)
Condition: start condition failed at Tue 2019-07-23 09:50:59 CST; 11h ago
[root@server3 ~]# systemctl restart nfs-secure
[root@server3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
Active: active (running) since Tue 2019-07-23 21:44:21 CST; 5s ago
  Process: 29001 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
Main PID: 29002 (rpc.gssd)
Tasks: 1
CGroup: /system.slice/rpc-gssd.service
         └─29002 /usr/sbin/rpc.gssd

Jul 23 21:44:21 server3.example.com systemd[1]: Starting RPC security service for NFS client and server...
Jul 23 21:44:21 server3.example.com systemd[1]: Started RPC security service for NFS client and server.

----------------------------------------------------------------------------------配置自动挂载选项：

[root@desktop3 ~]# cd /etc
[root@desktop3 etc]# vim auto.guests

复制代码

[root@desktop3 etc]# vim auto.guests
#
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# Details may be found in the autofs(5) manpage
* -rw,soft,intr,sec=krb5p，v4.2 192.168.0.103:/rhosts/&
# the following entries are samples to pique your imagination
#linux -ro,soft,intr ftp.example.org:/pub/linux
#boot -fstype=ext2 :/dev/hda1
#floppy -fstype=auto :/dev/fd0
#floppy -fstype=ext2 :/dev/fd0
#e2floppy -fstype=ext2 :/dev/fd0
#jaz -fstype=ext2 :/dev/sdc1

复制代码

----------------V4.2/etc/sysconfig/nfs:

#
# Note: For new values to take effect the nfs-config service
# has to be restarted with the following command:
# systemctl restart nfs-config
#
# Optional arguments passed to in-kernel lockd
#LOCKDARG=
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
#LOCKD_UDPPORT=32769
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
RPCNFSDARGS="-V 4.2"
# Number of nfs server processes to be started.
# The default is 8.

复制代码

/etc/exports:

/rhosts 192.168.0.0/255.255.255.0(rw,sync,sec=krb5p)

复制代码