nfs 以及利用kerberos保护nfs输出


1.nfs概念

1.网络文件系统(NFS)是Unix系统和网络附加存储文件管理器常用的网络文件系统,允许多个客户端通过网络共享文件访问。它可用于提供对共享二进制目录的访问,也可用于允许用户在同一工作组中从不同客户端访问其文件。 
2.NFS协议有多个版本:Linux支持版本4、版本3和版本2,而大多数系统管理员熟悉的是NFSv3。默认情况下该协议并不安全:传统的 AUTH_SYS(sec=sys)认证完全信任客户端自报的 UID/GID,服务器只能按客户端主机(IP/主机名)做访问控制,数据也是明文传输。较新的版本(如NFSv4)支持更强的身份验证,配合 Kerberos 可以做到用户级认证(sec=krb5)、报文完整性保护(sec=krb5i)乃至传输加密(sec=krb5p)。

2.nfs服务器配置

若要配置基本NFS服务器,先应该安装nfs-utils软件包。然后,编辑/etc/exports列出通过网络与客户端系统共享的文件系统,并指出哪些客户端对导出具有何种访问权限 

########1.安装以及配置#########

[root@server4 ~]# yum install nfs-utils -y                 ##软件包名是 nfs-utils(原文漏写 s)

[root@server4 ~]# systemctl start nfs-server 

[root@server4 ~]# systemctl enable nfs-server
[root@server4 ~]# systemctl status firewalld
[root@server4 ~]# firewall-cmd --permanent --add-service=rpc-bind      ##rpc-bind 和 mountd 只有 NFSv3 需要;若只提供 NFSv4,只开放 nfs(2049/tcp)即可缩小暴露面
success
[root@server4 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@server4 ~]# firewall-cmd --permanent --add-service=mountd
success
[root@server4 ~]# firewall-cmd --reload
success

############2.建立共享目录#############
[root@server4 ~]# mkdir /public                        ##建立共享目录;"*(sync)" 是 /etc/exports 里的写法,不是 mkdir 的参数

[root@server4 ~]# touch /public/westostest{1..3}
[root@server4 ~]# vim /etc/exports                                     ##man  5  exports
/public    *(sync)                                                                  ##public
共享给所有人并且数据同步。注意:未写明的选项取默认值,即 ro(只读)和 root_squash(客户端 root 映射为 nfsnobody);"*" 表示任何能连到服务器的主机都可以挂载,生产环境应收紧为具体主机、网段或域名,并配合防火墙限制来源。

[root@server4 ~]# chmod 777 /public        ##仅为实验方便。777 使任何能挂载的用户都可写;在 sec=sys 下客户端可以任意声明 UID,等于对所有客户端开放写权限。生产环境应用属组+setgid 或 ACL 控制写权限,而不是 777
[root@server4 ~]# vim /etc/exports
[root@server4 ~]# exportfs -rv     
##exportfs -r 重新读取 /etc/exports 并同步内核导出表,修改导出配置后用它刷新即可,不必重启 nfs-server(重启会中断已挂载客户端的访问;原文称重启会卡住,这是作者环境中观察到的现象,未必普遍存在)

exporting *:/public
[root@server4 ~]# vim /etc/exports
/public      172.25.4.10/24(sync)                           ##public共享给 172.25.4.0/24 整个网段(/24 作用于整个子网,并非只给 172.25.4.10 单机;建议直接写网络地址 172.25.4.0/24 以免误读)
[root@server4 ~]# exportfs -rv
exporting 172.25.4.10/24:/public
[root@server4 ~]# vim /etc/exports
/public      *.example.com(sync)
[root@server4 ~]# exportfs -rv
exporting *.example.com:/public
[root@server4 ~]# vim /etc/exports
/public      172.25.4.11(rw,sync)
[root@server4 ~]# exportfs -rv
exporting 172.25.4.11:/public
[root@server4 ~]# vim /etc/exports
/public      172.25.4.10(sync) 172.25.254.4(rw,sync,no_root_squash)    ##多个客户端之间用空格分隔;主机名与括号之间不能有空格,"host (options)" 会被解析成 host 用默认选项、括号内选项应用于所有人(*)。no_root_squash 让该客户端的 root 直接以服务器 root 身份读写,等于把该主机的 root 信任为服务器 root,只应给确实需要且可信的主机
[root@server4 ~]# exportfs -rv
exporting 172.25.4.10:/public
exporting 172.25.254.4:/public
[root@server4 ~]# vim /etc/exports
/public     *(rync,anonuid=1001,anongid=1000)
[root@server4 ~]# exportfs -rv
exportfs: /etc/exports:1: unknown keyword "rync"
##"rync" 是 rw 的笔误,exportfs 拒绝整行导出;应写成 *(rw,anonuid=1001,anongid=1000)。anonuid/anongid 指定被 squash 的用户映射到的服务器 UID/GID,默认只对 root(root_squash)生效,要让所有客户端用户都映射到该身份需再加 all_squash

测试:

[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public *
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
[root@desktop4 ~]# cd /mnt
[root@desktop4 mnt]# ls
westostest1  westostest2  westostest3
[root@desktop4 mnt]# touch file
touch: cannot touch ‘file’: Read-only file system
[root@desktop4 mnt]# cd
[root@desktop4 ~]# umount /mnt/
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
[root@desktop4 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            104739003805844   6668056  37% /
devtmpfs               481120       0   481120   0% /dev
tmpfs                  496708     140   496568   1% /dev/shm
tmpfs                  496708   13152   483556   3% /run
tmpfs                  496708       0   496708   0% /sys/fs/cgroup
/dev/sr0              36547203654720         0 100%/run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public  104739843129472   7344512  30% /mnt
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public 172.25.4.10/24
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public *.example.com
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
[root@desktop4 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            104739003805900   6668000 37% /
devtmpfs               481120       0   481120   0% /dev
tmpfs                  496708     140   496568   1% /dev/shm
tmpfs                  496708   13152   483556   3% /run
tmpfs                  496708       0   496708   0% /sys/fs/cgroup
/dev/sr0              36547203654720         0 100%/run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public  104739843129472   7344512  30% /mnt
[root@desktop4 ~]# cd /mnt
[root@desktop4 mnt]# touch file
touch: cannot touch ‘file’: Read-only file system
[root@desktop4 ~]# umount /mnt
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public 172.25.4.11
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
mount.nfs: access denied by server while mounting 172.25.4.11:/public
[root@desktop4 ~]# df
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/vda1       10473900 3805848   6668052 37% /
devtmpfs          481120       0   481120   0% /dev
tmpfs             496708     140   496568   1% /dev/shm
tmpfs             496708   13152   483556   3% /run
tmpfs             496708       0   496708   0% /sys/fs/cgroup
/dev/sr0         3654720 3654720         0 100% /run/media/root/RHEL-7.0Server.x86_64
[root@desktop4 ~]# cd /mnt
[root@desktop4 mnt]# touch file
[root@desktop4 mnt]# ls
file
##注意:上一步挂载已被服务器拒绝(导出只给了 172.25.4.11,即服务器自身地址,本机不在列表中),df 输出里也没有 /mnt 条目,所以这里的 file 建在客户端本地的 /mnt 目录中,并没有写到 NFS 共享上。测试写权限前务必先用 df 或 mount | grep /mnt 确认挂载成功

永久挂载:

[root@nfs-client ~]# vim /etc/fstab 

172.25.254.10:/public /mnt nfs defaults,_netdev 0 0     ##末尾是两个字段 "0 0"(dump/fsck),不是 "00";_netdev 让系统等网络就绪后再挂载,避免开机卡在 NFS 挂载上。此处服务器地址与前文的 172.25.4.11 不同,按实际环境填写
################3.
利用kerberos保护nfs输出################
[root@server4 ~]# yum install sssd krb5-workstation authconfig-gtk -y
[root@server4 ~]# logout.
[kiosk@foundation4 Desktop]$ ssh root@172.25.254.204 -X              ##
开启图形界面


[root@server4 ~]# authconfig-gtk                       ##
server上开启kerberos认证,得到ldap用户
[root@server4 ~]# su - student
[student@server4 ~]$ su - ldapuser1
Password:                                              ##
密码为kerberos
Last login: Sat Jun  3 23:09:10 EDT 2017on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file ordirectory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1701:krb_ccache_ht7k2SR
Default principal: ldapuser1@EXAMPLE.COM            ##
证书

Valid starting       Expires              Service principal
06/03/2017 23:09:43  06/04/201723:09:43 krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 06/03/2017 23:09:43
-bash-4.2$ logout
[student@server4 ~]$ su - root
[root@server4 ~]# ls
anaconda-ks.cfg  Documents  Music    Public     Videos
Desktop          Downloads  Pictures Templates
[root@server4 ~]# wget http://172.25.254.254/pub/keytabs/server4.keytab -O /etc/krb5.keytab
##keytab 是主机的长期密钥,拿到它就能冒充 server4 的 host/ 和 nfs/ 服务主体。用明文 HTTP 从实验室服务器下载只适合封闭的实验环境;生产中应通过 ipa-getkeytab/kadmin 直接生成,或经 scp/HTTPS 等受保护通道分发。下载后把权限收紧为 root:root、600(wget 默认按 umask 创建,通常是 644):
[root@server4 ~]# chmod 600 /etc/krb5.keytab
--2017-06-03 23:15:07-- http://172.25.254.254/pub/keytabs/server4.keytab
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1242 (1.2K)
Saving to: ‘/etc/krb5.keytab’

100%[=============================>] 1,242       --.-K/s  in 0s     

2017-06-03 23:15:07 (141 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]

[root@server4 ~]# ktutil                               ##检查 keytab 中是否包含 nfs/server4.example.com 主体(也可直接用 klist -k /etc/krb5.keytab 查看);缺少 nfs/ 主体时 Kerberos NFS 无法工作
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- -------------------------------------------------------------------------
   1   3     host/server4.example.com@EXAMPLE.COM
   2   3    host/server4.example.com@EXAMPLE.COM
   3   3    host/server4.example.com@EXAMPLE.COM
   4   3    host/server4.example.com@EXAMPLE.COM
   5   3    host/server4.example.com@EXAMPLE.COM
   6   3     host/server4.example.com@EXAMPLE.COM
   7   3    host/server4.example.com@EXAMPLE.COM
   8   3    host/server4.example.com@EXAMPLE.COM
   9   3     nfs/server4.example.com@EXAMPLE.COM
  10   3     nfs/server4.example.com@EXAMPLE.COM
  11   3      nfs/server4.example.com@EXAMPLE.COM
  12   3     nfs/server4.example.com@EXAMPLE.COM
  13   3     nfs/server4.example.com@EXAMPLE.COM
  14   3     nfs/server4.example.com@EXAMPLE.COM
  15   3     nfs/server4.example.com@EXAMPLE.COM
  16   3      nfs/server4.example.com@EXAMPLE.COM
ktutil: 
[root@server4 ~]# systemctl restart nfs-secure-server
[root@server4 ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server4 ~]# vim /etc/exports
/public      *(rw,sec=krb5p)      ##sec=krb5 只做用户身份认证,krb5i 再加报文完整性校验,krb5p 再加传输加密(最安全、开销也最大)。启用后服务器不再信任客户端自报的 UID:客户端必须持有自己的主机 keytab 才能挂载,用户必须持有有效 TGT 才能访问。注意 "*" 仍允许任何持有本域 keytab 的主机挂载并获得 rw
[root@server4 ~]# exportfs -rv
exporting *:/public



同理在客户端 desktop4 上安装 sssd/krb5-workstation,用 authconfig-gtk 开启 Kerberos 认证以获得 LDAP 用户,并把 desktop4 自己的 keytab 放到 /etc/krb5.keytab(同样设为 600)。没有客户端主机 keytab,sec=krb5* 的挂载会失败。

客户端:
[root@desktop4 ~]# systemctl start nfs-secure
[root@desktop4 ~]# systemctl enable nfs-secure
Created symlink from /etc/systemd/system/nfs.target.wants/nfs-secure.service to/usr/lib/systemd/system/nfs-secure.service.
[root@desktop4 ~]# vim /etc/sysconfig/nfs

 13 RPCNFSDARGS="-V 4.2"        ##RPCNFSDARGS 是 rpc.nfsd(服务端)的启动参数,用于启用 NFSv4.2;在纯客户端上通常不起作用,应在服务端设置并重启 nfs-server。客户端需要的只是运行 nfs-secure(rpc.gssd)

[root@desktop4 ~]# systemctl restart nfs

在服务端: [root@server4 ~]# systemctl restart nfs-secure-server.service

[root@desktop4 ~]# mount 172.25.4.11:/public /mnt -o sec=krb5p
[root@desktop4 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            104739003870748   6603152  37% /
devtmpfs               481120       0   481120   0% /dev
tmpfs                  496708     140   496568   1% /dev/shm
tmpfs                  496708   19332   477376   4% /run
tmpfs                  496708       0   496708   0% /sys/fs/cgroup
/dev/sr0              3654720 3654720         0 100% /run/media/root/RHEL-7.0Server.x86_64
172.25.4.11:/public  104739843188864   7285120  31% /mnt
[root@desktop4 ~]# su - student
Last login: Sat Jun  3 23:22:22 EDT 2017on pts/1
[student@desktop4 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
[student@desktop4 ~]$ cd /mnt
-bash: cd: /mnt: Permission denied
[student@desktop4 ~]$ ls
[root@desktop4 ~]# su - ldapuser1
Last login: Sat Jun  3 23:22:40 EDT 2017on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file ordirectory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ cd /mnt
-bash-4.2$ ls
westostest1  westostest2  westostest3
##结论:挂载本身由客户端主机 keytab 完成,但访问文件时服务器按每个用户的 Kerberos 票据鉴权——student 没有票据(klist 报 not found)被拒绝,ldapuser1 登录后自动获得 TGT 才能读取。用完后可用 kdestroy 清除票据