NFS, and protecting NFS exports with Kerberos
Source: Internet  Editor: 程序博客网  Time: 2024/06/07 21:12
1. NFS concepts
1. The Network File System (NFS) is the network file system commonly used by Unix systems and network-attached storage appliances; it lets many clients share access to files over the network. It can provide access to a shared directory of binaries, or let users in the same workgroup reach their files from different client machines.
2. The NFS protocol exists in several versions: Linux supports versions 4, 3 and 2, and most administrators know NFSv3 best. By default the protocol is not secure: with the default AUTH_SYS flavor the server simply trusts the user and group IDs the client sends. Newer versions such as NFSv4 support stronger authentication through Kerberos (RPCSEC_GSS), with the security flavors krb5 (authentication), krb5i (plus integrity protection) and krb5p (plus encryption of the traffic).
2. NFS server configuration
To set up a basic NFS server, first install the nfs-utils package. Then edit /etc/exports to list the file systems shared with client systems over the network, and for each export state which clients may reach it and with what access.
########1. Install and configure#########
[root@server4 ~]# yum install nfs-utils -y
[root@server4 ~]# systemctl start nfs-server
[root@server4 ~]# systemctl enable nfs-server
[root@server4 ~]# systemctl status firewalld
[root@server4 ~]# firewall-cmd --permanent --add-service=rpc-bind
success
[root@server4 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@server4 ~]# firewall-cmd --permanent --add-service=mountd
success
[root@server4 ~]# firewall-cmd --reload
success
############2. Create the shared directory#############
[root@server4 ~]# mkdir /public
[root@server4 ~]# touch /public/westostest{1..3}
[root@server4 ~]# vim /etc/exports ##see man 5 exports for the syntax
/public *(sync) ##share /public with every host, writing data synchronously; there is no rw option, so the export is read-only
[root@server4 ~]# chmod 777 /public ##lab shortcut: world-writable on the server side; on a real server grant the directory to the group that needs it instead
[root@server4 ~]# vim /etc/exports
[root@server4 ~]# exportfs -rv ##re-read /etc/exports and apply it in place; prefer this over restarting nfs-server, which disrupts clients that currently have the export mounted
[root@server4 ~]# vim /etc/exports
/public 172.25.4.10/24(sync) ##share /public with the whole 172.25.4.0/24 network (the subnet that 172.25.4.10 belongs to), read-only
[root@server4 ~]# exportfs -rv
exporting 172.25.4.10/24:/public
[root@server4 ~]# vim /etc/exports
/public *.example.com(sync) ##share with any host whose name, as resolved from its address, ends in .example.com; read-only
[root@server4 ~]# exportfs -rv
exporting *.example.com:/public
[root@server4 ~]# vim /etc/exports
/public 172.25.4.11(rw,sync) ##read-write, but only for the single address 172.25.4.11; every other client is refused at mount time
[root@server4 ~]# exportfs -rv
exporting 172.25.4.11:/public
[root@server4 ~]# vim /etc/exports
/public 172.25.4.10(sync) 172.25.254.4(rw,sync,no_root_squash) ##one space-separated entry per client; no_root_squash lets root on 172.25.254.4 act as root on the export instead of being mapped to the anonymous user
[root@server4 ~]# exportfs -rv
exporting 172.25.4.10:/public
exporting 172.25.254.4:/public
[root@server4 ~]# vim /etc/exports
/public *(rync,anonuid=1001,anongid=1000) ##"rync" is a typo for rw,sync; anonuid/anongid set the UID/GID that squashed (anonymous) requests are mapped to
[root@server4 ~]# exportfs -rv
exportfs: /etc/exports:1: unknown keyword "rync" ##exportfs refuses the unknown option
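The export lines tried above differ only in a few options, yet they range from read-only for one subnet to root-equivalent write access for anyone. The following shell function is an added example (not code from the original post) that audits an /etc/exports-style file for exactly those risks: read-write to `*` without Kerberos, `no_root_squash`, exports that rely on AUTH_SYS only, and the classic mistake of a space between a host and its option list, which makes the options apply to every host. The sample file it reads is constructed here to mirror the page's experiments; the `/srv/build` line is invented for the space-before-parenthesis case.

```shell
#!/bin/sh
# audit_exports: flag risky entries in an /etc/exports-style file.
# Added example for this page; not the original post's code.
# Reads the file named in $1, or stdin when no argument is given.
audit_exports() {
  awk '
    { sub(/#.*/, "") }                 # drop comments; awk re-splits the fields
    NF < 2 { next }                    # blank line, or a path with no clients
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        tok = $i
        if (tok ~ /^\(/) {
          # "(rw,sync)" with nothing in front: a space slipped in between the
          # host and its options, and exportfs then applies them to every host
          host = "*"
          opts = tok; sub(/^\(/, "", opts); sub(/\)$/, "", opts)
          print path " " host ": options \"" opts "\" have no host (space before the parenthesis?) and apply to ALL clients"
        } else if (match(tok, /\(/)) {
          host = substr(tok, 1, RSTART - 1)
          opts = substr(tok, RSTART + 1); sub(/\)$/, "", opts)
        } else {
          host = tok; opts = ""        # defaults: ro,sync,root_squash,sec=sys
        }
        o = "," opts ","
        krb = (o ~ /,sec=[^,]*krb5/)   # sec=krb5, krb5i or krb5p, possibly in a list
        if (host == "*" && index(o, ",rw,") && !krb)
          print path " " host ": read-write for every host, without Kerberos"
        if (index(o, ",no_root_squash,"))
          print path " " host ": no_root_squash lets root on the client act as root on this export"
        if (!krb)
          print path " " host ": AUTH_SYS only (no sec=krb5*): the server trusts whatever UID/GID the client sends"
      }
    }' "${1:-/dev/stdin}"
}

# Number of findings; zero means a clean file.
finding_count() { audit_exports "$@" | awk 'END { print NR }'; }

# Constructed sample mirroring the export lines tried above.
sample_exports() {
  cat <<'EOF'
# constructed sample, not a real /etc/exports
/public *(sync)
/public 172.25.4.10(sync) 172.25.254.4(rw,sync,no_root_squash)
/srv/build *.example.com (rw,sync)
/public *(rw,sec=krb5p)
EOF
}

# Usage on a server: audit_exports /etc/exports
# With the sample:
sample_exports | audit_exports
```

The sample produces eight findings: every AUTH_SYS entry is reported once, the `no_root_squash` entry twice, and the `*.example.com (rw,sync)` line is reported as a read-only export for `*.example.com` plus a read-write export for `*`, which is how exportfs parses it. Only the `sec=krb5p` line is clean. On a live server compare the findings with `exportfs -v`, which prints the options actually in effect, defaults included.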
Test:
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public *
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
[root@desktop4 ~]# cd /mnt
[root@desktop4 mnt]# ls
westostest1 westostest2 westostest3
[root@desktop4 mnt]# touch file
touch: cannot touch ‘file’: Read-only file system ##the export carries no rw option, so the client gets a read-only file system
[root@desktop4 mnt]# cd
[root@desktop4 ~]# umount /mnt/
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
[root@desktop4 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            10473900 3805844   6668056  37% /
devtmpfs               481120       0    481120   0% /dev
tmpfs                  496708     140    496568   1% /dev/shm
tmpfs                  496708   13152    483556   3% /run
tmpfs                  496708       0    496708   0% /sys/fs/cgroup
/dev/sr0              3654720 3654720         0 100% /run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public  10473984 3129472   7344512  30% /mnt
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public 172.25.4.10/24
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public *.example.com
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
[root@desktop4 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            10473900 3805900   6668000  37% /
devtmpfs               481120       0    481120   0% /dev
tmpfs                  496708     140    496568   1% /dev/shm
tmpfs                  496708   13152    483556   3% /run
tmpfs                  496708       0    496708   0% /sys/fs/cgroup
/dev/sr0              3654720 3654720         0 100% /run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public  10473984 3129472   7344512  30% /mnt
[root@desktop4 ~]# cd /mnt
[root@desktop4 mnt]# touch file
touch: cannot touch ‘file’: Read-only file system
[root@desktop4 ~]# umount /mnt
[root@desktop4 ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public 172.25.4.11
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt
mount.nfs: access denied by server while mounting 172.25.4.11:/public ##the export now lists only 172.25.4.11 itself, and desktop4 is not that host
[root@desktop4 ~]# df ##the mount was refused, so no NFS entry appears: /mnt is just a local directory
Filesystem      1K-blocks    Used Available Use% Mounted on
/dev/vda1        10473900 3805848   6668052  37% /
devtmpfs           481120       0    481120   0% /dev
tmpfs              496708     140    496568   1% /dev/shm
tmpfs              496708   13152    483556   3% /run
tmpfs              496708       0    496708   0% /sys/fs/cgroup
/dev/sr0          3654720 3654720         0 100% /run/media/root/RHEL-7.0 Server.x86_64
[root@desktop4 ~]# cd /mnt
[root@desktop4 mnt]# touch file ##succeeds only because nothing is mounted on /mnt at this point: the file is created on the local disk, not on the export; check df or findmnt before trusting a write
[root@desktop4 mnt]# ls
file
Permanent mount:
[root@nfs-client ~]# vim /etc/fstab
172.25.254.10:/public /mnt nfs defaults 0 0 ##for a Kerberos-protected export, put sec=krb5p in place of defaults
################3. Protecting NFS exports with Kerberos################
[root@server4 ~]# yum install sssd krb5-workstation authconfig-gtk -y
[root@server4 ~]# logout
[kiosk@foundation4 Desktop]$ ssh root@172.25.254.204 -X ##forward X11 so the graphical tool can be used
[root@server4 ~]# authconfig-gtk ##enable Kerberos authentication on the server, so that the LDAP users become available
[root@server4 ~]# su - student
[student@server4 ~]$ su - ldapuser1
Password: ##the password is kerberos
Last login: Sat Jun 3 23:09:10 EDT 2017 on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1701:krb_ccache_ht7k2SR
Default principal: ldapuser1@EXAMPLE.COM ##the ticket-granting ticket obtained at login; a krb5p mount later uses it to identify the user
Valid starting Expires Service principal
06/03/2017 23:09:43 06/04/2017 23:09:43 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/03/2017 23:09:43
-bash-4.2$ logout
[student@server4 ~]$ su - root
[root@server4 ~]# ls
anaconda-ks.cfg Documents Music Public Videos
Desktop Downloads Pictures Templates
[root@server4 ~]# wget http://172.25.254.254/pub/keytabs/server4.keytab -O /etc/krb5.keytab ##lab setup: the keytab holds the host's long-term keys, so keep it root-owned with mode 0600; outside a lab it is not distributed over plain HTTP
--2017-06-03 23:15:07-- http://172.25.254.254/pub/keytabs/server4.keytab
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1242 (1.2K)
Saving to: ‘/etc/krb5.keytab’
100%[=============================>] 1,242 --.-K/s in 0s
2017-06-03 23:15:07 (141 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]
[root@server4 ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list ##one slot per key, so each principal appears once per encryption type; list -e also prints the type
slot KVNO Principal
---- -------------------------------------------------------------------------
1 3 host/server4.example.com@EXAMPLE.COM
2 3 host/server4.example.com@EXAMPLE.COM
3 3 host/server4.example.com@EXAMPLE.COM
4 3 host/server4.example.com@EXAMPLE.COM
5 3 host/server4.example.com@EXAMPLE.COM
6 3 host/server4.example.com@EXAMPLE.COM
7 3 host/server4.example.com@EXAMPLE.COM
8 3 host/server4.example.com@EXAMPLE.COM
9 3 nfs/server4.example.com@EXAMPLE.COM
10 3 nfs/server4.example.com@EXAMPLE.COM
11 3 nfs/server4.example.com@EXAMPLE.COM
12 3 nfs/server4.example.com@EXAMPLE.COM
13 3 nfs/server4.example.com@EXAMPLE.COM
14 3 nfs/server4.example.com@EXAMPLE.COM
15 3 nfs/server4.example.com@EXAMPLE.COM
16 3 nfs/server4.example.com@EXAMPLE.COM
ktutil: quit
[root@server4 ~]# systemctl restart nfs-secure-server
[root@server4 ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server4 ~]# vim /etc/exports
/public *(rw,sec=krb5p) ##read-write for every host, but only through Kerberos with encrypted traffic (krb5p); a mount that offers only sec=sys is refused
[root@server4 ~]# exportfs -rv
exporting *:/public
Likewise run authconfig-gtk on the client (desktop4) to enable Kerberos authentication and get the LDAP users.
Client:
[root@desktop4 ~]# systemctl start nfs-secure
[root@desktop4 ~]# systemctl enable nfs-secure
Created symlink from /etc/systemd/system/nfs.target.wants/nfs-secure.service to /usr/lib/systemd/system/nfs-secure.service.
[root@desktop4 ~]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2" ##these arguments are read by rpc.nfsd, so they only take effect on a host that runs nfs-server
[root@desktop4 ~]# systemctl restart nfs
On the server: [root@server4 ~]# systemctl restart nfs-secure-server.service
[root@desktop4 ~]# mount 172.25.4.11:/public /mnt -o sec=krb5p
[root@desktop4 ~]# df
Filesystem          1K-blocks    Used Available Use% Mounted on
/dev/vda1            10473900 3870748   6603152  37% /
devtmpfs               481120       0    481120   0% /dev
tmpfs                  496708     140    496568   1% /dev/shm
tmpfs                  496708   19332    477376   4% /run
tmpfs                  496708       0    496708   0% /sys/fs/cgroup
/dev/sr0              3654720 3654720         0 100% /run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public  10473984 3188864   7285120  31% /mnt
[root@desktop4 ~]# su - student
Last login: Sat Jun 3 23:22:22 EDT 2017 on pts/1
[student@desktop4 ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found ##student is a local user with no Kerberos ticket
[student@desktop4 ~]$ cd /mnt
-bash: cd: /mnt: Permission denied ##without a ticket no GSS context can be set up, so the krb5p export refuses the user
[student@desktop4 ~]$ ls
[root@desktop4 ~]# su - ldapuser1
Last login: Sat Jun 3 23:22:40 EDT 2017 on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ cd /mnt
-bash-4.2$ ls ##ldapuser1 holds a ticket, so the mount authenticates the user and the listing works
westostest1 westostest2 westostest3
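The procedure above ends with a successful `ls`, but it never verifies two things a practitioner wants confirmed: that the server's keytab really contains the nfs/ service key, and that the client's mount negotiated krb5p rather than silently falling back to sec=sys (which can happen when a mount is done without an explicit `-o sec=`). The following shell functions are an added example, not code from the original post. They parse the output of `klist -k /etc/krb5.keytab` and the contents of /proc/mounts; the principal nfs/server4.example.com@EXAMPLE.COM and the 172.25.4.11:/public export come from the page, while the sample outputs, and the second mount at 172.25.254.10 with sec=sys, are constructed for the demonstration.

```shell
#!/bin/sh
# Post-setup checks for a Kerberos-protected NFS export.
# Added example for this page; not the original post's code.
# On a live system feed the real commands instead of the samples:
#   klist -k /etc/krb5.keytab | keytab_kvno nfs/server4.example.com@EXAMPLE.COM
#   weak_nfs_mounts < /proc/mounts

# Constructed sample of `klist -k /etc/krb5.keytab` output (server side).
sample_klist_k() {
  cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server4.example.com@EXAMPLE.COM
   3 nfs/server4.example.com@EXAMPLE.COM
EOF
}

# Constructed sample of /proc/mounts (client side): one krb5p mount, one sec=sys mount.
sample_proc_mounts() {
  cat <<'EOF'
/dev/vda1 / xfs rw,relatime,attr2,inode64,noquota 0 0
172.25.4.11:/public /mnt nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,hard,proto=tcp,sec=krb5p,clientaddr=172.25.4.10,local_lock=none,addr=172.25.4.11 0 0
172.25.254.10:/public /data nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,hard,proto=tcp,sec=sys,clientaddr=172.25.4.10,local_lock=none,addr=172.25.254.10 0 0
EOF
}

# keytab_kvno PRINCIPAL   (klist -k output on stdin)
# Prints the highest key version number stored for PRINCIPAL, nothing if absent.
# klist -k prints one line per key, i.e. one per encryption type, so repeats are normal.
keytab_kvno() {
  awk -v p="$1" '
    NR > 3 && $2 == p && $1 + 0 > max { max = $1 + 0 }
    END { if (max) print max }'
}

# nfs_sec_flavor MOUNTPOINT   (/proc/mounts on stdin)
# Prints the sec= flavor of the NFS mount at MOUNTPOINT; "sys" when no sec=
# option is shown, since AUTH_SYS is the default; nothing if it is not NFS.
nfs_sec_flavor() {
  awk -v mp="$1" '
    $2 == mp && $3 ~ /^nfs/ {
      n = split($4, o, ",")
      for (i = 1; i <= n; i++)
        if (o[i] ~ /^sec=/) { print substr(o[i], 5); exit }
      print "sys"; exit
    }'
}

# weak_nfs_mounts   (/proc/mounts on stdin)
# Lists every NFS mount (nfs or nfs4) that is not using krb5, krb5i or krb5p.
weak_nfs_mounts() {
  awk '$3 ~ /^nfs/ && ("," $4 ",") !~ /,sec=krb5[ip]?,/ { print $1 " on " $2 " (" $4 ")" }'
}

# Run against the samples.
sample_klist_k | keytab_kvno nfs/server4.example.com@EXAMPLE.COM
sample_proc_mounts | nfs_sec_flavor /mnt
sample_proc_mounts | weak_nfs_mounts
```

An empty result from `keytab_kvno` for the nfs/ principal means rpc.svcgssd (nfs-secure-server) has no key to accept tickets with, and every krb5 mount will be refused; a mismatch between the keytab's KVNO and the KDC's is the other common cause. On the client, `weak_nfs_mounts` should print nothing once every export is mounted with `sec=krb5p`. Kerberos also depends on the clocks of client, server and KDC agreeing within the allowed skew (five minutes by default), so a time check belongs next to these.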