Building a workstation server
Environment
Red Hat Enterprise Linux 6 and below
NFS protocol versions 3 and 4
Issue
How to configure NFSv4 with Kerberos authentication in Red Hat Enterprise Linux 5?
GIDs of users in more than 16 groups are not recognized properly on NFS in RHEL.
Resolution
To allow NFS to handle the file permissions of users that belong to more than 16 groups properly, RPCSEC_GSS and Kerberos need to be used instead of the default authentication method (AUTH_SYS). To configure Kerberos and NFSv4, the following procedure was used.
Environment used in this procedure:
Red Hat Enterprise Linux 5.5 x86_64 server as NFSv4 server and KDC, hostname server.example.com
Red Hat Enterprise Linux 4 x86_64 as NFS client, hostname client.example.com
Important points:
Time synchronization: all machines that will participate in Kerberos authentication must have a reliable, synchronized time source. Most large organizations offer their own time sources. You can use the RHEL configuration tool system-config-time.
Hostnames: all hosts must have their hostname set to the fully qualified hostname as reported by DNS. Both forward and reverse mapping must work properly.
The host may be referenced by a CNAME, but the official hostname (as reported by hostname) must be an 'A' record. This is important; if you don't have this set up properly then some things will work, while other things will fail mysteriously. If the hostname does not match the
You need to choose a Kerberos realm. A Kerberos realm is completely different from a DNS domain, but in most cases you will want to use the same name. Kerberos realms are all uppercase. The Kerberos realm used in this article is EXAMPLE.COM.
Packages:
On the client machine, make sure that the following packages are installed:
krb5-libs
krb5-workstation
pam_krb5
cyrus-sasl-gssapi
On the server machine, make sure that the following package is installed:
krb5-server
Configure the Kerberos service on the server:
1.1 There are a number of files that have to be manually edited on the server:
Edit /etc/krb5.conf
The stock version of this file will have example.com or EXAMPLE.COM everywhere you want to put your own realm or domain name. The two sections that contain the realm name are the ones that need to be changed; the other sections do not need to be changed. In [libdefaults], enter your own Kerberos realm name. You may also want to set the clock skew.
```
[root@server ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = server.example.com:88
  admin_server = server.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
1.2 Edit /var/kerberos/krb5kdc/kdc.conf
In this file, only the [realms] section needs to be modified. It is important to change the key types as well. I can confirm that the settings below work perfectly. Decide on appropriate values for the maximum life of each ticket, and for how long each ticket can be renewed. Reasonable values are 1 day and 1 week but your needs will vary. The values here are the absolute maximum
```
[root@server ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
 }
```
1.3 Edit /var/kerberos/krb5kdc/kadm5.acl:
This file determines who can modify the Kerberos database. You need to change the realm. The file will look like:
```
[root@server ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
```
1.4 Make sure /etc/gssapi_mech.conf looks like:
```
[root@server ~]# cat /etc/gssapi_mech.conf
# library                     initialization function
#
# The MIT K5 gssapi library, use special function for initialization.
libgssapi_krb5.so.2           mechglue_internal_krb5_init
#
```
1.5 Create the Kerberos database:
Execute the following command:
```
[root@server ~]# kdb5_util -r EXAMPLE.COM create -s
```
This will prompt you for a password. You will only have to enter this password when you initially configure a slave KDC, so choose something large and random and store it in a secure place. Really, you may only have to enter this once more, so make it secure.
1.6 Add the first administrative user:
I do administration as root, so the first user I add is root/admin. The default realm is appended automatically, so the command to use is as follows:
```
[root@server ~]# kadmin.local -q "addprinc root/admin"
```
Enter a password when prompted. You will need this password every time you administer the database.
1.7 At this point it is necessary to enable and start the Kerberos services:
```
[root@server ~]# chkconfig kadmin on
[root@server ~]# service kadmin start
[root@server ~]# chkconfig krb5kdc on
[root@server ~]# service krb5kdc start
```
To test if everything is working, execute kadmin or kadmin.local. By default, the current user appended with '/admin' is used as the principal.
```
[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:    // please enter the admin password
kadmin: listprincs
K/M@EXAMPLE.COM
host/server.example.com@EXAMPLE.COM
host/client.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/server.example.com@EXAMPLE.COM
kmaiti@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
nc@EXAMPLE.COM
nfs/server.example.com@EXAMPLE.COM
nfs/client.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin:
```
The additional principals have been created by the tool. They are required, so leave them be.
1.8 Create a host principal for the KDC:
Now you will want to create an NFS service principal for the NFS server. You also need to add this principal to the local key table.
```
[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey nfs/server.example.com    // execute this command. Don't forget to replace the hostname.
kadmin: ktadd nfs/server.example.com                // adding the key to the keytab file.
```
1.9 Creating Kerberos principals for the client:
Run kadmin on the server and create the following principals. Replace client.example.com with the fully qualified name of the client machine.
```
[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey nfs/client.example.com
```
1.10 Generate keys in the keytab file for the admin principals. These will be saved in /var/kerberos/krb5kdc/kadm5.keytab, since that is the admin_keytab path set in kdc.conf.
```
[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin      // execute these commands
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
```
1.11 Make sure that ports 88 and 749 are open on the firewall. Restart the firewall, kadmin and krb5kdc services.
Client setup:
2.1 Copy the file /etc/krb5.conf from the server (Kerberos server) to the client machine.
2.2 Make sure that ports 88 and 749 are open on the firewall. Restart the firewall.
2.3 Create Kerberos principals:
Execute the kadmin command on the client console. Add the principal to the keytab file as follows for NFS:
```
[root@client ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: ktadd -e des-cbc-crc:normal nfs/client.example.com
```
Configure Kerberos for NFSv4 (assuming that NFSv4 has been installed on the server, i.e. on the Kerberos server, so it is also the NFSv4 server):
3.1 Create the necessary entries in /etc/exports. First, create an NFSv4 mount point; I would suggest /export. Next, bind the real paths we want to export: the /data directory. We create /export/data for NFSv4 and mount /data there.
```
[root@server /]# mkdir -m 1777 /export
[root@server /]# mkdir /export/data
[root@server /]# mount -n --bind /data /export/data
```
3.2 Add the following lines to the /etc/exports file:
```
/export        gss/krb5(sync,rw,fsid=0,insecure,no_subtree_check,anonuid=65534,anongid=65534)
/export/data   gss/krb5(sync,rw,nohide,insecure,no_subtree_check,anonuid=65534,anongid=65534)
```
3.3 Modify /etc/idmapd.conf so that it looks like:
```
[root@server /]# cat /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody

[Translation]
Method = nsswitch
```
3.4 Set the value of SECURE_NFS to yes in /etc/sysconfig/nfs. To enable secure NFS, you must add the following line to /etc/sysconfig/nfs:
```
SECURE_NFS=yes
```
After restarting the NFS services, the environment is able to work properly using Kerberos authentication and RPCSEC_GSS.
Testing:
On the client machine, issue the following command to mount the exported directory of the server:
```
# mount -t nfs4 -o sec=krb5 server.example.com:/ /mnt/my_nfs_mount_point
```
Now create files inside the /data directory on the server and view the files inside the /mnt directory on the client machine.
Note: the NFS daemons look like this on the server:
```
[root@server /]# service nfs status
rpc.svcgssd (pid 8974) is running...
rpc.mountd (pid 8994) is running...
nfsd (pid 8991 8990 8989 8988 8987 8986 8985 8984) is running...
rpc.rquotad (pid 8979) is running...
```
Root Cause
By default, NFS clients and servers use the AUTH_SYS protocol to authenticate users.
AUTH_SYS is defined in RPC v2 (http://www.ietf.org/rfc/rfc1831.txt) to allocate a 4-bit value to group memberships, hence the limit of 16 groups.
But since v4, NFS can use a different authentication protocol such as RPCSEC_GSS, which supports more groups.
Diagnostic Steps
The following considerations can help to debug problems with the above setup.
Are hosts properly resolved via DNS or /etc/hosts?
Are the expected principals in the keytab? This can be verified with klist -ke.
Are the required services running on client and server?
Have the services been restarted?
Are the required modules loaded? In some cases rpcsec_gss_krb5 was not loaded automatically on RHEL 5.
Is showmount -e server from the client showing the exports?
It might be useful to configure rpc.gssd for more verbosity: set RPCGSSDARGS="-vvv" in /etc/sysconfig/nfs and restart the service.
For NFS debugging, execute echo 32767 > /proc/sys/sunrpc/nfs_debug.
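The 16-group limit from the Root Cause section and the keytab, exports and SECURE_NFS questions from the Diagnostic Steps, as an added shell example that is not part of the original article: each check runs offline on captured text, the sample exports, klist output and gid list are constructed, and the hostname client.example.com and realm EXAMPLE.COM are the article's values.

```shell
#!/bin/sh
# Offline pre-flight checks for the Kerberos/NFSv4 setup described above.
# Added example, not part of the original article: each check takes captured
# text as an argument so it can be run against output saved from a host.

# Root cause check: AUTH_SYS carries at most 16 supplementary GIDs. Returns 0
# if a gid list (as printed by `id -G`) fits, 1 if groups would be dropped.
auth_sys_groups_ok() {
    n=$(printf '%s\n' "$1" | wc -w | tr -d ' ')
    [ "$n" -le 16 ]
}

# Every active export line must use a gss/krb5, gss/krb5i or gss/krb5p client
# spec, otherwise that export is still served with AUTH_SYS. Returns 0 if so.
exports_all_krb5() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank lines
        $2 !~ /^gss\/krb5(i|p)?\(/ { bad++ }            # anything else is weak
        END { exit (bad > 0) }'
}

# The keytab must hold the nfs/<fqdn>@REALM principal of this host.
# $1 = `klist -ke` output, $2 = fully qualified hostname, $3 = realm.
keytab_has_nfs_principal() {
    printf '%s\n' "$1" | grep -qF -- " nfs/$2@$3 "
}

# /etc/sysconfig/nfs must set SECURE_NFS=yes so rpc.gssd/rpc.svcgssd start.
secure_nfs_enabled() {
    printf '%s\n' "$1" | grep -q '^SECURE_NFS=yes$'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_EXPORTS='/export gss/krb5(sync,rw,fsid=0,insecure,no_subtree_check)
/export/data gss/krb5(sync,rw,nohide,insecure,no_subtree_check)'
SAMPLE_EXPORTS_WEAK='/export *(rw,sync,fsid=0)'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   2 nfs/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'
SAMPLE_GIDS_17='100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116'

# Run the checks on the samples when executed directly.
exports_all_krb5 "$SAMPLE_EXPORTS"        && echo "exports: ok"
exports_all_krb5 "$SAMPLE_EXPORTS_WEAK"   || echo "exports: weak client spec found"
keytab_has_nfs_principal "$SAMPLE_KLIST" client.example.com EXAMPLE.COM \
    && echo "keytab: nfs principal present"
auth_sys_groups_ok "$SAMPLE_GIDS_17"      || echo "gids: >16 groups, AUTH_SYS would drop some"
```

On a real host, feed the functions the output of `cat /etc/exports`, `klist -ke`, `id -G <user>` and `cat /etc/sysconfig/nfs` instead of the samples.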