搭建NFS服务器
注意:Kerberos 的服务主体(nfs/主机FQDN)与主机名绑定,因此客户端必须以完全合格域名访问 NFS 服务端,且三台主机之间的主机名正向解析必须一致:搭建 DNS 服务器,或在每台主机的 /etc/hosts 中写入下表的主机名与 IP(本文 krb5.conf 中 rdns = false,不依赖反向解析)。
实验环境
主机名 | 完全合格域名 | 角色 | IP地址 | 系统 |
---|---|---|---|---|
dns | dns.skills.com | DNS-server、KDC-server | 10.10.70.101/24 | Rocky8.5 |
idm | idm.skills.com | NFS-server、KDC-client | 10.10.70.102/24 | Rocky8.5 |
app | app.skills.com | NFS-client、KDC-client | 10.10.70.103/24 | Rocky8.5 |
配置NFS服务端
[root@idm ~]# yum install -y nfs-utils rpcbind
[root@idm ~]# mkdir /srv/{tmp,share} -p
[root@idm ~]# vim /etc/exports #编辑 NFS 导出配置(每行一个导出目录,客户端与选项之间不能有空格)
/srv/share 10.10.20.0/24(rw,anonuid=222,anongid=222,sec=krb5p) #注意:此处网段 10.10.20.0/24 与实验环境表中的 10.10.70.0/24 不一致,导出网段必须与 app 实际所在网段一致,否则挂载时会被拒绝;anonuid/anongid 只对被压缩(squash)的身份生效,默认仅压缩 root,因此客户端 root 在此目录中以 uid/gid 222 访问
/srv/tmp *(rw,no_root_squash,sec=krb5p) #安全提示:`*` 允许任意主机挂载,no_root_squash 让客户端 root 在此目录中保持 root 身份;sec=krb5p 虽然要求客户端持有本域有效的 Kerberos 主体,但任何一台加入本域的主机上的 root 都可以以 root 写入 /srv/tmp。生产环境应改为明确的主机或网段,并在没有明确需要时去掉 no_root_squash
[root@idm ~]# systemctl restart nfs-server.service #重启NFS服务。注意:sec=krb5p 的导出要求服务端 /etc/krb5.keytab 中存在 nfs/idm.skills.com 主体,该 keytab 在后文 KDC 部分才分发到 idm,因此分发 keytab 之后需要再次执行本命令(或 exportfs -ra 并重启 nfs-server),否则客户端的 krb5p 挂载会失败
[root@idm ~]# firewall-cmd --add-service=nfs --permanent
[root@idm ~]# firewall-cmd --add-service=rpc-bind --permanent
[root@idm ~]# firewall-cmd --add-service=mountd --permanent
[root@idm ~]# firewall-cmd --reload
配置NFS客户端
[root@app ~]# mkdir /opt/{share,tmp} -p #创建挂载文件夹
[root@app ~]# yum install -y nfs-utils #安装NFS客户端工具(包含 rpc.gssd,sec=krb5* 挂载必需)
[root@app ~]# mount idm.skills.com:/srv/share /opt/share #挂载文件夹
[root@app ~]# mount idm.skills.com:/srv/tmp /opt/tmp #挂载文件夹。注意:服务端导出只允许 sec=krb5p,这两条 mount 需要在完成后文 KDC 客户端配置、app 上已有 /etc/krb5.keytab(nfs/app.skills.com 主体)之后执行,否则会因无法完成 Kerberos 认证而挂载失败
[root@app ~]# df -h #查看挂载
Filesystem Size Used Avail Use% Mounted on
devtmpfs 890M 0 890M 0% /dev
tmpfs 909M 0 909M 0% /dev/shm
tmpfs 909M 8.5M 901M 1% /run
tmpfs 909M 0 909M 0% /sys/fs/cgroup
/dev/mapper/rl-root 26G 13G 14G 47% /
/dev/loop0 10G 10G 0 100% /mnt
/dev/vda1 1014M 214M 801M 22% /boot
idm.skills.com:/srv/tmp 26G 13G 14G 47% /opt/tmp
idm.skills.com:/srv/share 26G 13G 14G 47% /opt/share
tmpfs
搭建KDC验证服务器
配置KDC服务端
用于 idm 服务端与 app 客户端之间 NFS 的 Kerberos 认证
[root@dns ~]# yum install krb5-server krb5-libs -y #安装KDC服务(krb5-libs 会作为依赖自动安装;x86_64 系统上无需安装 .i686 版本的库)
#修改KDC配置文件
[root@dns ~]# vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = SKILLS.COM #默认 realm(Kerberos 域,习惯上全大写)
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
SKILLS.COM = {
kdc = dns.skills.com #KDC服务端域名
admin_server = dns.skills.com #kadmin 管理服务器主机名
}
[domain_realm]
.skills.com = SKILLS.COM #KDC域名
skills.com = SKILLS.COM
[root@dns ~]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults] #KDC默认设置
kdc_ports = 88
kdc_tcp_ports = 88
spake_preauth_kdc_challenge = edwards25519
[realms]
SKILLS.COM = { #指向KDC域名
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal camellia256-cts:normal camellia128-cts:normal
}
#安全提示:此处已从原配置中去掉 arcfour-hmac(RC4)。RC4 已被视为弱算法,新建 realm 不应再为主体生成 RC4 密钥;本文后面 ktadd 的输出也只生成了 aes256/aes128 密钥,说明 AES 已足够满足 NFS krb5p 的需要。
[root@dns ~]# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@SKILLS.COM * #所有 */admin 主体拥有全部管理权限。注意:本文全程在 KDC 本机用 kadmin.local 操作,并未创建任何 */admin 主体,防火墙也未放行 kadmin(749/tcp),因此无法远程管理;如需远程 kadmin,应先 addprinc 一个 xxx/admin 主体并放行 kadmin 服务
#kdc 数据库初始化
[root@dns ~]# kdb5_util create -s #初始化 KDC 数据库;-s 会把主密钥写入 stash 文件(/var/kerberos/krb5kdc/ 下的 .k5.SKILLS.COM),使 krb5kdc 能无人值守启动。该 stash 文件加数据库等同于整个域的全部密钥,必须仅 root 可读,并在备份时加密保护
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SKILLS.COM',
master key name 'K/M@SKILLS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
#进入kdc服务端配置
[root@dns ~]# kadmin.local
Authenticating as principal root/admin@SKILLS.COM with password.
kadmin.local: addprinc -randkey nfs/idm.skills.com #添加 NFS 服务端的服务主体(-randkey 生成随机密钥,不设置口令)
kadmin.local: addprinc -randkey nfs/app.skills.com #添加 NFS 客户端的服务主体
kadmin.local: listprincs #查看NFS KDC密钥
K/M@SKILLS.COM
kadmin/admin@SKILLS.COM
kadmin/changepw@SKILLS.COM
kadmin/dns.skills.com@SKILLS.COM
kiprop/dns.skills.com@SKILLS.COM
krbtgt/SKILLS.COM@SKILLS.COM
nfs/idm.skills.com@SKILLS.COM #查看
nfs/app.skills.com@SKILLS.COM #查看
kadmin.local: ktadd -k /tmp/idm nfs/idm.skills.com #把 idm 的密钥导出到 keytab 文件。注意:ktadd 默认会重新生成该主体的随机密钥并使 kvno 递增(下面输出中 kvno 为 2),日后再次对同一主体执行 ktadd 会使已分发的旧 keytab 失效,必须重新分发
Entry for principal nfs/idm.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/idm.
Entry for principal nfs/idm.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/idm.
kadmin.local: ktadd -k /tmp/app nfs/app.skills.com #导出app的KDC密钥
Entry for principal nfs/app.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/app.
Entry for principal nfs/app.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/app.
kadmin.local: exit
[root@dns ~]# cd /tmp/
[root@dns tmp]# ll #查看导出的密钥文件
total 8
-rw-------. 1 root root 168 Apr 1 19:12 idm
-rw-------. 1 root root 168 Apr 1 19:12 app
[root@dns ~]# systemctl start krb5kdc.service kadmin.service
[root@dns ~]# systemctl enable krb5kdc.service kadmin.service
[root@dns ~]# firewall-cmd --permanent --add-service=kerberos #放行 88 端口(tcp/udp);kadmin(749)未放行,与本文只在 KDC 本机使用 kadmin.local 的做法一致
[root@dns ~]# firewall-cmd --reload
[root@dns etc]# scp /etc/krb5.conf idm:/etc/krb5.conf #导出KDC配置文件到idm
krb5.conf 100% 793 290.1KB/s 00:00
[root@dns etc]# scp /etc/krb5.conf app:/etc/krb5.conf #导出KDC配置文件到app
krb5.conf 100% 793 254.6KB/s 00:00
#把 idm 的 keytab 复制到 idm(scp 会覆盖目标机已有的 /etc/krb5.keytab)
[root@dns etc]# scp /tmp/idm idm.skills.com:/etc/krb5.keytab
#把 app 的 keytab 复制到 app;复制完成后在目标机确认 /etc/krb5.keytab 权限为 600、属主 root,并立即删除 KDC 上的临时副本:rm -f /tmp/idm /tmp/app(keytab 等同于该主机的长期密码,不应留在 /tmp)
[root@dns etc]# scp /tmp/app app.skills.com:/etc/krb5.keytab
配置KDC客户端
配置idm客户端
#安装客户端KDC服务
[root@idm ~]# yum install krb5-workstation krb5-libs -y
#初始化KDC凭据
[root@idm ~]# kinit -kt /etc/krb5.keytab nfs/idm.skills.com #用 keytab 获取 TGT,验证主体、keytab 与 KDC 配置是否正确(NFS 本身不依赖此步,rpc.gssd 会直接使用 /etc/krb5.keytab 中的 nfs/ 主体)
[root@idm ~]# klist -k /etc/krb5.keytab #查看 keytab 中的主体;加 -e 可显示加密类型,下面两条同 kvno 的记录分别对应 aes256 与 aes128 密钥
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nfs/idm.skills.com@SKILLS.COM
2 nfs/idm.skills.com@SKILLS.COM
[root@idm ~]# klist #查询登陆状态
Ticket cache: KCM:0 #注:此处为 KCM 而非 krb5.conf 中写的 KEYRING,通常是因为 includedir 引入的 /etc/krb5.conf.d/kcm_default_ccache(sssd-kcm)先于主文件的设置生效,不影响 NFS 认证
Default principal: nfs/idm.skills.com@SKILLS.COM
Valid starting Expires Service principal
04/01/2022 19:18:51 04/02/2022 19:18:51 krbtgt/SKILLS.COM@SKILLS.COM
renew until 04/01/2022 19:18:51
配置app客户端
#安装客户端KDC服务
[root@app ~]# yum install krb5-workstation krb5-libs -y
#初始化KDC凭据
[root@app ~]# kinit -kt /etc/krb5.keytab nfs/app.skills.com #用 keytab 获取 TGT,验证主体、keytab 与 KDC 配置是否正确(NFS 本身不依赖此步,rpc.gssd 会直接使用 /etc/krb5.keytab 中的 nfs/ 主体)
[root@app ~]# klist -k /etc/krb5.keytab #查看 keytab 中的主体;加 -e 可显示加密类型,下面两条同 kvno 的记录分别对应 aes256 与 aes128 密钥
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 nfs/app.skills.com@SKILLS.COM
2 nfs/app.skills.com@SKILLS.COM
[root@app ~]# klist #查询登陆状态
Ticket cache: KCM:0
Default principal: nfs/app.skills.com@SKILLS.COM
Valid starting Expires Service principal
04/01/2022 19:18:51 04/02/2022 19:18:51 krbtgt/SKILLS.COM@SKILLS.COM
renew until 04/01/2022 19:18:51
#查看使用 krb5p 加密的挂载:确认要点是选项中出现 sec=krb5p(认证+完整性+加密)与 vers=4.2
[root@app ~]# mount |grep kr #查看 krb5p 挂载。注意:下面输出中的 clientaddr=10.10.20.104、addr=10.10.20.103 与实验环境表中的 IP(app 10.10.70.103、idm 10.10.70.102)不一致,应以自己环境的真实地址为准
idm.skills.com:/srv/tmp on /opt/tmp type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.10.20.104,local_lock=none,addr=10.10.20.103)
idm.skills.com:/srv/share on /opt/share type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.10.20.104,local_lock=none,addr=10.10.20.103)