搭建NFS服务器

注意:使用域名访问时,需要搭建DNS服务器或在各主机上修改hosts文件(Kerberos验证依赖正确的主机名解析)

实验环境

主机名 完全合格域名 角色 IP地址 系统
dns dns.skills.com DNS-server、KDC-server 10.10.70.101/24 Rocky8.5
idm idm.skills.com NFS-server、KDC-client 10.10.70.102/24 Rocky8.5
app app.skills.com NFS-client、KDC-client 10.10.70.103/24 Rocky8.5

配置NFS服务端

[root@idm ~]# yum install -y nfs-utils  rpcbind  
[root@idm ~]# mkdir /srv/{tmp,share} -p
[root@idm ~]# vim /etc/exports     #编辑NFS导出配置文件(客户端网段需与实际环境一致;用*导出并加no_root_squash会允许任意通过验证的客户端以root身份写入,仅在确有需要时使用)
/srv/share      10.10.20.0/24(rw,anonuid=222,anongid=222,sec=krb5p)
/srv/tmp       *(rw,no_root_squash,sec=krb5p)
[root@idm ~]# systemctl restart nfs-server.service     #重启NFS服务
[root@idm ~]# firewall-cmd --add-service=nfs --permanent 
[root@idm ~]# firewall-cmd --add-service=rpc-bind  --permanent 
[root@idm ~]# firewall-cmd --add-service=mountd   --permanent 
[root@idm ~]# firewall-cmd --reload 

配置NFS客户端

[root@app ~]# mkdir /opt/{share,tmp} -p     #创建挂载文件夹
[root@app ~]# yum install -y nfs-utils      #安装NFS服务 
[root@app ~]# mount idm.skills.com:/srv/share /opt/share   #挂载文件夹(服务端导出要求sec=krb5p,需先完成下文的KDC与keytab配置)
[root@app ~]# mount idm.skills.com:/srv/tmp /opt/tmp         #挂载文件夹
[root@app ~]# df -h         #查看挂载
Filesystem                    Size  Used Avail Use% Mounted on
devtmpfs                      890M     0  890M   0% /dev
tmpfs                         909M     0  909M   0% /dev/shm
tmpfs                         909M  8.5M  901M   1% /run
tmpfs                         909M     0  909M   0% /sys/fs/cgroup
/dev/mapper/rl-root            26G   13G   14G  47% /
/dev/loop0                     10G   10G     0 100% /mnt
/dev/vda1                    1014M  214M  801M  22% /boot
idm.skills.com:/srv/tmp     26G   13G   14G  47% /opt/tmp
idm.skills.com:/srv/share   26G   13G   14G  47% /opt/share
tmpfs    

搭建KDC验证服务器

配置KDC服务端

用于idm服务端与app客户端之间的NFS Kerberos验证

[root@dns ~]# yum install krb5-server krb5-libs.i686  -y   #安装KDC服务
#修改Kerberos配置文件krb5.conf(该文件随后会复制到idm和app)
[root@dns ~]# vim /etc/krb5.conf   
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = SKILLS.COM       #默认realm
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]           
 SKILLS.COM = {       
     kdc = dns.skills.com               #KDC服务端域名
     admin_server = dns.skills.com      #KDC管理服务器(kadmin)主机名
 }

[domain_realm]
 .skills.com = SKILLS.COM                   #KDC域名
 skills.com = SKILLS.COM
[root@dns ~]# vim /var/kerberos/krb5kdc/kdc.conf   #修改KDC配置文件(supported_enctypes中的arcfour-hmac为已弃用的RC4算法,仅在需要兼容旧客户端时保留)
[kdcdefaults]       #KDC默认设置
    kdc_ports = 88
    kdc_tcp_ports = 88
    spake_preauth_kdc_challenge = edwards25519

[realms] 
SKILLS.COM = {    #realm名称,需与krb5.conf中的default_realm一致
     #master_key_type = aes256-cts
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
}
[root@dns ~]# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@SKILLS.COM      *
#初始化KDC数据库(-s 生成主密钥stash文件,KDC启动时无需再手动输入主密码)
[root@dns ~]# kdb5_util create -s    
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SKILLS.COM',
master key name 'K/M@SKILLS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
#进入kdc服务端配置
[root@dns ~]# kadmin.local 
Authenticating as principal root/admin@SKILLS.COM with password.
kadmin.local:  addprinc -randkey nfs/idm.skills.com      #为idm添加NFS服务主体(-randkey 生成随机密钥)
kadmin.local:  addprinc -randkey nfs/app.skills.com     #为app添加NFS服务主体(-randkey 生成随机密钥)
kadmin.local:  listprincs #列出所有主体,确认nfs主体已创建
K/M@SKILLS.COM
kadmin/admin@SKILLS.COM
kadmin/changepw@SKILLS.COM
kadmin/dns.skills.com@SKILLS.COM
kiprop/dns.skills.com@SKILLS.COM
krbtgt/SKILLS.COM@SKILLS.COM
nfs/idm.skills.com@SKILLS.COM    #查看
nfs/app.skills.com@SKILLS.COM   #查看
kadmin.local:  ktadd -k /tmp/idm nfs/idm.skills.com   #将idm的主体密钥导出到keytab文件
Entry for principal nfs/idm.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/idm.
Entry for principal nfs/idm.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/idm.
kadmin.local:  ktadd -k /tmp/app nfs/app.skills.com   #将app的主体密钥导出到keytab文件
Entry for principal nfs/app.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/app.
Entry for principal nfs/app.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/app.
kadmin.local:   exit
[root@dns ~]# cd /tmp/
[root@dns tmp]# ll     #查看导出的密钥文件(权限应为600,仅root可读)
total 8
-rw-------. 1 root root 168 Apr  1 19:12 idm
-rw-------. 1 root root 168 Apr  1 19:12 app
[root@dns ~]# systemctl start krb5kdc.service kadmin.service
[root@dns ~]# systemctl enable krb5kdc.service kadmin.service
[root@dns ~]# firewall-cmd --permanent --add-service=kerberos
[root@dns ~]# firewall-cmd --reload
[root@dns etc]# scp /etc/krb5.conf idm:/etc/krb5.conf   #导出KDC配置文件到idm
krb5.conf            100%  793   290.1KB/s   00:00    
[root@dns etc]# scp /etc/krb5.conf app:/etc/krb5.conf       #导出KDC配置文件到app
krb5.conf            100%  793   254.6KB/s   00:00 
#将idm的keytab文件复制到idm
[root@dns etc]# scp /tmp/idm idm.skills.com:/etc/krb5.keytab
#将app的keytab文件复制到app(分发完成后删除/tmp中的keytab副本)
[root@dns etc]# scp /tmp/app app.skills.com:/etc/krb5.keytab

配置KDC客户端

配置idm客户端

#安装客户端KDC服务
[root@idm ~]# yum install krb5-workstation krb5-libs -y
#使用keytab获取Kerberos凭据
[root@idm ~]# kinit -kt /etc/krb5.keytab nfs/idm.skills.com
[root@idm ~]# klist -k /etc/krb5.keytab      #查看keytab中的主体
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/idm.skills.com@SKILLS.COM
   2 nfs/idm.skills.com@SKILLS.COM
[root@idm ~]# klist                         #查询登录状态
Ticket cache: KCM:0
Default principal: nfs/idm.skills.com@SKILLS.COM

Valid starting       Expires              Service principal
04/01/2022 19:18:51  04/02/2022 19:18:51  krbtgt/SKILLS.COM@SKILLS.COM
        renew until 04/01/2022 19:18:51

配置app客户端

#安装客户端KDC服务
[root@app ~]# yum install krb5-workstation krb5-libs -y
#使用keytab获取Kerberos凭据
[root@app ~]# kinit -kt /etc/krb5.keytab nfs/app.skills.com
[root@app ~]# klist -k /etc/krb5.keytab      #查看keytab中的主体
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/app.skills.com@SKILLS.COM
   2 nfs/app.skills.com@SKILLS.COM
[root@app ~]# klist                         #查询登录状态
Ticket cache: KCM:0
Default principal: nfs/app.skills.com@SKILLS.COM

Valid starting       Expires              Service principal
04/01/2022 19:18:51  04/02/2022 19:18:51  krbtgt/SKILLS.COM@SKILLS.COM
        renew until 04/01/2022 19:18:51

#查看使用krb5p加密的挂载

[root@app ~]# mount |grep kr   #确认挂载选项中为sec=krb5p
idm.skills.com:/srv/tmp on /opt/tmp type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.10.20.104,local_lock=none,addr=10.10.20.103)
idm.skills.com:/srv/share on /opt/share type nfs4 (rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5p,clientaddr=10.10.20.104,local_lock=none,addr=10.10.20.103)