nfs krb5 nfs krb5p

转载

mob6454cc70863a 2024-06-10 20:41:42

文章标签 nfs krb5 linux 服务器 centos python 文章分类 运维

昨天有个粉丝在一个群里问一个这样的问题，如图：

nfs krb5 nfs krb5p_linux

然后我也有一个类似的问题，如图：

nfs krb5 nfs krb5p_nfs krb5_02

经过比对可以看到我的这个更详细一点，也更简单一点，于是我就在我的题目上加一点改动，就是加上粉丝那道题的加密。

那位粉丝最后我了解了一下还是不懂题意，理解也有错误盲区，我就先给大家讲解一下题目的意思，按照粉丝的题目讲，配置linux3为nfs服务，然后创建一个名为/srv/share和/srv/tmp的共享目录，其中/srv/share目录要让指定的网段用户能够读写，并且还有将所有用户映射为tom用户，还有kdc加密（krb5p）；然后就是/srv/tmp就是所有的用户都可以读写，还包括root用户，再就是每个用户不会改变身份，还要kdc加密（krb5p）。我说的这些都是要在/etc/exports文件里写。但不过也怪我，没和那个粉丝说清楚。

第八题就很简单，字面意思凡是会点linux的都会弄，我也就不讲了，现在就在我的题目上添加一个要/srv/share文件kdc加密（krb5p），题目也是很详解，就不多说了，开始解题：

服务端（nfs和kdc）：

首先我们先要安装krb5加密服务

[root@localhost yum.repos.d]# yum install -y *krb5*
Last metadata expiration check: 0:21:16 ago on Mon 10 Oct 2022 05:36:03 AM EDT.
Package krb5-devel-1.18.2-14.el8.x86_64 is already installed.
Package krb5-libs-1.18.2-14.el8.x86_64 is already installed.
Package sssd-krb5-2.6.2-3.el8.x86_64 is already installed.
Package sssd-krb5-common-2.6.2-3.el8.x86_64 is already installed.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                                  Architecture                         Version                                                               Repository                               Size
===================================================================================================================================================================================================================
Installing:
 freeradius-krb5                                          x86_64                               3.0.20-12.module+el8.6.0+798+87c3dbe0                                 AppStream                                87 k
 krb5-pkinit                                              x86_64                               1.18.2-14.el8                                                         BaseOS                                  174 k
 krb5-server                                              x86_64                               1.18.2-14.el8                                                         BaseOS                                  1.1 M
 krb5-server-ldap                                         x86_64                               1.18.2-14.el8                                                         BaseOS                                  204 k
 krb5-workstation                                         x86_64                               1.18.2-14.el8                                                         BaseOS                                  956 k
 samba-krb5-printing                                      x86_64                               4.15.5-5.el8                                                          BaseOS                                  100 k
 samba-winbind-krb5-locator                               x86_64                               4.15.5-5.el8                                                          BaseOS                                  103 k
Installing dependencies:
 freeradius                                               x86_64                               3.0.20-12.module+el8.6.0+798+87c3dbe0                                 AppStream                               1.1 M
 make                                                     x86_64                               1:4.2.1-11.el8                                                        BaseOS                                  497 k
 python3-dns                                              noarch                               1.15.0-10.el8                                                         BaseOS                                  252 k
 python3-ldb                                              x86_64                               2.4.1-1.el8                                                           BaseOS                                   64 k
 python3-samba                                            x86_64                               4.15.5-5.el8                                                          BaseOS                                  3.3 M
 python3-talloc                                           x86_64                               2.3.3-1.el8                                                           BaseOS                                   28 k
 python3-tdb                                              x86_64                               1.4.4-1.el8                                                           BaseOS                                   28 k
 python3-tevent                                           x86_64                               0.11.0-0.el8                                                          BaseOS                                   25 k
 samba                                                    x86_64                               4.15.5-5.el8                                                          BaseOS                                  867 k
 samba-client                                             x86_64                               4.15.5-5.el8                                                          BaseOS                                  714 k
 samba-common-tools                                       x86_64                               4.15.5-5.el8                                                          BaseOS                                  521 k
 samba-libs                                               x86_64                               4.15.5-5.el8                                                          BaseOS                                  174 k
 samba-winbind                                            x86_64                               4.15.5-5.el8                                                          BaseOS                                  557 k
 samba-winbind-modules                                    x86_64                               4.15.5-5.el8                                                          BaseOS                                  131 k
 tdb-tools                                                x86_64                               1.4.4-1.el8                                                           BaseOS                                   42 k
Enabling module streams:
 freeradius                                                                                    3.0                                                                                                                

Transaction Summary
===================================================================================================================================================================================================================
Install  22 Packages

Total size: 11 M
Installed size: 37 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Installing       : samba-libs-4.15.5-5.el8.x86_64                                                                                                                                                           1/22 
  Installing       : python3-tdb-1.4.4-1.el8.x86_64                                                                                                                                                           2/22 
  Installing       : python3-ldb-2.4.1-1.el8.x86_64                                                                                                                                                           3/22 
  Installing       : samba-winbind-modules-4.15.5-5.el8.x86_64                                                                                                                                                4/22 
  Installing       : tdb-tools-1.4.4-1.el8.x86_64                                                                                                                                                             5/22 
  Installing       : samba-client-4.15.5-5.el8.x86_64                                                                                                                                                         6/22 
  Running scriptlet: samba-client-4.15.5-5.el8.x86_64                                                                                                                                                         6/22 
  Installing       : python3-tevent-0.11.0-0.el8.x86_64                                                                                                                                                       7/22 
  Installing       : python3-talloc-2.3.3-1.el8.x86_64                                                                                                                                                        8/22 
  Installing       : python3-dns-1.15.0-10.el8.noarch                                                                                                                                                         9/22 
  Installing       : samba-4.15.5-5.el8.x86_64                                                                                                                                                               10/22 
  Running scriptlet: samba-4.15.5-5.el8.x86_64                                                                                                                                                               10/22 
  Installing       : python3-samba-4.15.5-5.el8.x86_64                                                                                                                                                       11/22 
  Installing       : samba-common-tools-4.15.5-5.el8.x86_64                                                                                                                                                  12/22 
  Running scriptlet: samba-winbind-4.15.5-5.el8.x86_64                                                                                                                                                       13/22 
  Installing       : samba-winbind-4.15.5-5.el8.x86_64                                                                                                                                                       13/22 
  Running scriptlet: samba-winbind-4.15.5-5.el8.x86_64                                                                                                                                                       13/22 
  Installing       : make-1:4.2.1-11.el8.x86_64                                                                                                                                                              14/22 
  Running scriptlet: make-1:4.2.1-11.el8.x86_64                                                                                                                                                              14/22 
  Running scriptlet: freeradius-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64                                                                                                                                 15/22 
  Installing       : freeradius-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64                                                                                                                                 15/22 
  Running scriptlet: freeradius-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64                                                                                                                                 15/22 
  Installing       : krb5-server-1.18.2-14.el8.x86_64                                                                                                                                                        16/22 
  Running scriptlet: krb5-server-1.18.2-14.el8.x86_64                                                                                                                                                        16/22 
  Installing       : krb5-server-ldap-1.18.2-14.el8.x86_64                                                                                                                                                   17/22 
  Installing       : freeradius-krb5-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64                                                                                                                            18/22 
  Installing       : samba-winbind-krb5-locator-4.15.5-5.el8.x86_64                                                                                                                                          19/22 
  Running scriptlet: samba-winbind-krb5-locator-4.15.5-5.el8.x86_64                                                                                                                                          19/22 
  Installing       : samba-krb5-printing-4.15.5-5.el8.x86_64                                                                                                                                                 20/22 
  Running scriptlet: samba-krb5-printing-4.15.5-5.el8.x86_64                                                                                                                                                 20/22 
  Installing       : krb5-workstation-1.18.2-14.el8.x86_64                                                                                                                                                   21/22 
  Installing       : krb5-pkinit-1.18.2-14.el8.x86_64                                                                                                                                                        22/22 
  Running scriptlet: krb5-pkinit-1.18.2-14.el8.x86_64                                                                                                                                                        22/22 
  Verifying        : krb5-pkinit-1.18.2-14.el8.x86_64                                                                                                                                                         1/22 
  Verifying        : krb5-server-1.18.2-14.el8.x86_64                                                                                                                                                         2/22 
  Verifying        : krb5-server-ldap-1.18.2-14.el8.x86_64                                                                                                                                                    3/22 
  Verifying        : krb5-workstation-1.18.2-14.el8.x86_64                                                                                                                                                    4/22 
  Verifying        : make-1:4.2.1-11.el8.x86_64                                                                                                                                                               5/22 
  Verifying        : python3-dns-1.15.0-10.el8.noarch                                                                                                                                                         6/22 
  Verifying        : python3-ldb-2.4.1-1.el8.x86_64                                                                                                                                                           7/22 
  Verifying        : python3-samba-4.15.5-5.el8.x86_64                                                                                                                                                        8/22 
  Verifying        : python3-talloc-2.3.3-1.el8.x86_64                                                                                                                                                        9/22 
  Verifying        : python3-tdb-1.4.4-1.el8.x86_64                                                                                                                                                          10/22 
  Verifying        : python3-tevent-0.11.0-0.el8.x86_64                                                                                                                                                      11/22 
  Verifying        : samba-4.15.5-5.el8.x86_64                                                                                                                                                               12/22 
  Verifying        : samba-client-4.15.5-5.el8.x86_64                                                                                                                                                        13/22 
  Verifying        : samba-common-tools-4.15.5-5.el8.x86_64                                                                                                                                                  14/22 
  Verifying        : samba-krb5-printing-4.15.5-5.el8.x86_64                                                                                                                                                 15/22 
  Verifying        : samba-libs-4.15.5-5.el8.x86_64                                                                                                                                                          16/22 
  Verifying        : samba-winbind-4.15.5-5.el8.x86_64                                                                                                                                                       17/22 
  Verifying        : samba-winbind-krb5-locator-4.15.5-5.el8.x86_64                                                                                                                                          18/22 
  Verifying        : samba-winbind-modules-4.15.5-5.el8.x86_64                                                                                                                                               19/22 
  Verifying        : tdb-tools-1.4.4-1.el8.x86_64                                                                                                                                                            20/22 
  Verifying        : freeradius-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64                                                                                                                                 21/22 
  Verifying        : freeradius-krb5-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64                                                                                                                            22/22 

Installed:
  freeradius-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64    freeradius-krb5-3.0.20-12.module+el8.6.0+798+87c3dbe0.x86_64    krb5-pkinit-1.18.2-14.el8.x86_64     krb5-server-1.18.2-14.el8.x86_64                 
  krb5-server-ldap-1.18.2-14.el8.x86_64                      krb5-workstation-1.18.2-14.el8.x86_64                           make-1:4.2.1-11.el8.x86_64           python3-dns-1.15.0-10.el8.noarch                 
  python3-ldb-2.4.1-1.el8.x86_64                             python3-samba-4.15.5-5.el8.x86_64                               python3-talloc-2.3.3-1.el8.x86_64    python3-tdb-1.4.4-1.el8.x86_64                   
  python3-tevent-0.11.0-0.el8.x86_64                         samba-4.15.5-5.el8.x86_64                                       samba-client-4.15.5-5.el8.x86_64     samba-common-tools-4.15.5-5.el8.x86_64           
  samba-krb5-printing-4.15.5-5.el8.x86_64                    samba-libs-4.15.5-5.el8.x86_64                                  samba-winbind-4.15.5-5.el8.x86_64    samba-winbind-krb5-locator-4.15.5-5.el8.x86_64   
  samba-winbind-modules-4.15.5-5.el8.x86_64                  tdb-tools-1.4.4-1.el8.x86_64                                   

Complete!

再就是安装nfs服务

[root@localhost yum.repos.d]# yum install -y *nfs*
Last metadata expiration check: 0:24:50 ago on Mon 10 Oct 2022 05:36:03 AM EDT.
Package libnfsidmap-1:2.3.3-51.el8.x86_64 is already installed.
Package nfs-utils-1:2.3.3-51.el8.x86_64 is already installed.
Package sssd-nfs-idmap-2.6.2-3.el8.x86_64 is already installed.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                                   Architecture                               Version                                                  Repository                                     Size
===================================================================================================================================================================================================================
Installing:
 nfs4-acl-tools                                            x86_64                                     0.3.5-3.el8                                              BaseOS                                         53 k
 pcp-pmda-nfsclient                                        x86_64                                     5.3.5-8.el8                                              AppStream                                      54 k
 texlive-mfnfss                                            noarch                                     7:20180414-25.el8                                        AppStream                                     195 k
 texlive-psnfss                                            noarch                                     7:20180414-25.el8                                        AppStream                                     528 k
Installing dependencies:
 perl-Filter                                               x86_64                                     2:1.58-2.el8                                             AppStream                                      81 k
 perl-Text-Unidecode                                       noarch                                     1.30-5.el8                                               AppStream                                     148 k
 perl-XML-Parser                                           x86_64                                     2.44-11.el8                                              AppStream                                     225 k
 perl-XML-XPath                                            noarch                                     1.42-3.el8                                               AppStream                                      87 k
 perl-encoding                                             x86_64                                     4:2.22-3.el8                                             AppStream                                      67 k
 perl-open                                                 noarch                                     1.11-421.el8                                             AppStream                                      77 k
 texlive-base                                              noarch                                     7:20180414-25.el8                                        AppStream                                     2.4 M
 texlive-graphics                                          noarch                                     7:20180414-25.el8                                        AppStream                                     2.0 M
 texlive-graphics-cfg                                      noarch                                     7:20180414-25.el8                                        AppStream                                      26 k
 texlive-hyphen-base                                       noarch                                     7:20180414-25.el8                                        AppStream                                      46 k
 texlive-kpathsea                                          x86_64                                     7:20180414-25.el8                                        AppStream                                     1.1 M
 texlive-lib                                               x86_64                                     7:20180414-25.el8                                        AppStream                                     540 k
 texlive-tetex                                             noarch                                     7:20180414-25.el8                                        AppStream                                     402 k
 texlive-texlive.infra                                     noarch                                     7:20180414-25.el8                                        AppStream                                     279 k

Transaction Summary
===================================================================================================================================================================================================================
Install  18 Packages

Total size: 8.2 M
Installed size: 24 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Running scriptlet: texlive-base-7:20180414-25.el8.noarch                                                                                                                                                    1/18 
  Installing       : texlive-base-7:20180414-25.el8.noarch                                                                                                                                                    1/18 
  Installing       : perl-XML-Parser-2.44-11.el8.x86_64                                                                                                                                                       2/18 
  Installing       : texlive-lib-7:20180414-25.el8.x86_64                                                                                                                                                     3/18 
  Installing       : perl-Text-Unidecode-1.30-5.el8.noarch                                                                                                                                                    4/18 
  Installing       : perl-Filter-2:1.58-2.el8.x86_64                                                                                                                                                          5/18 
  Installing       : perl-encoding-4:2.22-3.el8.x86_64                                                                                                                                                        6/18 
  Installing       : perl-open-1.11-421.el8.noarch                                                                                                                                                            7/18 
  Installing       : perl-XML-XPath-1.42-3.el8.noarch                                                                                                                                                         8/18 
  Installing       : texlive-texlive.infra-7:20180414-25.el8.noarch                                                                                                                                           9/18 
  Installing       : texlive-tetex-7:20180414-25.el8.noarch                                                                                                                                                  10/18 
  Installing       : texlive-kpathsea-7:20180414-25.el8.x86_64                                                                                                                                               11/18 
  Running scriptlet: texlive-kpathsea-7:20180414-25.el8.x86_64                                                                                                                                               11/18 
  Installing       : texlive-graphics-cfg-7:20180414-25.el8.noarch                                                                                                                                           12/18 
  Installing       : texlive-graphics-7:20180414-25.el8.noarch                                                                                                                                               13/18 
  Installing       : texlive-hyphen-base-7:20180414-25.el8.noarch                                                                                                                                            14/18 
  Installing       : texlive-psnfss-7:20180414-25.el8.noarch                                                                                                                                                 15/18 
  Installing       : texlive-mfnfss-7:20180414-25.el8.noarch                                                                                                                                                 16/18 
  Installing       : pcp-pmda-nfsclient-5.3.5-8.el8.x86_64                                                                                                                                                   17/18 
  Installing       : nfs4-acl-tools-0.3.5-3.el8.x86_64                                                                                                                                                       18/18 
  Running scriptlet: texlive-base-7:20180414-25.el8.noarch                                                                                                                                                   18/18 
  Running scriptlet: nfs4-acl-tools-0.3.5-3.el8.x86_64                                                                                                                                                       18/18 
  Running scriptlet: texlive-kpathsea-7:20180414-25.el8.x86_64                                                                                                                                               18/18 
  Verifying        : nfs4-acl-tools-0.3.5-3.el8.x86_64                                                                                                                                                        1/18 
  Verifying        : pcp-pmda-nfsclient-5.3.5-8.el8.x86_64                                                                                                                                                    2/18 
  Verifying        : perl-Filter-2:1.58-2.el8.x86_64                                                                                                                                                          3/18 
  Verifying        : perl-Text-Unidecode-1.30-5.el8.noarch                                                                                                                                                    4/18 
  Verifying        : perl-XML-Parser-2.44-11.el8.x86_64                                                                                                                                                       5/18 
  Verifying        : perl-XML-XPath-1.42-3.el8.noarch                                                                                                                                                         6/18 
  Verifying        : perl-encoding-4:2.22-3.el8.x86_64                                                                                                                                                        7/18 
  Verifying        : perl-open-1.11-421.el8.noarch                                                                                                                                                            8/18 
  Verifying        : texlive-base-7:20180414-25.el8.noarch                                                                                                                                                    9/18 
  Verifying        : texlive-graphics-7:20180414-25.el8.noarch                                                                                                                                               10/18 
  Verifying        : texlive-graphics-cfg-7:20180414-25.el8.noarch                                                                                                                                           11/18 
  Verifying        : texlive-hyphen-base-7:20180414-25.el8.noarch                                                                                                                                            12/18 
  Verifying        : texlive-kpathsea-7:20180414-25.el8.x86_64                                                                                                                                               13/18 
  Verifying        : texlive-lib-7:20180414-25.el8.x86_64                                                                                                                                                    14/18 
  Verifying        : texlive-mfnfss-7:20180414-25.el8.noarch                                                                                                                                                 15/18 
  Verifying        : texlive-psnfss-7:20180414-25.el8.noarch                                                                                                                                                 16/18 
  Verifying        : texlive-tetex-7:20180414-25.el8.noarch                                                                                                                                                  17/18 
  Verifying        : texlive-texlive.infra-7:20180414-25.el8.noarch                                                                                                                                          18/18 

Installed:
  nfs4-acl-tools-0.3.5-3.el8.x86_64                pcp-pmda-nfsclient-5.3.5-8.el8.x86_64                 perl-Filter-2:1.58-2.el8.x86_64                      perl-Text-Unidecode-1.30-5.el8.noarch              
  perl-XML-Parser-2.44-11.el8.x86_64               perl-XML-XPath-1.42-3.el8.noarch                      perl-encoding-4:2.22-3.el8.x86_64                    perl-open-1.11-421.el8.noarch                      
  texlive-base-7:20180414-25.el8.noarch            texlive-graphics-7:20180414-25.el8.noarch             texlive-graphics-cfg-7:20180414-25.el8.noarch        texlive-hyphen-base-7:20180414-25.el8.noarch       
  texlive-kpathsea-7:20180414-25.el8.x86_64        texlive-lib-7:20180414-25.el8.x86_64                  texlive-mfnfss-7:20180414-25.el8.noarch              texlive-psnfss-7:20180414-25.el8.noarch            
  texlive-tetex-7:20180414-25.el8.noarch           texlive-texlive.infra-7:20180414-25.el8.noarch       

Complete!

然后就是加个域名，因为加密时候可能要的

[root@localhost ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
20.20.20.22 apache.skills.com skills.com

将文件里所有的example.com改成自己的，该大写的都要大写

[root@localhost ~]# vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    default_realm = SKILLS.COM
#    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
llow-weak-crypto = true
denctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default-tkt-enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
udp_preference_limit = 0
default_realm = SKILLS.COM

[realms]
 SKILLS.COM = {
     kdc = apache.skills.com
     admin_server = apache.skills.com
 }
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
.skills.com=SKILLS.COM
skills.com=SKILLS.COM
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@localhost yum.repos.d]# vim /var/kerberos/krb5kdc/kadm5.acl 
*/admin@SKILLS.COM      *
[root@localhost yum.repos.d]# vim /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88
    spake_preauth_kdc_challenge = edwards25519

[realms]
SKILLS.COM=
     #master_key_type = aes256-cts
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
}

然后就是初始化数据库，在这里切记域名一定要大写，开启服务

[root@localhost krb5kdc]# kdb5_util create -s -r SKILLS.COM   #域名必须大写，不然会报错的
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SKILLS.COM',
master key name 'K/M@SKILLS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:   #密码随便输入
Re-enter KDC database master key to verify:  
[root@localhost krb5kdc]# systemctl restart kadmin.service krb5kdc.service   #重启两个服务

创建服务端的key和客服端的key，然后将自己的key下载下来

[root@localhost krb5kdc]# kadmin.local 
Authenticating as principal root/admin@SKILLS.COM with password.
kadmin.local:  addprinc root/admin     #添加Kerberos用户root并免密
No policy specified for root/admin@SKILLS.COM; defaulting to no policy
Enter password for principal "root/admin@SKILLS.COM": 
Re-enter password for principal "root/admin@SKILLS.COM": 
Principal "root/admin@SKILLS.COM" created.
kadmin.local:  addprinc -randkey nfs/apache.skills.com  #随机生成key
No policy specified for nfs/apache.skills.com@SKILLS.COM; defaulting to no policy
Principal "nfs/apache.skills.com@SKILLS.COM" created.
kadmin.local:  addprinc -randkey nfs/tomcat.skills.com
No policy specified for nfs/tomcat.skills.com@SKILLS.COM; defaulting to no policy
Principal "nfs/tomcat.skills.com@SKILLS.COM" created.
kadmin.local:  ktadd nfs/apache.skills.com
Entry for principal nfs/apache.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  listprincs   #查看
K/M@SKILLS.COM
kadmin/admin@SKILLS.COM
kadmin/apache.skills.com@SKILLS.COM
kadmin/changepw@SKILLS.COM
kiprop/apache.skills.com@SKILLS.COM
krbtgt/SKILLS.COM@SKILLS.COM
nfs/apache.skills.com@SKILLS.COM
nfs/tomcat.skills.com@SKILLS.COM
root/admin@SKILLS.COM
kadmin.local:  q    
[root@localhost yum.repos.d]# systemctl enable krb5kdc kadmin   #加入开机启动
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.

按照我的题目是要给/srv/tmp目录添加粘滞位的，让其他的用户无法删除别的用户的文件，而粉丝的那道题是不用的

[root@localhost krb5kdc]# mkdir -p /srv/share
[root@localhost krb5kdc]# mkdir -p /srv/tmp  
[root@localhost krb5kdc]# cd 
[root@localhost ~]# chmod -Rf 777 /srv/   #添加777权限
[root@localhost ~]# ls -l /srv/
total 0
drwxrwxrwx. 2 root root 6 Oct 10 08:03 share
drwxrwxrwx. 2 root root 6 Oct 10 08:03 tmp
[root@localhost ~]# chmod o+t /srv/tmp/   #o是其他用户，t是粘滞位（其他用户不能删除别的用户的文件，只能自己删自己的）
[root@localhost ~]# ls -l /srv/
total 0
drwxrwxrwx. 2 root root 6 Oct 10 08:03 share
drwxrwxrwt. 2 root root 6 Oct 10 08:03 tmp  #添加粘滞位后可以看到最后的x变成了t

按照这俩个题目来说就是要创建一个tom用户，然后映射成它。我的题目还要修改用户tom的UID和GID，而粉丝的不用，但不过跟我的一样解答。再就是按照粉丝的题目一下查看root用户，将id记住，等一下有用。

[root@localhost ~]# useradd tom   #创建用户tom
[root@localhost ~]# id tom  #查看tom的id
uid=1001(tom) gid=1001(tom) groups=1001(tom)
[root@localhost ~]# usermod  -u 222 tom   #更改tom的uid
[root@localhost ~]# groupmod  -g 222 tom    #更改tom的gid
[root@localhost ~]# id tom  
uid=222(tom) gid=222(tom) groups=222(tom)
[root@localhost ~]# id root   
uid=0(root) gid=0(root) groups=0(root)

修改/etc/exports配置文件，配置文件的讲解在下面，配置完后就是保存退出，然后重启服务，差点忘了还有修改tom的家目录，对了所有用户的就不加密了

[root@localhost ~]# vim /etc/exports
/srv/share 20.20.20.0/24(rw,sync,all_squash,root=squash,anonuid=222,anongid=222,sec=krb5p) *(ro,sync)
/srv/tmp *(rw,sync,root_squash,anonuid=0,anongid=0)
[root@localhost ~]# mv /home/tom/ /home/tomdir  #修改tom用户的家目录
[root@localhost ~]# systemctl restart rpcbind.service   #必须要先重启这个服务，不然客服机就找不到路径的
[root@localhost ~]# systemctl restart nfs-server.service  #重启nfs服务 
[root@localhost ~]# showmount -e 20.20.20.22  #查看nfs可挂载文件
Export list for 20.20.20.22:
/srv/tmp   *
/srv/share (everyone)

rw：read-write，可读写；
ro：read-only，只读；
sync：文件同时写入硬盘和内存；
async：文件暂存于内存，而不是直接写入内存；
no_root_squash：NFS客户端连接服务端时如果使用的是root的话，那么对服务端分享的目录来说，也拥有root权限。显然开启这项是不安全的。
root_squash：NFS客户端连接服务端时如果使用的是root的话，那么对服务端分享的目录来说，拥有匿名用户权限，通常他将使用nobody或nfsnobody身份；
all_squash：不论NFS客户端连接服务端时使用什么用户，对服务端分享的目录来说都是拥有匿名用户权限；
anonuid：匿名用户的UID值，通常是nobody或nfsnobody，可以在此处自行设定；
anongid：匿名用户的GID值。
sec：加密方式。

将krb5.conf文件发给客服机

[root@localhost ~]# scp /etc/krb5.conf  root@20.20.20.23:/etc/krb5.conf
The authenticity of host '20.20.20.23 (20.20.20.23)' can't be established.
ECDSA key fingerprint is SHA256:5DAaR8QYev6CIdwEPTbZ5Aktl7xPJqzQvnpgX5PRZKY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '20.20.20.23' (ECDSA) to the list of known hosts.
root@20.20.20.23's password: 
krb5.conf                                                                100%  978   691.0KB/s   00:00

如果不理解可以私信博主解答

客服机：

安装krb5服务和nfs服务，命令：

yum install -y *krb5*
yum install -y *nfs*

登录kdc数据库，下载key

[root@localhost ~]# kadmin
Authenticating as principal root/admin@SKILLS.COM with password.
Password for root/admin@SKILLS.COM: 
kadmin:  ktadd nfs/tomcat.skills.com
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.

重启nfs服务，查看可挂载文件，然后创建挂载文件夹，进行挂载，在使用命令查看一下是否挂载成功

[root@localhost ~]# systemctl restart nfs-utils.service 
[root@localhost ~]# showmount -e 20.20.20.22
Export list for 20.20.20.22:
/srv/tmp   *
/srv/share (everyone)
[root@localhost ~]# mkdir /nfs
[root@localhost ~]# vim /etc/fstab 
# /etc/fstab
# Created by anaconda on Fri Sep 30 17:03:51 2022
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rl-root     /                       xfs     defaults        0 0
UUID=d0a0c348-978d-4e45-a6a1-180671711e93 /boot                   xfs     defaults        0 0
/dev/mapper/rl-swap     none                    swap    defaults        0 0
/dev/cdrom   /mnt/cdrom    iso9660   defaults   0 0
20.20.20.22:/srv /nfs nfs defaults 0 0
[root@localhost ~]# mount -a
[root@localhost ~]# df
Filesystem          1K-blocks     Used Available Use% Mounted on
devtmpfs               381692        0    381692   0% /dev
tmpfs                  412016        0    412016   0% /dev/shm
tmpfs                  412016    11760    400256   3% /run
tmpfs                  412016        0    412016   0% /sys/fs/cgroup
/dev/mapper/rl-root  17811456  7138920  10672536  41% /
/dev/nvme0n1p1        1038336   260224    778112  26% /boot
tmpfs                   82400       52     82348   1% /run/user/0
/dev/sr0             10950568 10950568         0 100% /mnt/cdrom
20.20.20.22:/srv     17811456  7165056  10646400  41% /nfs

我就先解到这，剩下的改天就发。

本文章为转载内容，我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题，欢迎原作者联系我们进行内容更正或删除文章。