Yesterday a follower asked a question like this in a group chat (see the screenshot):
I also have a similar exercise (see the screenshot):
Comparing the two, mine is a bit more detailed and also a bit simpler, so I will make a small change to my exercise: add the encryption requirement from the follower's exercise.
After talking with that follower I learned they still did not understand the question and had some blind spots in their understanding, so I will first explain what the exercise asks. Going by the follower's version: configure linux3 as an NFS server and create two shared directories, /srv/share and /srv/tmp. /srv/share must be readable and writable by users from a specified subnet, all users must be mapped to the tom user, and it must use KDC encryption (krb5p). /srv/tmp must be readable and writable by all users, root included, every user keeps their own identity, and it must also use KDC encryption (krb5p). Everything I just listed goes into the /etc/exports file. Partly my fault too, though: I did not explain this clearly to the follower.
Question eight is simple; anyone who knows a bit of Linux can do it from the literal wording, so I will not go over it. I now add one requirement to my exercise: /srv/share must use KDC encryption (krb5p). The exercise statement is already detailed, so without further ado, let's solve it:
Server (NFS and KDC):
First install the krb5 packages
[root@localhost yum.repos.d]# yum install -y *krb5*
Next install the NFS packages
[root@localhost yum.repos.d]# yum install -y *nfs*
Then add a host name entry, because the Kerberos setup will need it
[root@localhost ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
20.20.20.22 apache.skills.com skills.com
Change every example.com in the file to your own domain, and keep uppercase wherever the original is uppercase
[root@localhost ~]# vim /etc/krb5.conf
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = SKILLS.COM
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
# The next three lines are garbled in the original (llow-weak-crypto, denctypes,
# default-tkt-enctypes), so libkrb5 ignored them; the intended names are most likely the
# ones shown here. They stay commented out because they only enable legacy RC4/DES
# enctypes, which the krb5p setup below does not need.
# allow_weak_crypto = true
# default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
udp_preference_limit = 0
[realms]
SKILLS.COM = {
kdc = apache.skills.com
admin_server = apache.skills.com
}
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
.skills.com=SKILLS.COM
skills.com=SKILLS.COM
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@localhost yum.repos.d]# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@SKILLS.COM *
[root@localhost yum.repos.d]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
spake_preauth_kdc_challenge = edwards25519
[realms]
SKILLS.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
}
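Before running kdb5_util it is worth checking the two files above for exactly the slips they contain. This is an added example, not part of the original post: a small Python linter for the profile syntax that krb5.conf and kdc.conf share. The embedded sample is a constructed copy of the post's [libdefaults] and [realms] sections with the typos left in, and the set of accepted [libdefaults] names is limited to the ones this walkthrough uses.

```python
"""Lint a krb5.conf or kdc.conf before starting the KDC. Added example, not from the original
post: it parses the profile syntax both files share and flags the slips in the post's copies
(misspelt [libdefaults] keys libkrb5 ignores, duplicated default_realm, missing '{', lowercase realm)."""
import re

# Constructed sample: the post's krb5.conf [libdefaults] and [realms], typos included.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = SKILLS.COM
 llow-weak-crypto = true
 denctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default-tkt-enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
 default_realm = SKILLS.COM
[realms]
 SKILLS.COM = {
  kdc = apache.skills.com
  admin_server = apache.skills.com
 }
"""

# [libdefaults] relations this walkthrough uses; libkrb5 silently drops any other name.
LIBDEFAULTS_KEYS = {"dns_lookup_realm", "ticket_lifetime", "renew_lifetime", "forwardable", "rdns",
                    "pkinit_anchors", "spake_preauth_groups", "default_realm", "default_ccache_name",
                    "allow_weak_crypto", "default_tgs_enctypes", "default_tkt_enctypes"}

def parse_profile(text):
    """Return ({section: {key: [values]}}, [realms defined in [realms]], braces_balanced)."""
    sections, realms, section, depth, balanced = {}, [], None, 0, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                              # new section; the previous nesting must be closed
            balanced, depth, section = balanced and depth == 0, 0, header.group(1)
            sections.setdefault(section, {})
        elif line == "}":
            depth -= 1
            balanced = balanced and depth >= 0  # a '}' without an opening 'NAME = {'
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                    # nested block such as 'SKILLS.COM = {'
                if section == "realms" and depth == 0:
                    realms.append(key)
                depth += 1
            elif depth == 0 and section:        # top-level relation of the current section
                sections[section].setdefault(key, []).append(value)
    return sections, realms, balanced and depth == 0

def lint_profile(text):
    """Return human-readable findings; an empty list means the file looks consistent."""
    sections, realms, balanced = parse_profile(text)
    findings = []
    if not balanced:
        findings.append("unbalanced braces: a 'REALM = {' block is missing its '{' or '}'")
    for key, values in sections.get("libdefaults", {}).items():
        if key not in LIBDEFAULTS_KEYS:
            findings.append(f"[libdefaults] {key}: unknown relation, silently ignored")
        if len(values) > 1:
            findings.append(f"[libdefaults] {key}: set {len(values)} times")
    for realm in realms:
        if realm != realm.upper():
            findings.append(f"[realms] {realm}: realm names are case-sensitive, use uppercase")
    return findings
```

Run lint_profile on /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf after editing them; the kdc.conf line "SKILLS.COM=" without its brace shows up as an unbalanced-braces finding.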
Then initialise the database (the realm name here must be uppercase) and start the services
[root@localhost krb5kdc]# kdb5_util create -s -r SKILLS.COM # the realm must be uppercase, otherwise it errors out
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SKILLS.COM',
master key name 'K/M@SKILLS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: # type any password
Re-enter KDC database master key to verify:
[root@localhost krb5kdc]# systemctl restart kadmin.service krb5kdc.service # restart both services
Create the server's key and the client's key, then fetch the server's own key into its keytab
[root@localhost krb5kdc]# kadmin.local
Authenticating as principal root/admin@SKILLS.COM with password.
kadmin.local: addprinc root/admin # add the admin principal root/admin (set its password when prompted)
No policy specified for root/admin@SKILLS.COM; defaulting to no policy
Enter password for principal "root/admin@SKILLS.COM":
Re-enter password for principal "root/admin@SKILLS.COM":
Principal "root/admin@SKILLS.COM" created.
kadmin.local: addprinc -randkey nfs/apache.skills.com # generate the key randomly
No policy specified for nfs/apache.skills.com@SKILLS.COM; defaulting to no policy
Principal "nfs/apache.skills.com@SKILLS.COM" created.
kadmin.local: addprinc -randkey nfs/tomcat.skills.com
No policy specified for nfs/tomcat.skills.com@SKILLS.COM; defaulting to no policy
Principal "nfs/tomcat.skills.com@SKILLS.COM" created.
kadmin.local: ktadd nfs/apache.skills.com
Entry for principal nfs/apache.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/apache.skills.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
kadmin.local: listprincs # list the principals
K/M@SKILLS.COM
kadmin/admin@SKILLS.COM
kadmin/apache.skills.com@SKILLS.COM
kadmin/changepw@SKILLS.COM
kiprop/apache.skills.com@SKILLS.COM
krbtgt/SKILLS.COM@SKILLS.COM
nfs/apache.skills.com@SKILLS.COM
nfs/tomcat.skills.com@SKILLS.COM
root/admin@SKILLS.COM
kadmin.local: q
[root@localhost yum.repos.d]# systemctl enable krb5kdc kadmin # enable at boot
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.
My exercise requires the sticky bit on /srv/tmp so that users cannot delete other users' files; the follower's exercise does not.
[root@localhost krb5kdc]# mkdir -p /srv/share
[root@localhost krb5kdc]# mkdir -p /srv/tmp
[root@localhost krb5kdc]# cd
[root@localhost ~]# chmod -Rf 777 /srv/ # grant 777 permissions
[root@localhost ~]# ls -l /srv/
total 0
drwxrwxrwx. 2 root root 6 Oct 10 08:03 share
drwxrwxrwx. 2 root root 6 Oct 10 08:03 tmp
[root@localhost ~]# chmod o+t /srv/tmp/ # o is other users, t is the sticky bit (other users cannot delete files that are not their own, only their own)
[root@localhost ~]# ls -l /srv/
total 0
drwxrwxrwx. 2 root root 6 Oct 10 08:03 share
drwxrwxrwt. 2 root root 6 Oct 10 08:03 tmp # after adding the sticky bit the trailing x is shown as t
Going by both exercises, create a user tom and map everyone to it. My exercise also requires changing tom's UID and GID; the follower's does not, but the rest is solved the same way. Then, per the follower's exercise, check the root user and remember its id; it will be needed in a moment.
[root@localhost ~]# useradd tom # create user tom
[root@localhost ~]# id tom # check tom's id
uid=1001(tom) gid=1001(tom) groups=1001(tom)
[root@localhost ~]# usermod -u 222 tom # change tom's uid
[root@localhost ~]# groupmod -g 222 tom # change tom's gid
[root@localhost ~]# id tom
uid=222(tom) gid=222(tom) groups=222(tom)
[root@localhost ~]# id root
uid=0(root) gid=0(root) groups=0(root)
Edit the /etc/exports config file (the options are explained below). After configuring, save and quit, then restart the services. I almost forgot: tom's home directory also has to be changed. Oh, and the all-users share will not be encrypted.
[root@localhost ~]# vim /etc/exports
/srv/share 20.20.20.0/24(rw,sync,all_squash,root_squash,anonuid=222,anongid=222,sec=krb5p) *(ro,sync)
/srv/tmp *(rw,sync,root_squash,anonuid=0,anongid=0)
[root@localhost ~]# mv /home/tom/ /home/tomdir # change tom's home directory
[root@localhost ~]# systemctl restart rpcbind.service # this service must be restarted first, otherwise the client cannot find the path
[root@localhost ~]# systemctl restart nfs-server.service # restart the NFS service
[root@localhost ~]# showmount -e 20.20.20.22 # list what NFS exports can be mounted
Export list for 20.20.20.22:
/srv/tmp *
/srv/share (everyone)
rw: read-write;
ro: read-only;
sync: data is written to disk and memory at the same time;
async: data is held in memory first rather than written straight to disk;
no_root_squash: if the NFS client connects as root, it also has root rights on the exported directory. Obviously enabling this is unsafe.
root_squash: if the NFS client connects as root, it gets anonymous-user rights on the exported directory, normally the nobody or nfsnobody identity;
all_squash: whatever user the NFS client connects as, it gets anonymous-user rights on the exported directory;
anonuid: the UID of the anonymous user, normally nobody or nfsnobody; it can be set here by hand;
anongid: the GID of the anonymous user.
sec: the security flavour (encryption mode, e.g. krb5p).
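As an added example (not part of the original post), the checker below parses /etc/exports entries the way exports(5) describes them and reports what goes wrong in the file above: the root=squash typo that exportfs rejects, a root_squash that anonuid=0 turns back into root, and a client entry on /srv/share that does not require sec=krb5p. The embedded sample is a constructed copy of the post's two lines, and the set of accepted option names is limited to common ones.

```python
"""Lint /etc/exports for the slips this walkthrough makes.
Added example, not from the original post: it parses each 'path client(options)' entry and
flags the 'root=squash' typo exportfs rejects, a root_squash undone by anonuid=0, and any
client entry on a share that was meant to be krb5p-only but does not say sec=krb5p."""

# Constructed sample: the post's /etc/exports exactly as first written (typo included).
SAMPLE_EXPORTS = """\
/srv/share 20.20.20.0/24(rw,sync,all_squash,root=squash,anonuid=222,anongid=222,sec=krb5p) *(ro,sync)
/srv/tmp *(rw,sync,root_squash,anonuid=0,anongid=0)
"""

# Option names exports(5) accepts; anything else makes exportfs report an unknown keyword.
FLAG_OPTIONS = {"rw", "ro", "sync", "async", "root_squash", "no_root_squash", "all_squash",
                "no_all_squash", "subtree_check", "no_subtree_check", "secure", "insecure",
                "wdelay", "no_wdelay", "hide", "nohide", "crossmnt"}
VALUE_OPTIONS = {"anonuid", "anongid", "sec", "fsid"}


def parse_exports(text):
    """Yield (path, client, options) per client entry; flags map to '' and key=value to value."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:                   # e.g. '20.20.20.0/24(rw,sync)' or a bare '*'
            client, _, option_str = token.partition("(")
            options = {}
            for item in filter(None, option_str.rstrip(")").split(",")):
                key, _, value = item.partition("=")
                options[key] = value
            yield path, client, options


def lint_exports(text, krb5p_paths=("/srv/share",)):
    """Return findings for the exports text; krb5p_paths are the shares that must use krb5p."""
    findings = []
    for path, client, options in parse_exports(text):
        where = f"{path} {client}"
        for key in options:
            if key not in FLAG_OPTIONS and key not in VALUE_OPTIONS:
                findings.append(f"{where}: unknown option '{key}', exportfs reports an unknown keyword")
        if "no_root_squash" in options:
            findings.append(f"{where}: no_root_squash lets remote root act as root on the server")
        if "root_squash" in options and options.get("anonuid") == "0":
            findings.append(f"{where}: root_squash with anonuid=0 still maps root to uid 0")
        if path in krb5p_paths and options.get("sec") != "krb5p":
            findings.append(f"{where}: sec={options.get('sec', 'sys')} here lets this client skip Kerberos")
    return findings
```

The second finding matters because exports(5) matches a client against the most specific entry, so hosts outside 20.20.20.0/24 fall through to the *(ro,sync) entry and read /srv/share with sec=sys.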
Send krb5.conf to the client
[root@localhost ~]# scp /etc/krb5.conf root@20.20.20.23:/etc/krb5.conf
The authenticity of host '20.20.20.23 (20.20.20.23)' can't be established.
ECDSA key fingerprint is SHA256:5DAaR8QYev6CIdwEPTbZ5Aktl7xPJqzQvnpgX5PRZKY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '20.20.20.23' (ECDSA) to the list of known hosts.
root@20.20.20.23's password:
krb5.conf 100% 978 691.0KB/s 00:00
If anything is unclear, message me and I will explain.
Client:
Install the krb5 and NFS packages with these commands:
yum install -y *krb5*
yum install -y *nfs*
Log in to the KDC database and fetch the key
[root@localhost ~]# kadmin
Authenticating as principal root/admin@SKILLS.COM with password.
Password for root/admin@SKILLS.COM:
kadmin: ktadd nfs/tomcat.skills.com
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/tomcat.skills.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Restart the NFS service, list the mountable exports, create the mount directory, mount it, then check with a command whether the mount succeeded
[root@localhost ~]# systemctl restart nfs-utils.service
[root@localhost ~]# showmount -e 20.20.20.22
Export list for 20.20.20.22:
/srv/tmp *
/srv/share (everyone)
[root@localhost ~]# mkdir /nfs
[root@localhost ~]# vim /etc/fstab
# /etc/fstab
# Created by anaconda on Fri Sep 30 17:03:51 2022
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rl-root / xfs defaults 0 0
UUID=d0a0c348-978d-4e45-a6a1-180671711e93 /boot xfs defaults 0 0
/dev/mapper/rl-swap none swap defaults 0 0
/dev/cdrom /mnt/cdrom iso9660 defaults 0 0
20.20.20.22:/srv /nfs nfs defaults 0 0
[root@localhost ~]# mount -a
[root@localhost ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 381692 0 381692 0% /dev
tmpfs 412016 0 412016 0% /dev/shm
tmpfs 412016 11760 400256 3% /run
tmpfs 412016 0 412016 0% /sys/fs/cgroup
/dev/mapper/rl-root 17811456 7138920 10672536 41% /
/dev/nvme0n1p1 1038336 260224 778112 26% /boot
tmpfs 82400 52 82348 1% /run/user/0
/dev/sr0 10950568 10950568 0 100% /mnt/cdrom
20.20.20.22:/srv 17811456 7165056 10646400 41% /nfs
I will stop here for now; the rest will be posted another day.