1. NFS concepts
1. The Network File System (NFS) is the network file system commonly used by Unix systems and network-attached storage filers; it lets multiple clients share access to files over the network. It can provide access to shared binary directories, and it can let users in the same workgroup reach their files from different clients.
2. The NFS protocol exists in several versions: Linux supports versions 4, 3 and 2, while most system administrators are familiar with NFSv3. By default the protocol is not secure, but newer versions (such as NFSv4) support stronger authentication and can even encrypt traffic through Kerberos.
2. NFS server configuration
To configure a basic NFS server, first install the nfs-utils package. Then edit /etc/exports to list the file systems shared with client systems over the network, and specify which clients get what kind of access to each export.
######## 1. Installation and configuration #########
[[email protected] ~]# yum install nfs-utils -y
[[email protected] ~]# systemctl start nfs-server
[[email protected] ~]# systemctl enable nfs-server
[[email protected] ~]# systemctl status firewalld
[[email protected] ~]# firewall-cmd --permanent --add-service=rpc-bind
success
[[email protected] ~]# firewall-cmd --permanent --add-service=nfs
success
[[email protected] ~]# firewall-cmd --permanent --add-service=mountd
success
[[email protected] ~]# firewall-cmd --reload
success
############ 2. Create the shared directory #############
[[email protected] ~]# mkdir /public
[[email protected] ~]# touch /public/westostest{1..3}
[[email protected] ~]# vim /etc/exports ## see man 5 exports
/public *(sync) ## share /public with everyone, with synchronous writes
[[email protected] ~]# chmod 777 /public
[[email protected] ~]# vim /etc/exports
[[email protected] ~]# exportfs -rv ## re-export the edited configuration; never restart the nfs service for this, which makes it hang (a known bug)
[[email protected] ~]# vim /etc/exports
/public 172.25.4.10/24(sync) ## share /public with the 172.25.4.10/24 network
[[email protected] ~]# exportfs -rv
exporting 172.25.4.10/24:/public
[[email protected] ~]# vim /etc/exports
/public *.example.com(sync)
[[email protected] ~]# exportfs -rv
exporting *.example.com:/public
[[email protected] ~]# vim /etc/exports
/public 172.25.4.11(rw,sync)
[[email protected] ~]# exportfs -rv
exporting 172.25.4.11:/public
[[email protected] ~]# vim /etc/exports
/public 172.25.4.10(sync) 172.25.254.4(rw,sync,no_root_squash)
[[email protected] ~]# exportfs -rv
exporting 172.25.4.10:/public
exporting 172.25.254.4:/public
[[email protected] ~]# vim /etc/exports
/public *(rync,anonuid=1001,anongid=1000)
[[email protected] ~]# exportfs -rv
exportfs: /etc/exports:1: unknown keyword "rync"
Test:
[[email protected] ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
[[email protected] ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public *
[[email protected] ~]# mount 172.25.4.11:/public /mnt
[[email protected] ~]# cd /mnt
[[email protected] mnt]# ls
westostest1 westostest2 westostest3
[[email protected] mnt]# touch file
touch: cannot touch ‘file’: Read-only file system
[[email protected] mnt]# cd
[[email protected] ~]# umount /mnt/
[[email protected] ~]# mount 172.25.4.11:/public /mnt
[[email protected] ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3805844 6668056 37% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 13152 483556 3% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/sr0 3654720 3654720 0 100% /run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public 10473984 3129472 7344512 30% /mnt
[[email protected] ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public 172.25.4.10/24
[[email protected] ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public *.example.com
[[email protected] ~]# mount 172.25.4.11:/public /mnt
[[email protected] ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3805900 6668000 37% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 13152 483556 3% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/sr0 3654720 3654720 0 100% /run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public 10473984 3129472 7344512 30% /mnt
[[email protected] ~]# cd /mnt
[[email protected] mnt]# touch file
touch: cannot touch ‘file’: Read-only file system
[[email protected] ~]# umount /mnt
[[email protected] ~]# showmount -e 172.25.4.11
Export list for 172.25.4.11:
/public 172.25.4.11
[[email protected] ~]# mount 172.25.4.11:/public /mnt
mount.nfs: access denied by server while mounting 172.25.4.11:/public
[[email protected] ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3805848 6668052 37% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 13152 483556 3% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/sr0 3654720 3654720 0 100% /run/media/root/RHEL-7.0 Server.x86_64
[[email protected] ~]# cd /mnt
[[email protected] mnt]# touch file
[[email protected] mnt]# ls
file
Permanent mount:
[root@nfs-client ~]# vim /etc/fstab
172.25.254.10:/public /mnt nfs defaults 0 0
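The sessions above exercise several /etc/exports client patterns (`*`, a CIDR network, a domain wildcard, a single host) and options (`sync`, `rw`, `no_root_squash`, and later `sec=krb5p`). The checker below is an added example, not code from the original post and not exportfs itself: it parses exports lines, applies the defaults documented in man 5 exports (ro, sync, root_squash, sec=sys) and the single-host before network before wildcard precedence, and reports what a given client would be granted, so outcomes such as the read-only `touch` and the "access denied by server" mount can be predicted before mounting. Unknown keywords are rejected the way exportfs rejected the `rync` typo; the keyword set it knows is a deliberately limited subset.

```python
import fnmatch
import ipaddress

# Keywords this checker accepts (a limited subset of man 5 exports); anything else
# is rejected, as exportfs rejected the "rync" typo in the session above.
KNOWN = {"rw", "ro", "sync", "async", "root_squash", "no_root_squash", "all_squash",
         "no_all_squash", "anonuid", "anongid", "sec", "subtree_check", "no_subtree_check"}

def parse_exports(text):
    """Return [(path, client_pattern, {option: value})], one tuple per client spec."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop "## ..." comments
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            client, _, opts = spec.partition("(")
            options = {}
            for opt in filter(None, opts.rstrip(")").split(",")):
                key, _, value = opt.partition("=")
                if key not in KNOWN:
                    raise ValueError(f'/etc/exports:{lineno}: unknown keyword "{key}"')
                options[key] = value or True
            entries.append((path, client or "*", options))
    return entries

def match_rank(pattern, host, ip):
    """Specificity rank when the client matches (lower wins, per man 5 exports), else None."""
    if pattern == "*":                                   # anonymous: matches every client
        return 3
    if "/" in pattern:                                   # 172.25.4.10/24 means 172.25.4.0/24
        return 1 if ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False) else None
    if "*" in pattern or "?" in pattern:                 # *.example.com matches host names only
        return 2 if fnmatch.fnmatch(host, pattern) else None
    return 0 if pattern in (ip, host) else None          # single host by IP or name

def effective_access(entries, path, host, ip):
    """Options the server applies to this client, or None (mount.nfs: access denied)."""
    best = None
    for epath, pattern, opts in entries:
        rank = match_rank(pattern, host, ip) if epath == path else None
        if rank is not None and (best is None or rank < best[0]):
            best = (rank, opts)
    if best is None:
        return None
    opts = best[1]
    return {"rw": "rw" in opts,                          # default is ro
            "sync": "async" not in opts,                 # default is sync
            "root_squash": "no_root_squash" not in opts, # default is root_squash
            "sec": opts.get("sec", "sys")}               # default is AUTH_SYS
```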
################ 3. Protecting NFS exports with Kerberos ################
[[email protected] ~]# yum install sssd krb5-workstation authconfig-gtk -y
[[email protected] ~]# logout
[[email protected] Desktop]$ ssh [email protected] -X ## forward X so the graphical tool can run
[[email protected] ~]# authconfig-gtk ## enable Kerberos authentication on the server to obtain the LDAP users
[[email protected] ~]# su - student
[[email protected] ~]$ su - ldapuser1
Password: ## the password is kerberos
Last login: Sat Jun 3 23:09:10 EDT 2017 on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1701:krb_ccache_ht7k2SR
Default principal: [email protected] ## the ticket
Valid starting Expires Service principal
06/03/2017 23:09:43 06/04/2017 23:09:43 krbtgt/[email protected]
renew until 06/03/2017 23:09:43
-bash-4.2$ logout
[[email protected] ~]$ su - root
[[email protected] ~]# ls
anaconda-ks.cfg Documents Music Public Videos
Desktop Downloads Pictures Templates
[[email protected] ~]# wget http://172.25.254.254/pub/keytabs/server4.keytab -O /etc/krb5.keytab
--2017-06-03 23:15:07-- http://172.25.254.254/pub/keytabs/server4.keytab
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1242 (1.2K)
Saving to: ‘/etc/krb5.keytab’
100%[=============================>] 1,242 --.-K/s in 0s
2017-06-03 23:15:07 (141 MB/s) - ‘/etc/krb5.keytab’ saved [1242/1242]
[[email protected] ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- -------------------------------------------------------------------------
1 3 host/[email protected]
2 3 host/[email protected]
3 3 host/[email protected]
4 3 host/[email protected]
5 3 host/[email protected]
6 3 host/[email protected]
7 3 host/[email protected]
8 3 host/[email protected]
9 3 nfs/[email protected]
10 3 nfs/[email protected]
11 3 nfs/[email protected]
12 3 nfs/[email protected]
13 3 nfs/[email protected]
14 3 nfs/[email protected]
15 3 nfs/[email protected]
16 3 nfs/[email protected]
ktutil:
[[email protected] ~]# systemctl restart nfs-secure-server
[[email protected] ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[[email protected] ~]# vim /etc/exports
/public *(rw,sec=krb5p)
[[email protected] ~]# exportfs -rv
exporting *:/public
Likewise, enable Kerberos authentication on the client (desktop) to obtain the LDAP users.
Client:
[[email protected] ~]# systemctl start nfs-secure
[[email protected] ~]# systemctl enable nfs-secure
Created symlink from /etc/systemd/system/nfs.target.wants/nfs-secure.service to /usr/lib/systemd/system/nfs-secure.service.
[[email protected] ~]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"
[[email protected] ~]# systemctl restart nfs
On the server:
[[email protected] ~]# systemctl restart nfs-secure-server.service
[[email protected] ~]# mount 172.25.4.11:/public /mnt -o sec=krb5p
[[email protected] ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10473900 3870748 6603152 37% /
devtmpfs 481120 0 481120 0% /dev
tmpfs 496708 140 496568 1% /dev/shm
tmpfs 496708 19332 477376 4% /run
tmpfs 496708 0 496708 0% /sys/fs/cgroup
/dev/sr0 3654720 3654720 0 100% /run/media/root/RHEL-7.0 Server.x86_64
172.25.4.11:/public 10473984 3188864 7285120 31% /mnt
[[email protected] ~]# su - student
Last login: Sat Jun 3 23:22:22 EDT 2017 on pts/1
[[email protected] ~]$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found
[[email protected] ~]$ cd /mnt
-bash: cd: /mnt: Permission denied
[[email protected] ~]$ ls
[[email protected] ~]# su - ldapuser1
Last login: Sat Jun 3 23:22:40 EDT 2017 on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ cd /mnt
-bash-4.2$ ls
westostest1 westostest2 westostest3