一、服务器配置192.168.1.10
服务器环境
cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
- 192.168.1.10. sever nfs
- 192.168.1.11 nfsclient
- 服务器chronyd同步时间
步骤一: 安装需要的软件包
yum -y install nfs-utils krb5-server krb5-workstation
步骤二: 由于 Kerberos 只支持域名验证,所以必须将服务器和客户端的 IP 绑定到对应的域名上。在文件末尾添加以下内容
cat >>/etc/hosts<<EOF
192.168.1.10 server.flagnw.net
192.168.1.11 client.flagnw.net
EOF
步骤三: 修改 Kerberos 配置文件
cat >/etc/krb5.conf<<EOF
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = FLAGNW.NET
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
FLAGNW.NET = {
kdc = server.flagnw.net
admin_server = server.flagnw.net
}
[domain_realm]
.flagnw.net = FLAGNW.NET
flagnw.net = FLAGNW.NET
EOF
步骤四: 配置 Kerberos 服务器管理访问控制参数
cat >/var/kerberos/krb5kdc/kadm5.acl<<EOF
*/admin@FLAGNW.NET *
EOF
步骤五: 配置 NFS 共享目录
1、nfs 共享目录
cat >/etc/exports<<EOF
/share *(rw,no_root_squash,no_all_squash,async,sec=krb5p)
EOF
2、修改nfs 默认支持协议
vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"
3、重启nfs
systemctl restart nfs
步骤六: 初始化 KDC 数据库
kdb5_util create -s
两次输入123
步骤七: 配置 KDC 数据库 & 取得秘钥
[root@localhost ~]# kadmin.local <==进入本地 admin 后台
kadmin.local: addprinc root/admin <==添加管理用户
kadmin.local: addprinc -randkey nfs/server.flagnw.net <==注册NFS服务器,并生成秘钥
kadmin.local: addprinc -randkey nfs/client.flagnw.net <==注册NFS客户端,并生成秘钥
kadmin.local: ktadd nfs/server.flagnw.net <==取NFS服务器秘钥
kadmin.local: listprincs <==列出注册服务
K/M@FLAGNW.NET
kadmin/192-168-1-10@FLAGNW.NET
kadmin/admin@FLAGNW.NET
kadmin/changepw@FLAGNW.NET
kiprop/192-168-1-10@FLAGNW.NET
krbtgt/FLAGNW.NET@FLAGNW.NET
nfs/client.flagnw.net@FLAGNW.NET
nfs/client.flagnw.nets@FLAGNW.NET
nfs/server.flagnw.net@FLAGNW.NET
root/admin@FLAGNW.NET
或者
kadmin.local: ktadd -k /tmp/server.keytab nfs/server.flagnw.net
[以下省略输出]
kadmin.local: ktadd -k /tmp/client.keytab nfs/client.flagnw.net
步骤七:重启服务
[root@localhost ~]# systemctl start krb5kdc kadmin nfs nfs-secure
[root@localhost ~]# systemctl status krb5kdc kadmin nfs nfs-secure
[root@localhost ~]# systemctl enable krb5kdc kadmin nfs nfs-secure
二 、客户端配置192.168.1.11
步骤一: 配置 hosts,这里跟上面的 “步骤二” 一样
cat >>/etc/hosts<<EOF
192.168.1.10 server.flagnw.net
192.168.1.11 client.flagnw.net
EOF
步骤二: 配置 Kerberos 配置文件,
cat >/etc/krb5.conf<<EOF
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = FLAGNW.NET
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
FLAGNW.NET = {
kdc = server.flagnw.net
admin_server = server.flagnw.net
}
[domain_realm]
.flagnw.net = FLAGNW.NET
flagnw.net = FLAGNW.NET
EOF
步骤三: 从 KDC 上去取得秘钥
[root@localhost ~]# kadmin -p root/admin
Authenticating as principal root/admin@FLAGNW.NET with password.
Password for root/admin@FLAGNW.NET: 输入密码:123
kadmin:
kadmin: ktadd nfs/client.flagnw.net <==获取NFS客户端秘钥
密钥保存在/etc/krb5.keytab这个文件中,请确保它的安全
或者
拷贝192.168.1.10 /tmp/client.keytab 到192.168.1.11 /tmp/client.keytab
cp /tmp/client.keytab /etc/krb5.keytab
步骤四: 启动 NFS 加密服务,不要启动 NFS 服务器端程序,不然可能会挂载不上
[root@localhost ~]# systemctl start nfs-secure
[root@localhost ~]# systemctl status nfs-secure
步骤五:重新挂载/share
umount -f /share
mount -vvv -o sec=krb5p,vers=4.2 server.flagnw.net:/share /share
防火墙:88 udp/tcp 749 udp/tcp
原创文章,作者:,如若转载,请注明出处:https://blog.ytso.com/tech/aiops/274621.html