Linux: NFS
NFS
1. Definition:
Network File System (NFS) lets a server export directories that clients mount over the network and use like local file systems. Access is controlled per export: which hosts may mount it, read-only or read-write, how root and other client users are mapped, and which security flavor (sec=sys, or Kerberos with krb5/krb5i/krb5p) requests must carry. The sections below configure these in turn.
2. Configuration:
2.1 Starting the service
On the NFS server:
# yum install nfs-utils                             # basic NFS commands, daemons and monitoring programs
# systemctl enable nfs-server
# systemctl start nfs-server
# firewall-cmd --permanent --add-service=nfs        # TCP 2049, all that NFSv4 needs
# firewall-cmd --permanent --add-service=rpc-bind   # portmapper, needed by NFSv3 clients and by showmount
# firewall-cmd --permanent --add-service=mountd     # mount protocol for NFSv3
# firewall-cmd --reload                             # --permanent rules only take effect after a reload
Test (from a client):
# showmount -e 172.25.254.121
Export list for 172.25.254.121:
The list is still empty because nothing has been exported yet. showmount talks to rpcbind and mountd, so it only works when those services are open in the server's firewall.
2.2 Sharing a directory
# mkdir /public
# chmod 777 /public/            # world-writable so that squashed (anonymous) client users can write; acceptable in a lab, too loose for production
# touch /public/file{12..15}
# vim /etc/exports              # the main NFS configuration file, see man 5 exports
/public *(sync)                 # share /public with every host, writing data synchronously; ro and root_squash are the defaults
# exportfs -rv                  # re-export everything in /etc/exports so the change takes effect
exporting *:/public
Test:
Other forms of the export line (each is one line in /etc/exports):
/public 172.25.254.21(sync,ro) 172.25.254.221(sync,rw)         # read-only for 172.25.254.21, read-write for 172.25.254.221, both with synchronous writes
/public *.example.com(sync)                                    # every host in the example.com domain, synchronous, read-only by default
/public 172.25.254.0/24(sync,rw,no_root_squash)                # read-write for the 172.25.254.0/24 network; root on the client is NOT mapped to nfsnobody, so client root is root on the export. Only use this when the clients are as trusted as the server.
Test:
/public 172.25.254.0/24(sync,rw,anonuid=1001,anongid=1000)     # read-write for the 172.25.254.0/24 network; squashed requests (root by default, every user with all_squash) run as uid 1001 / gid 1000 instead of nfsnobody
Test:
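The export variants above differ mainly in how much they trust the client. The following is an added example, written for this page and not part of the original notes or of nfs-utils: a small POSIX shell audit that reads /etc/exports syntax and flags the options that widen access, namely no_root_squash, read-write exports to every host, and read-write exports that rely on sec=sys, where the server trusts whatever UID and GID the client sends. The function names and the sample export lines fed to it are constructed for the demonstration; the sample reuses the lines discussed above plus the Kerberos-protected line from section 2.3.

```shell
#!/bin/sh
# Added example (not from the original notes): audit /etc/exports entries for
# options that widen access. Function names and the sample lines are our own.

# Report findings for one /etc/exports line:  <path> <host>(<opts>) [<host>(<opts>) ...]
audit_export_line() {
    entry=${1%%#*}                    # drop a trailing '#' comment
    set -f                            # no globbing: the host field is often '*'
    set -- $entry                     # $1 = exported path, remaining = host(opts) specs
    set +f
    [ $# -gt 0 ] || return 0          # blank or comment-only line
    path=$1; shift
    for spec in "$@"; do
        case $spec in
            *\(*\)) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
            *)      client=$spec; opts='' ;;
        esac
        [ -n "$client" ] || client='*'      # a bare "(rw)" applies to every host
        # exports(5) defaults: ro, sync, root_squash, secure, sec=sys
        rw=0; no_root_squash=0; insecure=0; sec=sys
        oldifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                rw)             rw=1 ;;
                no_root_squash) no_root_squash=1 ;;
                insecure)       insecure=1 ;;
                sec=*)          sec=${o#sec=} ;;
            esac
        done
        IFS=$oldifs
        if [ "$no_root_squash" = 1 ]; then
            echo "HIGH   $path $client: no_root_squash, root on the client is root on the export"
        fi
        if [ "$rw" = 1 ] && [ "$client" = '*' ]; then
            case $sec in
                krb5*) echo "LOW    $path $client: rw for every host, limited to Kerberos-authenticated users by sec=$sec" ;;
                *)     echo "HIGH   $path $client: rw for every host with sec=sys (any client can write as any non-root UID)" ;;
            esac
        elif [ "$rw" = 1 ] && [ "$sec" = sys ]; then
            echo "MEDIUM $path $client: rw with sec=sys, the server trusts the UID/GID the client sends"
        fi
        if [ "$insecure" = 1 ]; then
            echo "LOW    $path $client: insecure accepts requests from unprivileged source ports"
        fi
    done
    return 0
}

# Audit a whole exports file from stdin:  audit_exports < /etc/exports
audit_exports() {
    while IFS= read -r line || [ -n "$line" ]; do
        audit_export_line "$line"
    done
    return 0
}

# Constructed sample (not a real server's file): the variants discussed above
# plus the Kerberos-protected line from section 2.3.
audit_exports <<'EOF'
# exports(5) sample
/public *(sync)
/public 172.25.254.21(sync,ro) 172.25.254.221(sync,rw)
/public *.example.com(sync)
/public 172.25.254.0/24(sync,rw,no_root_squash)
/public 172.25.254.0/24(sync,rw,anonuid=1001,anongid=1000)
/public *(rw,sec=krb5p)
EOF
```

Run it on the server as audit_exports < /etc/exports. The read-only default means /public *(sync) produces no finding; compare the output with exportfs -v, which prints the options the kernel is actually applying, including the defaults the file leaves implicit.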
2.3 Protecting NFS exports with Kerberos
### Server side
Enable Kerberos authentication and make the LDAP users available through sssd:
# yum install sssd krb5-workstation authconfig-gtk -y
# authconfig-gtk                  # graphical front end for the Kerberos / LDAP authentication settings
  User Account Database: LDAP
  LDAP Search Base DN:   dc=example,dc=com
  LDAP Server:           classroom.example.com
  Certificate URL:       http://classroom.example.com/pub/example-ca.crt
  Realm:                 EXAMPLE.COM
  KDCs:                  classroom.example.com
  Admin Server:          classroom.example.com
# wget http://172.25.254.254/pub/keytabs/server21.keytab -O /etc/krb5.keytab    # keytab holding the nfs/ service principal of this server
# ktutil                          # confirm the keytab contains nfs/<fqdn>@EXAMPLE.COM for this host
ktutil: rkt /etc/krb5.keytab
ktutil: list
# systemctl start nfs-secure-server     # rpc.svcgssd, the server side of RPCSEC_GSS
# systemctl enable nfs-secure-server
# systemctl status nfs-secure-server
# vim /etc/exports
# cat /etc/exports
/public *(rw,sec=krb5p)          # krb5p: Kerberos authentication plus integrity and encryption of the data (krb5 = authentication only, krb5i = authentication and integrity)
# exportfs -rv
### Client side
Enable Kerberos authentication and make the LDAP users available, with the same authconfig-gtk settings as on the server:
# wget http://172.25.254.254/pub/keytabs/desktop21.keytab -O /etc/krb5.keytab
# ktutil                          # confirm this is the right keytab: it must contain the nfs/ (or host/) principal for this client
ktutil: rkt /etc/krb5.keytab
ktutil: list
# systemctl start nfs-secure      # rpc.gssd, which obtains and presents Kerberos credentials for NFS requests
# systemctl enable nfs-secure
Test:
# vim /etc/hosts
172.25.254.221 server21.example.com
The service principal is named after the host (nfs/server21.example.com@EXAMPLE.COM), so the client must be able to map the server's address to that name; without DNS the /etc/hosts entry supplies it.
# mount 172.25.254.221:/public /mnt -o sec=krb5p
# cd /mnt/
# ls
file1 file2 file3 file4 file5 file6
# su - student
Last login: Sat Jun 3 23:23:56 EDT 2017 on pts/1
$ cd /mnt/
-bash: cd: /mnt/: Permission denied
$ ls
$ su - ldapuser1
Password:
su: Authentication failure
$ su - ldapuser1
Password:
Last login: Sat Jun 3 23:24:14 EDT 2017 on pts/1
Last failed login: Sat Jun 3 23:48:07 EDT 2017 on pts/0
There was 1 failed login attempt since the last successful login.
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ cd /mnt/
-bash-4.2$ ls
file1 file2 file3 file4 file5 file6
-bash-4.2$
What the test shows: with sec=krb5p the server only accepts requests that carry Kerberos credentials. root succeeds because rpc.gssd authenticates uid 0 with the machine key from /etc/krb5.keytab. student is a local account that never obtained a Kerberos ticket, so its requests are rejected and cd reports Permission denied. ldapuser1 is authenticated through sssd against the KDC, which leaves a ticket-granting ticket in the user's credential cache (visible with klist); rpc.gssd uses that ticket, so the same directory is readable. The first su attempt failed authentication (most likely a mistyped password), and the home-directory warnings and the bare -bash-4.2$ prompt only mean /home/guests is not mounted on this client; neither affects the NFS access check.
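The test above shows root and ldapuser1 getting in while student is refused, but it does not show how to confirm from the client that the mount really negotiated krb5p rather than a weaker flavor, or that the keytab contains the principal rpc.gssd needs. The following added example, written for this page and not taken from the original notes or from nfs-utils, does both by parsing the text that /proc/mounts and klist -k produce. The function names and the sample /proc/mounts and klist output are constructed here, reusing the addresses and host names from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): client-side checks for a
# Kerberos-protected NFS mount. Function names and sample texts are our own.

# Print the sec= flavor of the NFS mount at $1, reading /proc/mounts text from
# stdin. Usage: mount_sec_flavor /mnt < /proc/mounts
# Returns 1 if $1 is not an NFS mount. A mount without an explicit sec= option
# is AUTH_SYS, which exports(5) and mount.nfs(8) spell "sys".
mount_sec_flavor() {
    mp=$1
    flavor=''
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$mp" ] || continue
        case $fstype in nfs|nfs4) ;; *) continue ;; esac
        flavor=sys
        oldifs=$IFS; IFS=,
        for o in $opts; do
            case $o in sec=*) flavor=${o#sec=} ;; esac
        done
        IFS=$oldifs
    done
    [ -n "$flavor" ] || return 1
    echo "$flavor"
}

# Succeed only when the mount at $1 negotiated krb5p, and say what was found.
# Usage: require_krb5p /mnt < /proc/mounts
require_krb5p() {
    f=$(mount_sec_flavor "$1") || { echo "$1: not an NFS mount"; return 2; }
    case $f in
        krb5p) echo "$1: sec=krb5p (Kerberos authentication, integrity and encryption)"; return 0 ;;
        krb5i) echo "$1: sec=krb5i (integrity only, data is not encrypted)"; return 1 ;;
        krb5)  echo "$1: sec=krb5 (authentication only)"; return 1 ;;
        *)     echo "$1: sec=$f (no Kerberos; the server trusts client-supplied UIDs)"; return 1 ;;
    esac
}

# Succeed when klist -k output on stdin lists the nfs/<fqdn> principal that
# rpc.gssd uses for this host. Usage: klist -k | keytab_has_nfs_principal "$(hostname -f)"
keytab_has_nfs_principal() {
    fqdn=$1
    while read -r kvno princ; do
        case $princ in nfs/"$fqdn"@*) return 0 ;; esac
    done
    return 1
}

# Constructed sample data (not captured from a real system), using the
# addresses from the notes: one krb5p mount, one plain sec=sys mount, the root fs.
SAMPLE_MOUNTS='172.25.254.221:/public /mnt nfs4 rw,relatime,vers=4.0,sec=krb5p,clientaddr=172.25.254.21 0 0
172.25.254.221:/public /mnt/plain nfs4 rw,relatime,vers=4.0,sec=sys,clientaddr=172.25.254.21 0 0
/dev/vda1 / xfs rw,relatime,attr2,inode64 0 0'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/desktop21.example.com@EXAMPLE.COM
   2 host/desktop21.example.com@EXAMPLE.COM'

for mp in /mnt /mnt/plain; do
    printf '%s\n' "$SAMPLE_MOUNTS" | require_krb5p "$mp" || true   # report both mounts, keep going
done
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_nfs_principal desktop21.example.com; then
    echo "keytab: nfs/desktop21.example.com present"
else
    echo "keytab: nfs/desktop21.example.com missing, rpc.gssd cannot authenticate this host"
fi
```

On a real client replace the samples with require_krb5p /mnt < /proc/mounts and klist -k | keytab_has_nfs_principal "$(hostname -f)". The negotiated flavor matters because a mount without -o sec=krb5p can fall back to sec=sys against an export that allows it; the second check explains the most common cause of a failed Kerberos mount, a keytab that belongs to a different host.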