RHCE Series (Part 7): Setting Up an NFS Share with Kerberos-Based Authentication for Linux Clients
In the previous article of this series we reviewed how to set up Samba shares on a network that may include several kinds of operating systems. Now, if you need to set up file sharing for a group of Unix-like clients, the natural choice is the Network File System, or NFS for short.
RHCE Series: Part 7 - Setting Up an NFS Server Using Kerberos for Authentication
In this article we will walk through the whole process of configuring NFS shares with Kerberos-based authentication. It is assumed that you have already set up an NFS server and a client. If not, refer to Installing and Configuring an NFS Server, which lists the packages that need to be installed and explains the initial configuration to perform on the server before going any further.
In addition, you may need to configure SELinux and firewalld to allow file sharing through NFS.
The following example assumes that your NFS share is located in /nfs on box2:
# semanage fcontext -a -t public_content_rw_t "/nfs(/.*)?"
# restorecon -R /nfs
# setsebool -P nfs_export_all_rw on
# setsebool -P nfs_export_all_ro on
(where the -P flag makes the change persist across reboots).
Finally, don't forget to:
Create the NFS Group and Configure the NFS Share Directory
1. Create a group called nfs and add the nfsnobody user to it, then change the permissions of the /nfs directory to 0770 and its group owner to nfs. That way nfsnobody (the user that client requests are mapped to) has write permissions on the share, and you won't need to use no_root_squash in the /etc/exports file (translator's note: root_squash means that the root user on a client machine is not treated as root when accessing files on the NFS server).
# groupadd nfs
# usermod -a -G nfs nfsnobody
# chmod 0770 /nfs
# chgrp nfs /nfs
2. Modify the exports file (/etc/exports) as shown below so that only box1 can access the share, and only with Kerberos security (sec=krb5). Keep in mind that sec=krb5 authenticates users and hosts but leaves the NFS traffic itself unprotected on the wire: sec=krb5i adds integrity checking and sec=krb5p also encrypts the data (at some CPU cost), and the client must mount with the same flavour.
Note: the value of anongid is the GID of the nfs group created earlier (confirm it in /etc/group on the server; it will not necessarily be 1004):
exports – add the NFS share
/nfs box1(rw,sec=krb5,anongid=1004)
3. Re-export (-r) all (-a) NFS shares. Adding verbosity (-v) to the output is a good idea, since it provides useful information for troubleshooting if something goes wrong:
# exportfs -arv
4. Restart and enable the NFS server and related services. Note that you don't have to enable nfs-lock and nfs-idmapd, because they are started automatically by the other services at boot:
# systemctl restart rpcbind nfs-server nfs-lock nfs-idmap
# systemctl enable rpcbind nfs-server
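As an added example (not part of the original article), the following shell script audits export entries before they go live: it parses each client spec the way exportfs reads it, reports the sec= flavour, the root-squash setting and the anonymous GID, and flags any entry that still allows AUTH_SYS (non-Kerberos) access or disables root squashing. The exports content it runs over is a constructed sample, not a file from the article's hosts.

```shell
#!/bin/sh
# Added example (not from the original article): a preflight audit of the
# /etc/exports entries for the Kerberos NFS setup described above.
set -f   # an exports client spec may be "*", so never let the shell glob it

# Inspect one client spec such as "box1(rw,sec=krb5,anongid=1004)".
# Prints "<client> <sec> <squash> <anongid>" (defaults filled in the way
# exportfs does) and returns 0 only when every flavour in the sec= list is
# a Kerberos one (krb5, krb5i or krb5p). A missing sec= option, or "sys"
# or "none" anywhere in the list, means AUTH_SYS access is still allowed.
export_entry_check() {
    spec=$1
    client=${spec%%\(*}
    opts=${spec#*\(}
    if [ "$opts" = "$spec" ]; then opts=""; else opts=${opts%\)}; fi
    sec=sys; squash=root_squash; anongid=65534
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            sec=*)          sec=${o#sec=} ;;
            no_root_squash) squash=no_root_squash ;;
            root_squash)    squash=root_squash ;;
            anongid=*)      anongid=${o#anongid=} ;;
        esac
    done
    IFS=:
    rc=0
    for f in $sec; do
        case $f in
            krb5|krb5i|krb5p) ;;
            *) rc=1 ;;
        esac
    done
    IFS=$old_ifs
    printf '%s %s %s %s\n' "$client" "$sec" "$squash" "$anongid"
    return $rc
}

# Walk an exports file: print "<path> <client> <sec> <squash> <anongid>"
# per client spec and return 1 if any spec allows non-Kerberos access or
# disables root squashing (a client's root would then be root on the share).
audit_exports() {
    file=$1; bad=0
    while read -r path specs; do
        case $path in ''|\#*) continue ;; esac
        for spec in $specs; do
            line=$(export_entry_check "$spec") || bad=1
            case $line in *no_root_squash*) bad=1 ;; esac
            printf '%s %s\n' "$path" "$line"
        done
    done < "$file"
    return $bad
}

# Constructed sample exports file: the article's entry plus two weak ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Kerberos-only share from the article
/nfs box1(rw,sec=krb5,anongid=1004)
# Entries an audit should flag
/legacy *(rw,no_root_squash)
/mixed box1(rw,sec=krb5:sys)
EOF
audit_exports "$sample" || echo "WARNING: weak export entries found"
rm -f "$sample"
```

Run against the real file with `audit_exports /etc/exports` after editing it and before `exportfs -arv`; a non-zero exit status means at least one entry would let a client in without a Kerberos ticket or with an unsquashed root.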
Testing Environment and Other Prerequisites
In this guide we will use the following testing environment:
- Client machine [box1: 192.168.0.18]
- NFS / Kerberos server [box2: 192.168.0.20] (also known as the Key Distribution Center, or KDC for short).
Note: the Kerberos service is crucial to the authentication scheme.
As you can see, the NFS server and the KDC are on the same machine for simplicity, although you can set them up on separate machines if you have more available. Both machines are members of the mydomain.com domain.
Last but not least, Kerberos requires at least a basic form of name resolution and the Network Time Protocol service to be present on both client and server, since the security of Kerberos authentication is partly based on timestamps: tickets are rejected when the clocks of client and KDC differ by more than the configured clock skew (5 minutes by default).
To configure name resolution, we edit the /etc/hosts file on both client and server:
hosts file – add name entries for the domain
192.168.0.18 box1.mydomain.com box1
192.168.0.20 box2.mydomain.com box2
In RHEL 7, chrony is the default software for NTP synchronization:
# yum install chrony
# systemctl start chronyd
# systemctl enable chronyd
To make sure chrony is actually synchronizing your system's time with the time servers, you may want to run the following command two or three times and check that the offset is as close to 0 as possible:
# chronyc tracking
Synchronizing the server time with chrony
Installing and Configuring Kerberos
To set up the KDC, install the following packages on both client and server (the client does not need the krb5-server package):
# yum update && yum install krb5-server krb5-workstation pam_krb5
Once installed, edit the configuration files (/etc/krb5.conf and /var/kerberos/krb5kdc/kadm5.acl) and replace every instance of example.com with mydomain.com, as shown below. Preserve the case: the realm name written in uppercase (EXAMPLE.COM) must become MYDOMAIN.COM, because Kerberos realm names are case-sensitive and conventionally uppercase, while the DNS domain stays lowercase.
Next, make sure Kerberos can get through the firewall (a --permanent rule only takes effect once firewalld has been reloaded), and start/enable the related services.
Important: the client must also start and enable nfs-secure:
# firewall-cmd --permanent --add-service=kerberos
# systemctl start krb5kdc kadmin nfs-secure
# systemctl enable krb5kdc kadmin nfs-secure
Now create the Kerberos database (note that this may take a while, since kdb5_util has to gather random data from the system to generate the master key; to speed up the process I opened another terminal and ran ping -f localhost for 30 to 45 seconds):
# kdb5_util create -s
Creating the Kerberos database
Next, use the kadmin.local tool to create an administrative principal for root (the default kadm5.acl grants full rights to any */admin principal in the realm, which is what makes root/admin an administrator):
# kadmin.local
kadmin.local: addprinc root/admin
Add the host principal of the Kerberos server to the database:
kadmin.local: addprinc -randkey host/box2.mydomain.com
Do the same for the NFS service on both the client (box1) and the server (box2). Note that in the screenshot below I forgot to do it for box1 before exiting:
kadmin.local: addprinc -randkey nfs/box2.mydomain.com
kadmin.local: addprinc -randkey nfs/box1.mydomain.com
Type quit and press Enter to exit:
Adding the Kerberos principals for the NFS server
Obtain and cache a ticket-granting ticket for root/admin:
# kinit root/admin
# klist
Caching the Kerberos ticket
The last step before actually using Kerberos is to store the keys of the principals that are authorized to use Kerberos authentication in a keytab file (on the server). Keep in mind that ktadd writes to the keytab of the machine where kadmin is running (/etc/krb5.keytab by default) and generates a new random key for the principal each time it is run. The client needs the key for nfs/box1.mydomain.com in its own /etc/krb5.keytab, because that is what rpc.gssd uses to obtain the machine credential when you mount with sec=krb5, so that principal should be added from kadmin (authenticating as root/admin) on box1 rather than on box2: running it on the server, as shown below, only puts a copy in the server's keytab, and a later ktadd on the client would invalidate that copy anyway.
# kadmin.local
kadmin.local: ktadd host/box2.mydomain.com
kadmin.local: ktadd nfs/box2.mydomain.com
kadmin.local: ktadd nfs/box1.mydomain.com
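Added example, not from the original article: two checks to run on each host before attempting the sec=krb5 mount, covering the time-synchronization requirement noted earlier and the keytab step just above. keytab_missing confirms that a host's keytab, as listed by klist -k, contains the principals that host needs; clock_skew_ok compares the chronyc tracking offset with the Kerberos clock-skew limit. The klist and chronyc outputs embedded below are constructed samples of the real tools' output format.

```shell
#!/bin/sh
# Added example (not from the original article): two checks worth running on
# each host before attempting the sec=krb5 mount. The functions parse the
# text output of the real tools (klist -k and chronyc tracking); the sample
# outputs embedded below are constructed for offline demonstration.

# Read "klist -k" output on stdin and print every required principal that
# is missing from it. Returns 0 if all are present, 1 otherwise.
# Usage: klist -k | keytab_missing <fqdn> <REALM> [service ...]
# With no service list it checks the host and nfs principals a server needs.
keytab_missing() {
    fqdn=$1; realm=$2; shift 2
    [ $# -eq 0 ] && set -- host nfs
    # klist -k prints "KVNO Principal" rows such as
    # "   2 nfs/box2.mydomain.com@MYDOMAIN.COM" after a three-line header.
    found=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    rc=0
    for svc in "$@"; do
        p="$svc/$fqdn@$realm"
        printf '%s\n' "$found" | grep -Fqx -- "$p" || { echo "$p"; rc=1; }
    done
    return $rc
}

# Read "chronyc tracking" output on stdin and return 0 if the absolute
# "System time" offset is below the limit in seconds (default 300, the
# clockskew MIT Kerberos applies when krb5.conf does not set one).
clock_skew_ok() {
    awk -v limit="${1:-300}" '
        /^System time/ { off = $4 + 0; if (off < 0) off = -off; found = 1 }
        END { if (found && off < limit) exit 0; exit 1 }'
}

# Constructed sample outputs: what box2 would print after the ktadd step
# above and after chronyd has synchronized.
sample_klist='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/box2.mydomain.com@MYDOMAIN.COM
   2 nfs/box2.mydomain.com@MYDOMAIN.COM'
sample_tracking='Reference ID    : C0A80001 (192.168.0.1)
Stratum         : 3
Ref time (UTC)  : Thu Sep 24 10:12:34 2015
System time     : 0.000123456 seconds slow of NTP time
Last offset     : -0.000045678 seconds
RMS offset      : 0.000089012 seconds'

# The server keytab is complete, but the same keytab copied to box1 would
# still lack the client's own nfs principal, which rpc.gssd needs there.
printf '%s\n' "$sample_klist" | keytab_missing box2.mydomain.com MYDOMAIN.COM \
    && echo "box2: keytab complete"
printf '%s\n' "$sample_klist" | keytab_missing box1.mydomain.com MYDOMAIN.COM nfs \
    || echo "box1: keytab incomplete, see principal(s) listed above"
printf '%s\n' "$sample_tracking" | clock_skew_ok \
    && echo "clock skew within the Kerberos limit"
```

On a live host, `klist -k | keytab_missing "$(hostname -f)" MYDOMAIN.COM nfs` on the client and `chronyc tracking | clock_skew_ok` on both machines give the two answers that explain most failed sec=krb5 mounts: a missing machine principal and a clock too far from the KDC's.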
Finally, mount the share and perform a write test:
# mount -t nfs4 -o sec=krb5 box2:/nfs /mnt
# echo "Hello from Tecmint.com" > /mnt/greeting.txt
Mounting the NFS share
Now let's unmount the share, rename the keytab file on the client (to simulate that it is not present) and try to mount the share again; this time the mount should fail, because without its keytab the client can no longer obtain Kerberos credentials for the NFS service:
# umount /mnt
# mv /etc/krb5.keytab /etc/krb5.keytab.orig
Mounting and unmounting the Kerberos-authenticated NFS share
You can now use NFS shares with Kerberos-based authentication (remember to move the keytab back to /etc/krb5.keytab on the client once the test is done).
Summary
In this article we have covered how to set up NFS with Kerberos authentication. There is much more to this topic than we can cover in this guide, so take a look at the Kerberos documentation, and since Kerberos is a little tricky, to say the least, don't hesitate to use the comment form below if you run into problems while testing or implementing this or need help.
via: http://www.tecmint.com/setting-up-nfs-server-with-kerberos-based-authentication/
Author: Gabriel Cánepa  Translator: ictlyh  Proofreader: wxy