
Category: System Operations

2016-06-29 18:58:37

 

Server environment: three servers, namely an LDAP+Kerberos server, a secure NFS server and a client.

This document focuses on how to configure these services; the theory behind them you will need to read up on elsewhere.

Hardware environment: VMware Workstation, with one VMware VM acting as the LDAP/Kerberos server and two KVM guests acting as the NFS server and the client. The hostnames are kerberos.example.com, server0.example.com and desktop0.example.com.

Software environment: all three machines run RHEL 7.0. On kerberos, SELinux and firewalld are turned off; on server0 and desktop0, SELinux and firewalld are enabled.

I. Configure the Kerberos service on the kerberos host

  1. Install the software:

         yum install -y krb5-libs krb5-server krb5-workstation pam_krb5

  2. Edit the configuration file /var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

         The supported_enctypes line is the stock RHEL 7 list. Every principal created while a type is listed gets a key of that type, and the single-DES types (des-hmac-sha1, des-cbc-md5, des-cbc-crc), des3-hmac-sha1 and arcfour-hmac are deprecated (RFC 6649 and RFC 8429). Unless a legacy client needs them, trim the list to the AES and Camellia types before creating the database.

         The realm in /var/kerberos/krb5kdc/kadm5.acl must be the same as the one defined under [realms] in the file above. The shipped file contains the line */admin@EXAMPLE.COM *, which is what gives the root/admin principal created below its administrative rights.

  3. On kerberos, server0 and desktop0, edit the Kerberos client configuration /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 12h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

  4. Create the Kerberos database:

         kdb5_util create -s -r EXAMPLE.COM

         When prompted for the master key password, enter: kerberos

         Note: EXAMPLE.COM must be the same realm that kdc.conf defines. The -s flag writes the master key to a stash file so the KDC can start without prompting for it.

         This step takes a while.
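The rule that kdc.conf, kadm5.acl and krb5.conf must all name the same realm, and the enctype caveat from step 2, are easy to check mechanically before the database is created. The following Python 3 script is an added example and not part of the original post: it reads the three files with a minimal parser for the krb5 profile format and reports realm mismatches, lower-case realm names and deprecated encryption types. The embedded file contents are constructed copies of this lab's files; the hardened enctype list is the editor's suggestion, not something the post configures.

```python
import re

# Encryption-type name prefixes a KDC should no longer offer:
# single DES (RFC 6649), triple DES and RC4/arcfour (RFC 8429).
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")


def parse_profile(text):
    """Minimal parser for the MIT krb5 profile format shared by kdc.conf and krb5.conf.

    Returns {section: {key: value}}, where a 'KEY = { ... }' block becomes a nested
    dict. Repeated keys keep the last value, which is enough for these checks.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.match(r"^\[(\S+)\]$", line)
        if section:
            stack = [root.setdefault(section.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def acl_realms(text):
    """Realms named by the principal patterns in kadm5.acl (first field of each line)."""
    realms = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "@" in line.split()[0]:
            realms.add(line.split()[0].rsplit("@", 1)[1])
    return realms


def check_krb5(kdc_conf, kadm5_acl, krb5_conf):
    """Return a list of findings; an empty list means the files agree and no weak enctype is offered."""
    findings = []
    kdc, krb = parse_profile(kdc_conf), parse_profile(krb5_conf)
    kdc_realms = set(kdc.get("realms", {}))
    default_realm = krb.get("libdefaults", {}).get("default_realm")
    named = {
        "kadm5.acl": acl_realms(kadm5_acl),
        "krb5.conf [realms]": set(krb.get("realms", {})),
        "krb5.conf [domain_realm]": set(krb.get("domain_realm", {}).values()),
        "krb5.conf default_realm": {default_realm} if default_realm else set(),
    }
    if not default_realm:
        findings.append("krb5.conf: no default_realm in [libdefaults]")
    if not named["kadm5.acl"]:
        findings.append("kadm5.acl: no principal patterns, so remote kadmin permits nobody anything")
    for label, realms in named.items():
        for realm in sorted(realms - kdc_realms):
            findings.append("%s names realm %s, which kdc.conf [realms] does not define" % (label, realm))
    for realm in sorted(kdc_realms | set().union(*named.values())):
        if realm != realm.upper():
            findings.append("realm %s is not upper-case; realm names are case-sensitive" % realm)
    for realm, settings in kdc.get("realms", {}).items():
        for enctype in settings.get("supported_enctypes", "").split():
            if enctype.lower().startswith(WEAK_ENCTYPE_PREFIXES):
                findings.append("%s: weak enctype %s in supported_enctypes" % (realm, enctype.split(":")[0]))
    return findings


# Constructed copies of the lab's files; %s receives the enctype list under test.
KDC_CONF = """[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = %s
 }
"""
STOCK_ENCTYPES = ("aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal "
                  "camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal "
                  "des-cbc-md5:normal des-cbc-crc:normal")
HARDENED_ENCTYPES = "aes256-cts:normal aes128-cts:normal camellia256-cts:normal camellia128-cts:normal"
KADM5_ACL = "*/admin@EXAMPLE.COM   *\n"
KRB5_CONF = """[libdefaults]
 dns_lookup_realm = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for label, enctypes in (("stock kdc.conf", STOCK_ENCTYPES), ("hardened kdc.conf", HARDENED_ENCTYPES)):
        print(label, check_krb5(KDC_CONF % enctypes, KADM5_ACL, KRB5_CONF) or ["ok"])
    print("acl for the wrong realm", check_krb5(KDC_CONF % HARDENED_ENCTYPES, "*/admin@ABC.COM *\n", KRB5_CONF))
```

Run it against the real files with `check_krb5(open("/var/kerberos/krb5kdc/kdc.conf").read(), open("/var/kerberos/krb5kdc/kadm5.acl").read(), open("/etc/krb5.conf").read())`; the stock list produces five weak-enctype findings, the hardened list none.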

  5. Start the services:

         systemctl start krb5kdc.service
         systemctl enable krb5kdc.service
         systemctl start kadmin.service
         systemctl enable kadmin.service
         firewall-cmd --permanent --add-service=kerberos
         firewall-cmd --reload

         The kerberos firewalld service opens port 88 only. If firewalld is running on the KDC, kadmin (749/tcp) and kpasswd (464/tcp and udp) have to be opened as well; firewalld ships kadmin and kpasswd service definitions for them. In this lab firewalld is off on the kerberos host.

  6. Create the principals, the identities Kerberos authenticates

         A Kerberos identity is called a principal. It has three parts, primary, instance and realm, written primary/instance@realm.

         Principals come in three kinds: user, service and host.

         1) Create a user-type principal for root with administrative rights (root/admin); the password used here is root:

kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local:  listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/kerberos.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local:  quit

        

         2) Create the host and service principals (-randkey gives each a random key, since a host never types a password), plus the user tim:

kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin:  addprinc -randkey host/server0.example.com
WARNING: no policy specified for host/server0.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server0.example.com@EXAMPLE.COM" created.
kadmin:  addprinc -randkey host/desktop0.example.com
WARNING: no policy specified for host/desktop0.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/desktop0.example.com@EXAMPLE.COM" created.
kadmin:  addprinc -randkey nfs/server0.example.com
WARNING: no policy specified for nfs/server0.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/server0.example.com@EXAMPLE.COM" created.
kadmin:  addprinc tim
WARNING: no policy specified for tim@EXAMPLE.COM; defaulting to no policy
Enter password for principal "tim@EXAMPLE.COM":
Re-enter password for principal "tim@EXAMPLE.COM":
Principal "tim@EXAMPLE.COM" created.
kadmin:  q

         The Kerberos password for user tim is: tim

         Create the matching local account on the kerberos host (the same uid must exist on all three machines):

         useradd -u 1001 tim

 

  7. Export the keys from the KDC

         Once the principals exist, the KDC holds every principal's key. The keys of hosts and services are exported into a keytab file, which the host uses in place of a password.

         1) Export desktop0's key into a keytab:

kadmin:  ktadd -k /root/nfs_client.keytab host/desktop0.example.com
kadmin:  q

         2) Inspect the keytab:

klist -k /root/nfs_client.keytab
Keytab name: FILE:/root/nfs_client.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/desktop0.example.com@EXAMPLE.COM
   2 host/desktop0.example.com@EXAMPLE.COM
   2 host/desktop0.example.com@EXAMPLE.COM
   2 host/desktop0.example.com@EXAMPLE.COM
   2 host/desktop0.example.com@EXAMPLE.COM
   2 host/desktop0.example.com@EXAMPLE.COM
   2 host/desktop0.example.com@EXAMPLE.COM
   2 host/desktop0.example.com@EXAMPLE.COM

         There is one line per key type derived from supported_enctypes; klist -ke also prints the type of each key. KVNO is the key version number. ktadd replaces the principal's key with a fresh random one and increments the version every time it runs, so running ktadd again for the same principal silently invalidates every keytab exported earlier.

         3) Export server0's keys the same way; both its host principal and its nfs service principal go into one file:

kadmin:  ktadd -k /root/nfs_server.keytab host/server0.example.com
kadmin:  ktadd -k /root/nfs_server.keytab nfs/server0.example.com
kadmin:  q

  8. Publish the keytabs on the web server so the Kerberos clients (server0 and desktop0) can fetch them:

         cp nfs_client.keytab nfs_server.keytab /var/www/html/

         A keytab is a long-term secret equivalent to the host's password: anyone who can reach the web server can download it and impersonate that host to the KDC. This is acceptable only in a throw-away lab. Otherwise copy the files with scp, and in either case delete them from /var/www/html/ and /root once the clients have them.
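What klist -k prints is a view of the binary entries in the keytab file. The following Python 3 script is an added example, not code from the original post: it writes and reads the MIT keytab format (version 0x0502) so that the structure behind the eight identical-looking lines in step 7 is visible, one entry per key type, each carrying the principal, the kvno and the key itself. It also implements the two checks worth running on a keytab before copying it anywhere: which entries use deprecated enctypes, and which have become stale because a later ktadd bumped the kvno. The sample keytab and its key bytes are constructed; the page does not show which enctypes the real file held, so the sample follows the kdc.conf list.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format 0x0502
NT_PRINCIPAL = 1             # name type of ordinary principals
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
DEPRECATED_ENCTYPES = {1, 2, 3, 8, 16, 23}   # single DES (RFC 6649), 3DES and RC4 (RFC 8429)


def _counted(data):
    return struct.pack(">H", len(data)) + data


def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries, timestamp=0):
    """entries: iterable of (principal, kvno, enctype, key bytes). Returns the file contents."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in components)
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)   # name type, time, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key                  # key block
        body += struct.pack(">I", kvno)                                      # 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body   # length prefix; a negative length marks a deleted slot
    return bytes(out)


def parse_keytab(data):
    """Return the entries in file order, the same rows klist -k prints."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # deleted entry: skip the hole
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        kvno = vno8
        if end - pos >= 4:                            # trailer present: it overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": timestamp, "key": key})
    return entries


def klist_lines(entries):
    """Rows in the form klist -ke prints: kvno, principal, enctype."""
    return ["%4d %s (%s)" % (e["kvno"], e["principal"],
                             ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"]))
            for e in entries]


def deprecated_entries(entries):
    return [e for e in entries if e["enctype"] in DEPRECATED_ENCTYPES]


def stale_entries(entries, current_kvno):
    """Entries older than the KDC's current kvno: a later ktadd for the same principal
    rerandomized the key and bumped the version, so these keys no longer decrypt service tickets."""
    return [e for e in entries if e["kvno"] < current_kvno]


if __name__ == "__main__":
    host = "host/desktop0.example.com@EXAMPLE.COM"
    # Constructed sample: eight keys at kvno 2, mirroring the eight klist lines on the page.
    sample = build_keytab([(host, 2, et, bytes([et]) * 16) for et in (18, 17, 16, 23, 26, 25, 8, 3)])
    entries = parse_keytab(sample)
    print("\n".join(klist_lines(entries)))
    print("deprecated:", [ENCTYPE_NAMES[e["enctype"]] for e in deprecated_entries(entries)])
    print("stale after a second ktadd (kvno 3):", len(stale_entries(entries, 3)))
```

To check a real file, pass `open("/etc/krb5.keytab", "rb").read()` to parse_keytab and compare the kvno values with `kadmin -q "getprinc host/desktop0.example.com"` on the KDC; any entry with a lower kvno is stale.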

 

II. Configure the NFS server on server0

  To exercise Kerberos, two NFS exports are configured: /public, a standard export to the example.com network, read-only; and /protected, a secure export, read-write. Access to /protected goes through Kerberos (sec=krb5p: authentication plus integrity protection and encryption of the data) using the keys issued by the KDC. /protected contains a subdirectory named secret owned by tim, and user tim can read and write /protected/secret. User tim exists on all three machines.

 1. Install the software, on server0 and on desktop0

         First copy /etc/krb5.conf from the kerberos server to server0 and desktop0:

         scp /etc/krb5.conf server0:/etc
         scp /etc/krb5.conf desktop0:/etc
         yum install krb5-workstation
         yum install nfs-utils

 2. Configure NFS

         mkdir -p /protected/secret
         mkdir /public
         cat /etc/exports
         /public 192.168.3.0/24(ro)
         /protected 192.168.3.0/24(rw,sec=krb5p,no_root_squash)

         Note: the client list has to be written as an address range. With a domain wildcard (*.example.com) the secure export could not be mounted and the client reported: mount.nfs: Operation not permitted. The cause was not found. (Wildcard entries are matched against the client's reverse-resolved hostname, so the first thing to check is whether server0 can reverse-resolve the client's address to desktop0.example.com.) no_root_squash disables the default mapping of uid 0 to nobody; it is not needed for the tim test and should be left out of a production export.

         Edit /etc/sysconfig/nfs and set the RPCNFSDARGS variable so that NFS 4.2 is offered:

         RPCNFSDARGS="-V 4.2"

  3. Start NFS

         1) Start the standard NFS service

         systemctl start nfs-server
         systemctl enable nfs-server

         2) Download the keytab (the secure NFS service reads /etc/krb5.keytab by default)

         wget -O /etc/krb5.keytab http://kerberos.example.com/nfs_server.keytab
         chmod 600 /etc/krb5.keytab

         wget creates the file with the umask's default mode, typically 0644, which would let every local user read the host's keys; hence the chmod.

         3) Start the secure NFS service

         systemctl start nfs-secure-server.service
         showmount -e
         Export list for server0.example.com:
         /protected 192.168.3.0/24
         /public    192.168.3.0/24

         4) Open the firewall

         firewall-cmd --permanent --add-service=nfs
         firewall-cmd --permanent --add-service=rpc-bind
         firewall-cmd --permanent --add-service=mountd
         firewall-cmd --reload

         5) Create user tim with the same uid as on the kerberos server

         useradd -u 1001 tim
         chown tim:tim /protected/secret
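The two export lines above carry everything that decides how safe a share is: the client list, the rw/ro flag, the sec= flavor and the squash options. The following Python 3 script is an added example, not part of the original post: it parses /etc/exports (comments, backslash continuations, quoted paths, several clients per line) and flags the settings discussed in this section, a writable export that accepts AUTH_SYS, plain krb5 without integrity or privacy, no_root_squash, insecure, and wildcard hosts whose matching depends on reverse DNS. The sample inputs are constructed; the first one reproduces the page's two lines and the second shows the hardened form of /protected.

```python
import re
import shlex

PROTECTING_FLAVORS = {"krb5i", "krb5p"}   # integrity / privacy; plain krb5 only authenticates each RPC


def parse_exports(text):
    """Parse /etc/exports into [(path, [(client, [option, ...]), ...]), ...].

    Handles '#' comments, backslash continuations, quoted paths and 'client(opt,opt)'
    groups. A bare '(opts)' or a path with no clients at all means every host ('*').
    """
    exports, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        fields = shlex.split(line)
        if not fields:
            continue
        path, clients = fields[0], []
        for spec in fields[1:]:
            match = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            if not match:
                raise ValueError("malformed client spec: %s" % spec)
            client = match.group(1) or "*"
            options = [o for o in (match.group(2) or "").split(",") if o]
            clients.append((client, options))
        exports.append((path, clients or [("*", [])]))
    return exports


def audit_exports(text):
    """Findings for settings that weaken an export; an empty list means nothing to report."""
    findings = []
    for path, clients in parse_exports(text):
        for client, options in clients:
            sec = [o[4:] for o in options if o.startswith("sec=")]
            flavors = set(sec[-1].split(":")) if sec else {"sys"}   # colon-separated list; default sys
            writable = "rw" in options
            where = "%s for %s" % (path, client)
            if writable and "sys" in flavors:
                findings.append("%s: rw with AUTH_SYS; the server trusts whatever uid the client asserts" % where)
            elif writable and not flavors & PROTECTING_FLAVORS:
                findings.append("%s: sec=%s does not protect the data in transit; use krb5i or krb5p"
                                % (where, ":".join(sorted(flavors))))
            if "no_root_squash" in options:
                findings.append("%s: no_root_squash keeps uid 0 on the client as uid 0 on the export" % where)
            if "insecure" in options:
                findings.append("%s: insecure accepts requests from unprivileged source ports" % where)
            if client == "*" and writable:
                findings.append("%s: rw export to every host" % where)
            if client != "*" and re.search(r"[*?]", client):
                findings.append("%s: wildcard host is matched against the client's reverse-resolved name, "
                                "so a missing or wrong reverse mapping makes the mount fail" % where)
    return findings


# Constructed samples: the page's /etc/exports, then the hardened form of /protected.
PAGE_EXPORTS = """# /etc/exports as on the page
/public 192.168.3.0/24(ro)
/protected 192.168.3.0/24(rw,sec=krb5p,no_root_squash)
"""
HARDENED_EXPORTS = """/public 192.168.3.0/24(ro)
/protected 192.168.3.0/24(rw,sec=krb5p,root_squash)
"""

if __name__ == "__main__":
    for label, sample in (("page", PAGE_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(label, audit_exports(sample) or ["ok"])
```

Against the real file, `audit_exports(open("/etc/exports").read())` reports only the no_root_squash line for this lab; the hardened variant reports nothing.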

III. Configure the client desktop0

  1. Create the mount points

         mkdir /mnt/nfsmount
         mkdir /mnt/nfssecure
         showmount -e 192.168.3.31

         (192.168.3.31 is server0.)

  2. Mount

         1) Standard mount

         mount 192.168.3.31:/public /mnt/nfsmount/

         This mounts without any further preparation.

         2) Secure NFS mount

         mount -o sec=krb5p,v4.2 192.168.3.31:/protected /mnt/nfssecure/
         mount.nfs: an incorrect mount option was specified

         At this point the mount fails, because the client has no machine credential yet: the keytab has to be downloaded first.

         wget -O /etc/krb5.keytab http://kerberos.example.com/nfs_client.keytab
         chmod 600 /etc/krb5.keytab

         Inspect the keytab: klist -k /etc/krb5.keytab

         3) Start nfs-secure (rpc.gssd, which uses the keytab to obtain the machine ticket the mount needs)

         systemctl restart nfs-secure

         Now mount -o sec=krb5p,v4.2 192.168.3.31:/protected /mnt/nfssecure succeeds.

         [root@desktop0 ~]# su - tim
         [tim@desktop0 ~]$ df
         df: ‘/mnt/nfssecure’: Permission denied

         User tim needs a Kerberos ticket, obtained with kinit, before the contents of /mnt/nfssecure/ are visible:

         [tim@desktop0 ~]$ kinit
         Password for tim@EXAMPLE.COM:

         Running df now lists the /mnt/nfssecure/ mount point.

         If file ownership shows up as 4294967294 (the NFSv4 "nobody" id, meaning the user@domain names sent by the server could not be mapped to local uids), start the id-mapping service on both the server and the client:

         systemctl start nfs-idmap.service
         systemctl enable nfs-idmap.service

         In /mnt/nfssecure/secret user tim can create files, and the files are owned by tim.

         klist shows the tickets.

         On every host in this environment the files /etc/hosts and /etc/krb5.conf are identical.

 

IV. Install LDAP on the kerberos server

  Environment for this part (the names change from here on): the DNS domain of all hosts is abc.com and the Kerberos realm is ABC.COM.

  kerberos+ldap server: kerberos.abc.com

  nfs server: station1.abc.com

  client: station2.abc.com

  The files involved are as follows:

         kdc.conf

cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ABC.COM = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

         kadm5.acl

cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@ABC.COM   *

         krb5.conf

cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 12h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = ABC.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 ABC.COM = {
  kdc = kerberos.abc.com
  admin_server = kerberos.abc.com
 }

[domain_realm]
 .abc.com = ABC.COM
 abc.com = ABC.COM

         hosts

cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.176 kerberos.abc.com
192.168.3.156 station1.abc.com
192.168.3.166 station2.abc.com

 

  1. Install the software

         yum install openldap-servers openldap-clients

  2. Edit a copy of the configuration template

         cp /usr/share/openldap-servers/slapd.ldif .

         1) Certificate locations

         olcTLSCACertificatePath: /etc/openldap/certs             (directory holding the CA certificates)
         olcTLSCertificateFile: /etc/openldap/certs/ldap.crt      (server certificate)
         olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key   (server private key)

         2) Add the schemas

         include: file:///etc/openldap/schema/corba.ldif
         include: file:///etc/openldap/schema/core.ldif
         include: file:///etc/openldap/schema/cosine.ldif
         include: file:///etc/openldap/schema/duaconf.ldif
         include: file:///etc/openldap/schema/dyngroup.ldif
         include: file:///etc/openldap/schema/inetorgperson.ldif
         include: file:///etc/openldap/schema/java.ldif
         include: file:///etc/openldap/schema/misc.ldif
         include: file:///etc/openldap/schema/nis.ldif
         include: file:///etc/openldap/schema/openldap.ldif
         include: file:///etc/openldap/schema/ppolicy.ldif
         include: file:///etc/openldap/schema/collective.ldif

         3) Use a bdb database (the template ships with hdb; both are Berkeley DB back ends and both need the DB_CONFIG file copied in step 4)

         dn: olcDatabase=bdb,cn=config
         objectClass: olcDatabaseConfig
         objectClass: olcBdbConfig
         olcDatabase: bdb

         4) Set RootDN and RootPW

         olcSuffix: dc=abc,dc=com
         olcRootDN: cn=Manager,dc=abc,dc=com
         olcRootPW: 123

         Written like this, olcRootPW is stored in cleartext and ends up verbatim in /etc/openldap/slapd.d/. Generate a hash with slappasswd -h '{SSHA}' -s 123 and put the resulting {SSHA}... string in its place; the bind password itself stays 123.

  3. Generate the configuration directory

         rm -rfv /etc/openldap/slapd.d/*
         slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif

      Check that the configuration is valid:

      slaptest -u -F /etc/openldap/slapd.d

  4. Start the slapd service

      chown -R ldap:ldap /etc/openldap/slapd.d
      cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
      chown ldap:ldap /var/lib/ldap/DB_CONFIG
      systemctl start slapd
      systemctl enable slapd
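To make the olcRootPW caveat in step 2 concrete, the following Python 3 script reimplements the {SSHA} scheme that slappasswd produces by default (SHA-1 over password plus a 4-byte salt, then base64 of digest and salt) and uses it to rewrite a cleartext olcRootPW line in an LDIF file. This is an added example and not code from the original post or from OpenLDAP; PAGE_LDIF is a constructed excerpt of the edited slapd.ldif.

```python
import base64
import hashlib
import hmac
import os
import re

SCHEME = "{SSHA}"
_ROOTPW = re.compile(r"^(olcRootPW)(::?)\s*(.*)$")   # 'attr: value' or 'attr:: base64'


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(SHA1(password + salt) + salt), with a 4-byte salt like slappasswd."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored):
    """(digest, salt) from a stored {SSHA} value, or None if it is not one."""
    if not stored.startswith(SCHEME):
        return None
    blob = base64.b64decode(stored[len(SCHEME):])
    return blob[:20], blob[20:]


def ssha_verify(password, stored):
    parts = ssha_split(stored)
    if parts is None:
        return False
    digest, salt = parts
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def _decode(sep, value):
    return base64.b64decode(value).decode("utf-8") if sep == "::" else value


def rootpw_values(ldif_text):
    """Every olcRootPW value in the LDIF, with the '::' base64 form decoded."""
    return [_decode(m.group(2), m.group(3)) for m in map(_ROOTPW.match, ldif_text.splitlines()) if m]


def audit_rootpw(ldif_text):
    """Flag olcRootPW values stored in cleartext and return the LDIF with them hashed.

    Returns (findings, fixed_text). Values that already carry a '{SCHEME}' prefix are left alone.
    """
    findings, fixed = [], []
    for line in ldif_text.splitlines():
        match = _ROOTPW.match(line)
        if match:
            attr, sep, value = match.groups()
            value = _decode(sep, value)
            if not re.match(r"^\{[A-Za-z0-9-]+\}", value):
                findings.append("%s is stored in cleartext" % attr)
                line = "%s: %s" % (attr, ssha_hash(value))
        fixed.append(line)
    return findings, "\n".join(fixed) + ("\n" if ldif_text.endswith("\n") else "")


# Constructed excerpt of the edited slapd.ldif from step 2.
PAGE_LDIF = """dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: dc=abc,dc=com
olcRootDN: cn=Manager,dc=abc,dc=com
olcRootPW: 123
"""

if __name__ == "__main__":
    findings, fixed = audit_rootpw(PAGE_LDIF)
    print(findings)
    print(fixed)
    print("bind with 123 still works:", ssha_verify("123", rootpw_values(fixed)[0]))
```

slapd verifies a {SSHA} value exactly as ssha_verify does, so the hashed line is a drop-in replacement and the password used for ldapadd -D "cn=Manager,dc=abc,dc=com" -W stays 123. Note that {SSHA} is salted but unslowed SHA-1; slappasswd -h lists the schemes a given server offers, and the same audit applies to any userPassword values loaded later.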

  5. Migrate user information into LDAP

      yum install migrationtools

      1) Generate the LDIF for the base DN

      cd /usr/share/migrationtools/

      Edit migrate_common.ph and change the domain to abc.com:

        71 $DEFAULT_MAIL_DOMAIN = "abc.com";
        74 $DEFAULT_BASE = "dc=abc,dc=com";

      Then generate the LDIF:

      ./migrate_base.pl > /root/abc.ldif

      migrate_base.pl emits a long list of organizational units; keep only the following entries in /root/abc.ldif:

dn: dc=abc,dc=com
dc: abc
objectClass: top
objectClass: domain

dn: ou=People,dc=abc,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=abc,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

         2) Create the users

         mkdir /rhome
         useradd -d /rhome/ldap1 ldap1
         useradd -d /rhome/ldap2 ldap2
         echo 123 | passwd --stdin ldap1
         echo 123 | passwd --stdin ldap2
         tail -2 /etc/passwd > /root/users.txt
         tail -2 /etc/group > /root/groups.txt
         ./migrate_passwd.pl /root/users.txt > /root/users.ldif
         ./migrate_group.pl /root/groups.txt > /root/groups.ldif

         This leaves three LDIF files, abc.ldif, users.ldif and groups.ldif, to be loaded into the LDAP database. migrate_passwd.pl copies the password hashes from /etc/shadow into userPassword attributes, so users.ldif is as sensitive as the shadow file and should not be left readable by other users.

         3) Create the base DN

         Load abc.ldif with slapd stopped:

         systemctl stop slapd
         slapadd -vl abc.ldif

         slapadd runs as root and creates the database files owned by root, which is why /var/lib/ldap is chowned back to ldap before slapd is restarted below.

         4) Install an LDAP administration tool: phpldapadmin

         tar zxf phpldapadmin-1.2.0.4.tgz -C /var/www/html/
         cd /var/www/html/
         mv phpldapadmin-1.2.0.4/ ldap
         yum install php
         yum install php-ldap
         systemctl restart httpd
         cd ldap/config
         cp config.php.example config.php
         chown -R ldap:ldap /var/lib/ldap/
         systemctl restart slapd

         Then open http://kerberos.abc.com/ldap

         5) Import the users (users.ldif) and groups (groups.ldif)

         Either through the web page or with ldapadd, for example:

         ldapadd -D "cn=Manager,dc=abc,dc=com" -W -x -f groups.ldif

  6. TLS encryption

         1) Create a CA, on the kerberos host

         vim /etc/pki/tls/openssl.cnf

         172 basicConstraints=CA:TRUE    (changed from FALSE)

         In the stock file this line sits in the [ usr_cert ] section, which governs certificates issued with openssl ca, not the CA certificate itself (CA -newca applies the v3_ca extensions). Changing it to TRUE is therefore not required, and it turns the LDAP server certificate issued in 2) into a CA certificate, so that key could then sign certificates the clients trust. Leave it at CA:FALSE.

         [root@kerberos CA]# pwd
         /etc/pki/CA
         /etc/pki/tls/misc/CA -h
         usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

         Run the script:

         [root@kerberos CA]# /etc/pki/tls/misc/CA -newca

         This generates the CA's own private key and self-signed certificate, as the following two files:

         /etc/pki/CA/cacert.pem          certificate
         /etc/pki/CA/private/cakey.pem   private key

         2) Create the server (LDAP server) certificate

         Generate a key pair and have the CA sign it to produce the certificate.

         Generate the server's RSA private key:

         openssl genrsa -out ldap.key 1024

         1024-bit RSA was already below the accepted minimum in 2016; use 2048 bits or more. When the next command prompts for the Common Name, enter the server's FQDN, kerberos.abc.com, because that is the name the clients verify against the certificate.

         Derive the public key into a certificate signing request (CSR) for the CA to sign:

         openssl req -new -key ldap.key -out ldap.csr

         Copy the request to the CA and sign it. On the CA:

         openssl ca -in ldap.csr -out ldap.crt

         Put ldap.crt and ldap.key in the right place on the LDAP server:

         cp ldap.crt ldap.key /etc/openldap/certs/
         chown -R ldap:ldap /etc/openldap/certs/
         chmod 700 /etc/openldap/certs/

 

V. LDAP client configuration (on station1 and station2)

  1. Install the software

         yum install openldap-clients
         yum install sssd-ldap nss-pam-ldapd

  2. Without TLS, authenticating with the LDAP password

         authconfig-tui

         User Information        Authentication
         [ ] Cache Information     [ ] Use MD5 Passwords
         [*] Use LDAP            [*] Use Shadow Passwords
         [ ] Use NIS              [*] Use LDAP Authentication
         [ ] Use IPAv2            [ ] Use Kerberos
         [ ] Use Winbind          [ ] Use Fingerprint reader
                                 [ ] Use Winbind Authentication
                                 [*] Local authorization is sufficient

                  [ ] Use TLS
         Server: ldap://kerberos.abc.com
         Base DN: dc=abc,dc=com

         In this mode the simple bind that carries the user's password crosses the network in cleartext; it is only a stepping stone to the TLS setup in 6) and 7).

  3. Test: ssh station1.abc.com and log in as ldap1 with password 123

  4. Without TLS, authenticating with the Kerberos password

         1) Add ldap1 and ldap2 to the Kerberos database (in kadmin):

         addprinc ldap1  (password ldap1)
         addprinc ldap2  (password ldap2)

  5. authconfig-tui

         User Information        Authentication
         [ ] Cache Information     [ ] Use MD5 Passwords
         [*] Use LDAP            [*] Use Shadow Passwords
         [ ] Use NIS              [ ] Use LDAP Authentication
         [ ] Use IPAv2            [*] Use Kerberos
         [ ] Use Winbind          [ ] Use Fingerprint reader
                                 [ ] Use Winbind Authentication
                                 [*] Local authorization is sufficient

                    Kerberos Settings
         Realm: ABC.COM
         KDC: kerberos.abc.com
         Admin Server: kerberos.abc.com
         [ ] Use DNS to resolve hosts to realms
         [ ] Use DNS to locate KDCs for realms

         Test: ssh station1.abc.com and log in as ldap1 with password ldap1

         Note: the nslcd service must be running (systemctl restart nslcd). /etc/pam.d/password-auth then contains the pam_ldap.so module; with Kerberos password authentication it contains pam_krb5.so instead.

  6) Using TLS encryption, on the LDAP server

         This variant uses a self-signed server certificate instead of the CA-signed one from step IV.6 and overwrites the same ldap.key and ldap.crt.

         Generate the server's RSA private key:

         openssl genrsa -out ldap.key 1024

      Generate the signing request:

      openssl req -new -key ldap.key -out ldap.csr

      Generate the self-signed certificate:

         openssl x509 -req -days 3653 -in ldap.csr -signkey ldap.key -out ldap.crt

         Copy ldap.key and ldap.crt to /etc/openldap/certs (and chown them to ldap as in IV.6).

  7) Using TLS encryption, LDAP client configuration

         Stop nslcd and remove the packages from step 1 (nss-pam-ldapd); sssd takes over:

         yum install sssd

         Because the server certificate is self-signed and the client has not been given a CA certificate, certificate verification is relaxed for now.

      Edit /etc/openldap/ldap.conf and add a line above TLS_CACERTDIR:

      TLS_REQCERT allow

grep -v '^#' /etc/openldap/ldap.conf | uniq

TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts

SASL_NOCANON      on
URI ldap://kerberos.abc.com
BASE dc=abc,dc=com

         Then run an LDAP query:

      ldapsearch -x -b "dc=abc,dc=com" "objectclass=*" -ZZ

         The LDAP data is displayed; the trailing -ZZ forces STARTTLS and makes the command fail if TLS cannot be negotiated.

         TLS_REQCERT allow means that a missing or bad server certificate is ignored and the session proceeds, so the connection is encrypted but the server is not authenticated: anyone who can intercept traffic to kerberos.abc.com can present their own certificate and read the queries. Step 8) replaces this with a verified CA certificate; do not leave allow in place.

         Edit /etc/sssd/sssd.conf and add a line below ldap_uri:

      ldap_tls_reqcert = allow

      Restart sssd:

      systemctl restart sssd

cat /etc/sssd/sssd.conf
[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=abc,dc=com
krb5_server = kerberos.abc.com
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://kerberos.abc.com
ldap_tls_reqcert = allow
krb5_realm = ABC.COM
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = kerberos.abc.com
[sssd]
services = nss, pam, autofs
config_file_version = 2

domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

         With TLS selected, /etc/pam.d/password-auth contains the pam_sss.so module.

      Test on the LDAP client:

id ldap1
uid=1001(ldap1) gid=1001(ldap1) groups=1001(ldap1)

     Test with an ssh login as well.

      Note: the LDAP client only needs sssd: yum install sssd

      After configuring with authconfig-tui, /etc/sssd/sssd.conf is generated automatically.

      When configuring with authconfig-tui, the LDAP server must be given as a hostname, not an address, because the hostname is what the server certificate is checked against.

  8) Using the CA-signed certificate

      This requires the server to be running with the CA-signed ldap.crt from IV.6 rather than the self-signed one from 6). Copy the CA certificate to the LDAP client's /etc/openldap/cacerts directory:

      [root@kerberos CA]# scp cacert.pem station2.abc.com:/etc/openldap/cacerts
      [root@station2 ~]# cacertdir_rehash /etc/openldap/cacerts/

      Then remove the two allow settings from step 7) (TLS_REQCERT in ldap.conf and ldap_tls_reqcert in sssd.conf); the default for both is demand, which verifies the server certificate against the CA.
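The two allow settings from step 7) are exactly what step 8) takes away again, and they are easy to overlook on a client that was set up the quick way. The following Python 3 script is an added example, not code from the original post or from sssd: it audits /etc/openldap/ldap.conf and /etc/sssd/sssd.conf for certificate verification that has been switched off, for a plain ldap:// URI without STARTTLS, and for a missing trust anchor, and it returns the hardened text (demand, STARTTLS on) so the same function can confirm the fix. The two samples are constructed copies of the page's files.

```python
import configparser
import io

INSECURE_REQCERT = {"never", "allow"}   # the session proceeds even with a bad or missing certificate


def audit_ldap_conf(text):
    """Audit /etc/openldap/ldap.conf ('DIRECTIVE value' lines). Returns (findings, fixed_text)."""
    findings, fixed, trust_anchor = [], [], False
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            directive = parts[0].upper()
            value = parts[1].strip() if len(parts) > 1 else ""
            if directive in ("TLS_CACERT", "TLS_CACERTDIR") and value:
                trust_anchor = True
            if directive == "TLS_REQCERT" and value.lower() in INSECURE_REQCERT:
                findings.append("TLS_REQCERT %s: server certificate is not verified, "
                                "so STARTTLS is open to interception" % value)
                line = "TLS_REQCERT demand"
        fixed.append(line)
    if not trust_anchor:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: nothing to verify the server certificate against")
    return findings, "\n".join(fixed) + "\n"


def audit_sssd_conf(text):
    """Audit the [domain/...] sections of /etc/sssd/sssd.conf. Returns (findings, fixed_text)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        reqcert = dom.get("ldap_tls_reqcert", "demand").lower()   # sssd's default is demand
        if reqcert in INSECURE_REQCERT:
            findings.append("%s: ldap_tls_reqcert = %s disables certificate verification" % (section, reqcert))
            dom["ldap_tls_reqcert"] = "demand"
        uri = dom.get("ldap_uri", "")
        if uri.startswith("ldap://") and dom.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append("%s: ldap_uri is plain ldap:// and ldap_id_use_start_tls is off; "
                            "identity lookups go in cleartext" % section)
            dom["ldap_id_use_start_tls"] = "True"
        if not (dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir")):
            findings.append("%s: no ldap_tls_cacert or ldap_tls_cacertdir configured" % section)
    out = io.StringIO()
    cfg.write(out)
    return findings, out.getvalue()


# Constructed copies of the page's two client files.
PAGE_LDAP_CONF = """TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts

SASL_NOCANON      on
URI ldap://kerberos.abc.com
BASE dc=abc,dc=com
"""
PAGE_SSSD_CONF = """[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=abc,dc=com
krb5_server = kerberos.abc.com
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://kerberos.abc.com
ldap_tls_reqcert = allow
krb5_realm = ABC.COM
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_store_password_if_offline = True
krb5_kpasswd = kerberos.abc.com

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]
"""

if __name__ == "__main__":
    for name, audit, sample in (("ldap.conf", audit_ldap_conf, PAGE_LDAP_CONF),
                                ("sssd.conf", audit_sssd_conf, PAGE_SSSD_CONF)):
        findings, fixed = audit(sample)
        print(name, findings or ["ok"])
        print(name, "after fix:", audit(fixed)[0] or ["ok"])
```

The hardened sssd.conf only works once the CA certificate from step 8) is in /etc/openldap/cacerts and rehashed; with demand and an empty cacerts directory every lookup fails, which is the correct failure mode for a client that cannot tell the real server from an impostor.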


VI. Configure autofs

  The home directories of LDAP users are mounted from the NFS export on the server by autofs; without that mount an LDAP user has no home directory. (kerberos.abc.com must export /rhome, the directory created in IV.5.)

      [root@station2 auto.master.d]# yum install autofs
      [root@station2 auto.master.d]# grep rhome /etc/auto.master
      /rhome /etc/auto.misc
      [root@station2 auto.master.d]# grep kerberos /etc/auto.misc
      *    -fstype=nfs  kerberos.abc.com:/rhome/&
      [root@station2 auto.master.d]# systemctl start autofs
      [root@station2 auto.master.d]# systemctl enable autofs

      Note that this home-directory mount carries no sec= option, so it uses the default sec=sys, unlike /mnt/nfssecure below.

[root@station2 ~]# tail -2 /etc/fstab
station1.abc.com:/public     /mnt/nfsmount    nfs   defaults                  0 0
station1.abc.com:/protected  /mnt/nfssecure   nfs   defaults,sec=krb5p,v4.2   0 0

      mount -a

[root@station2 ~]# df
Filesystem                    1K-blocks    Used Available Use% Mounted on
/dev/vda3                       8913920 1011600   7902320  12% /
devtmpfs                         503384       0    503384   0% /dev
tmpfs                            508996       0    508996   0% /dev/shm
tmpfs                            508996    6696    502300   2% /run
tmpfs                            508996       0    508996   0% /sys/fs/cgroup
/dev/vda1                        508588   91600    416988  19% /boot
kerberos.abc.com:/rhome/ldap2  30210048 5526016  24684032  19% /rhome/ldap2
station1.abc.com:/public        8913920  982272   7931648  12% /mnt/nfsmount
station1.abc.com:/protected     8913920  982272   7931648  12% /mnt/nfssecure


      Test by logging in to station2.abc.com as ldap1:

[c:\~]$ ssh 192.168.3.166
Connecting to 192.168.3.166:22...
Connection established.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sun Sep  6 17:26:01 2015 from 192.168.3.93
[ldap1@station2 ~]$ df
Filesystem                    1K-blocks    Used Available Use% Mounted on
/dev/vda3                       8913920 1011660   7902260  12% /
devtmpfs                         503384       0    503384   0% /dev
tmpfs                            508996       0    508996   0% /dev/shm
tmpfs                            508996    6728    502268   2% /run
tmpfs                            508996       0    508996   0% /sys/fs/cgroup
/dev/vda1                        508588   91600    416988  19% /boot
kerberos.abc.com:/rhome/ldap2  30210048 5526016  24684032  19% /rhome/ldap2
station1.abc.com:/public        8913920  982144   7931776  12% /mnt/nfsmount
station1.abc.com:/protected     8913920  982144   7931776  12% /mnt/nfssecure

      Write test:

[ldap1@station2 ~]$ cd /mnt/nfssecure/
[ldap1@station2 nfssecure]$ cd abc
[ldap1@station2 abc]$ touch abc
[ldap1@station2 abc]$ cp /etc/passwd .
[ldap1@station2 abc]$ ll
total 4
-rw-rw-r-- 1 ldap1 ldap1    0 Sep  6 17:37 abc
-rw-r--r-- 1 ldap1 ldap1 1156 Sep  6  2015 passwd

      The files are owned by user ldap1, which shows that the Kerberos identity was mapped to the LDAP account on the server.

      Relevant lines of /etc/nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss

      Contents of /etc/sysconfig/authconfig:

cat /etc/sysconfig/authconfig
IPADOMAINJOINED=no
USEMKHOMEDIR=no
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USEDB=no
USELDAPAUTH=no
IPAV2NONTP=no
WINBINDKRB5=no
USELOCAUTHORIZE=yes
USEECRYPTFS=no
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=yes
USESYSNETAUTH=no
USESSSD=yes
USEPWQUALITY=yes
USEPASSWDQC=no

      This completes the configuration.

