Linux Engineer Learning------NFS

Source: Internet
Author: User
Tags ldap

Lab environment: set the default firewall zone on both virtual machines to trusted

[root@server0 ~]# firewall-cmd --set-default-zone=trusted

[root@desktop0 ~]# firewall-cmd --set-default-zone=trusted

1. NFS Shared Services (Linux and Linux)

1.1 General Service for NFS

• Network File System

– Purpose: provide shared folders for clients

– Protocol: NFS (TCP/UDP 2049), RPC (TCP/UDP 111)

• Required package: nfs-utils

• System service: nfs-server

• List which NFS shared resources are available

– showmount -e server-address

• Manually mount an NFS share

– mount server-address:folder-path mount-point

• Mount at boot: configure /etc/fstab

– server-address:folder-path mount-point nfs _netdev 0 0

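Server side: server0

1. Install the server-side package, nfs-utils

2. Modify /etc/exports

folder-path client-address(permissions)

Write the options directly after the client address, with no space before the opening parenthesis. If a space is left there, the options apply to all hosts and the listed client gets the default options.

[root@server0 ~]# mkdir /public    # create the shared directory

[root@server0 ~]# echo 123 > /public/123.txt

[root@server0 ~]# vim /etc/exports

/public 172.25.0.0/24(ro)    # read-only

3. Restart the service

[root@server0 ~]# systemctl restart nfs-server

[root@server0 ~]# systemctl enable nfs-server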

Client: desktop0 (in vim command mode, press o to open a new line in insert mode)

[root@desktop0 ~]# showmount -e 172.25.0.11    # view the shares

[root@desktop0 ~]# mkdir /mnt/nfs01    # create the mount point

[root@desktop0 ~]# vim /etc/fstab

172.25.0.11:/public /mnt/nfs01 nfs _netdev 0 0

[root@desktop0 ~]# mount -a

[root@desktop0 ~]# df -h


1.2 Secure NFS Service (Restore all classroom, server, desktop environments)

1. Restore all three environments: classroom, server, desktop

2. On both virtual machines, server and desktop, set the default firewall zone to trusted

[root@server0 ~]# firewall-cmd --set-default-zone=trusted

[root@desktop0 ~]# firewall-cmd --set-default-zone=trusted

3. Unify user accounts

– Combine LDAP + Kerberos for authentication and encryption support

– Passwords are authenticated in the same Kerberos realm

[root@server0 ~]# lab nfskrb5 setup    # join LDAP + Kerberos (pre-made lab command)

[root@desktop0 ~]# lab nfskrb5 setup    # join LDAP + Kerberos

4. Verify:

[root@server0 ~]# id ldapuser10

[root@desktop0 ~]# id ldapuser10

Server side: server

1. Deploy the keytab used for Kerberos-encrypted communication (already done)

wget http://classroom/pub/keytabs/server0.keytab -O /etc/krb5.keytab

2. Configure the NFS read-write share

[root@server0 ~]# mkdir /nsd

[root@server0 ~]# touch /nsd/123.txt

[root@server0 ~]# vim /etc/exports

/nsd 172.25.0.0/24(rw,sec=krb5p)    # the security flavor is krb5p (encrypted)

3. The nfs-server and nfs-secure-server services must be restarted together

# systemctl restart nfs-server nfs-secure-server

4. For the exercise, ldapuser0 needs write access, so grant that user write permission on the local directory

setfacl -m u:ldapuser0:rwx /nsd

chown ldapuser0 /protected/project/

[root@server0 ~]# chown ldapuser0 /protected/project/


Client side: desktop

1. Deploy the keytab used for Kerberos-encrypted communication

wget http://classroom/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab

2. Modify /etc/fstab, the configuration file for automatic mounting at boot

[root@desktop0 ~]# mkdir /mnt/test

[root@desktop0 ~]# vim /etc/fstab

172.25.0.11:/nsd /mnt/test nfs _netdev,sec=krb5p 0 0    # note the format of the server-side share path; it differs from Samba

Restart the client-side NFS encryption service

[root@desktop0 ~]# systemctl restart nfs-secure

[root@desktop0 ~]# mount -a

[root@desktop0 ~]# df -h

3. Verify that ldapuser0 has write permission:

[root@desktop0 ~]# ssh ldapuser0@desktop0

ldapuser0@desktop0's password:    (enter the Kerberos password)

[ldapuser0@desktop0 test]$ cd /mnt/test

[ldapuser0@desktop0 test]$ touch ldapuser0.txt
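
A quick way to review /etc/exports after following both procedures, as an added example that is not part of the original page: it reports entries that do not require a Kerberos flavor (an entry without sec= falls back to the default sec=sys) and options separated from the client by a space, which then apply to all hosts. The function names, issue labels and the /data line in the constructed sample are hypothetical.

```shell
#!/bin/sh
# audit_exports: read exports(5) lines on stdin and print one finding per
# line as "<path> <client> <issue>". Hypothetical helper, not from the lab.
audit_exports() {
    awk '
    {
        sub(/[ \t]*#.*/, "")          # drop comments
        if (NF < 2) next              # blank line or no client list: nothing to check
        path = $1
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            client = (p > 0) ? substr($i, 1, p - 1) : $i
            opts   = (p > 0) ? substr($i, p + 1) : ""
            sub(/\)$/, "", opts)
            # A token that starts with "(" has no client in front of it:
            # those options are applied to every host.
            if (p == 1) { client = "*"; print path, client, "detached-options" }
            # No sec=krb5, krb5i or krb5p means AUTH_SYS: the server trusts
            # whatever UID the client sends.
            if (("," opts) !~ /,sec=krb5/) print path, client, "no-krb5"
        }
    }'
}

# Constructed sample: the two exports from this lab plus one line with the
# whitespace mistake.
sample_exports() {
    cat <<'EOF'
# constructed sample
/public 172.25.0.0/24(ro)
/nsd    172.25.0.0/24(rw,sec=krb5p)
/data   172.25.0.0/24 (rw)
EOF
}

sample_exports | audit_exports
```

On a real server, run it as `audit_exports < /etc/exports`; the /nsd line from section 1.2 produces no finding, while the plain /public export from section 1.1 is reported as no-krb5.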



