Lab environment: set the default firewalld zone of both virtual machines to trusted
[root@server0 ~]# firewall-cmd --set-default-zone=trusted
[root@desktop0 ~]# firewall-cmd --set-default-zone=trusted
(Lab shortcut only: the trusted zone accepts every incoming connection on every interface. On a real server keep the default zone and open just the nfs, rpc-bind and mountd firewalld services.)
1. NFS shared services (Linux to Linux)
1.1 Plain NFS service
• NFS: Network File System
  – Purpose: provide shared directories to clients
  – Protocols: NFS (TCP/UDP 2049), RPC portmapper (TCP/UDP 111); NFSv4 needs only TCP 2049, port 111 is used by showmount and NFSv3
• Required package: nfs-utils
• System service: nfs-server
• List the exports a server offers
  – showmount -e <server address>
• Mount an NFS export manually
  – mount <server address>:<exported path> <mount point>
• Mount at boot via /etc/fstab
  – <server address>:<exported path> <mount point> nfs _netdev 0 0
Server side: server0
1. Install the server package nfs-utils
2. Edit /etc/exports, one export per line:
   <exported path> <client address>(<options>)
   Write the options directly after the client with no space: "172.25.0.0/24 (ro)" is parsed as two clients, the subnet with default options and "*" (every host) with ro, so the export becomes world-readable.
[root@server0 ~]# mkdir /public                 # create the directory to share
[root@server0 ~]# echo 123 > /public/123.txt
[root@server0 ~]# vim /etc/exports
/public 172.25.0.0/24(ro)                       # read-only for the 172.25.0.0/24 subnet
3. Restart and enable the service
[root@server0 ~]# systemctl restart nfs-server
[root@server0 ~]# systemctl enable nfs-server
Client: desktop0 (in vim command mode, press o to open a new line below and enter insert mode)
[root@desktop0 ~]# showmount -e 172.25.0.11     # list the server's exports
[root@desktop0 ~]# mkdir /mnt/nfs01             # create the mount point
[root@desktop0 ~]# vim /etc/fstab
172.25.0.11:/public /mnt/nfs01 nfs _netdev 0 0
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -h
1.2 Secure NFS service (reset the classroom, server and desktop environments first)
1. Reset classroom, server and desktop
2. Set the default firewalld zone of both virtual machines (server, desktop) to trusted
[root@server0 ~]# firewall-cmd --set-default-zone=trusted
[root@desktop0 ~]# firewall-cmd --set-default-zone=trusted
3. Unify the user accounts
   – LDAP supplies the accounts, Kerberos supplies authentication and the session keys that protect NFS traffic
   – both machines authenticate against the same Kerberos realm, so a user name means the same principal on client and server
[root@server0 ~]# lab nfskrb5 setup       # join LDAP + Kerberos (pre-made lab command)
[root@desktop0 ~]# lab nfskrb5 setup      # join LDAP + Kerberos
4. Verify that the LDAP users resolve on both machines:
[root@server0 ~]# id ldapuser10
[root@desktop0 ~]# id ldapuser10
Server side: server0
1. Deploy the Kerberos keytab, the host key the NFS service uses to authenticate itself and protect traffic (pre-made). /etc/krb5.keytab is a credential: keep it owned by root with mode 600.
wget http://classroom/pub/keytabs/server0.keytab -O /etc/krb5.keytab
2. Configure a read-write NFS export
[root@server0 ~]# mkdir /nsd
[root@server0 ~]# touch /nsd/123.txt
[root@server0 ~]# vim /etc/exports
/nsd 172.25.0.0/24(rw,sec=krb5p)          # sec=krb5p: Kerberos authentication plus integrity protection and encryption of the NFS traffic
   With the default sec=sys the server trusts whatever UID the client sends, so any host in the allowed range can act as any user; krb5p requires a Kerberos ticket per user and encrypts the data on the wire.
3. The nfs-server and nfs-secure-server services must be restarted together (and enabled the same way)
# systemctl restart nfs-server nfs-secure-server
4. So that ldapuser0 can actually write (required by the exam task), grant write permission on the server's local filesystem: NFS only enforces the Unix permissions and ACLs of the exported directory. Either an ACL:
setfacl -m u:ldapuser0:rwx /nsd
or ownership (as for the /protected/project/ directory in the exam task):
[root@server0 ~]# chown ldapuser0 /protected/project/
Client: desktop0
1. Deploy the Kerberos keytab for the client host (root-only, mode 600)
wget http://classroom/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
2. Edit the /etc/fstab boot-time mount configuration
[root@desktop0 ~]# mkdir /mnt/test
[root@desktop0 ~]# vim /etc/fstab
172.25.0.11:/nsd /mnt/test nfs _netdev,sec=krb5p 0 0    # note the server:/path form of an NFS share, unlike Samba's //server/share
Restart the client-side NFS Kerberos service (rpc.gssd), then mount
[root@desktop0 ~]# systemctl restart nfs-secure
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -h
3. Verify that ldapuser0 has write permission (test as ldapuser0, not root: with krb5p every access needs that user's Kerberos ticket, and root is squashed to nobody by default):
[root@desktop0 ~]# ssh ldapuser0@localhost
ldapuser0@localhost's password:        # Kerberos password; the login obtains the ticket the krb5p mount requires
[ldapuser0@desktop0 ~]$ cd /mnt/test
[ldapuser0@desktop0 test]$ touch ldapuser0.txt
Linux Engineer Learning------NFS