
*NFS Client-Side KDC Configuration

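  1. This section is outside the scope of the course, but the practice system must have a Kerberos keytab before the exercises can be done, so the client must first generate a keytab for NFS Kerberos authentication. This section walks through that process, and students can generate one themselves by following the example. In the actual exam, you only need to download the keytab from the specified URL and save it as /etc/krb5.keytab.
  2. Install the krb5-workstation and pam_krb5 packages.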
    [root@kvm7 ~]# yum install -y krb5-workstation pam_krb5
    
  3. In the /etc/krb5.conf file, uncomment all lines, then replace EXAMPLE.COM with DEYU.WANG, example.com with deyu.wang, and kerberos.example.com with the KDC server (kvm5.deyu.wang in this example).
    [root@kvm7 ~]# vim /etc/krb5.conf 
    [root@kvm7 ~]# sed -i 's/EXAMPLE.COM/DEYU.WANG/g' /etc/krb5.conf
    [root@kvm7 ~]# sed -i 's/#//g' /etc/krb5.conf
    [root@kvm7 ~]# sed -i 's/example.com/deyu.wang/g' /etc/krb5.conf
    [root@kvm7 ~]# sed -i 's/kerberos\(.deyu.wang\)/kvm5\1/g' /etc/krb5.conf
    [root@kvm7 ~]# cat /etc/krb5.conf 
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = DEYU.WANG
     default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
     DEYU.WANG = {
      kdc = kvm5.deyu.wang
      admin_server = kvm5.deyu.wang
     }
    
    [domain_realm]
     .deyu.wang = DEYU.WANG
     deyu.wang = DEYU.WANG
    
  4. Run kadmin to connect to the KDC server.
    [root@kvm7 ~]# kadmin -p root/admin@DEYU.WANG
    Authenticating as principal root/admin@DEYU.WANG with password.
    Password for root/admin@DEYU.WANG: 
    kadmin:
    
  5. Create the NFS principal.
    kadmin:  addprinc -randkey nfs/kvm7.deyu.wang
    WARNING: no policy specified for nfs/kvm7.deyu.wang@DEYU.WANG; defaulting to no policy
    Principal "nfs/kvm7.deyu.wang@DEYU.WANG" created.
    
  6. Generate a copy of the nfs/kvm7.deyu.wang principal in the default file /etc/krb5.keytab. If the exam question specifies a pre-built krb5.keytab, just download it and save it as /etc/krb5.keytab.
    kadmin:  ktadd nfs/kvm7.deyu.wang
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type aes256-cts-hmac-sha1-96 added to keytab \
    FILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type aes128-cts-hmac-sha1-96 added to keytab \
    FILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type des3-cbc-sha1 added to keytab \
    FILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type arcfour-hmac added to keytab \
    FILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type camellia256-cts-cmac added to keytab \
    FILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type camellia128-cts-cmac added to keytab \
    FILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type des-hmac-sha1 added to keytab \
    FILE:/etc/krb5.keytab.
    Entry for principal nfs/kvm7.deyu.wang with kvno 2, \
    encryption type des-cbc-md5 added to keytab \
    FILE:/etc/krb5.keytab.
    
  7. Exit the Kerberos administration tool.
    kadmin:  quit
    
  8. Check that /etc/krb5.keytab has been created.
    [root@kvm7 ~]# ll /etc/krb5.keytab 
    -rw-------. 1 root root 562 Sep  4 13:09 /etc/krb5.keytab
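
The listing in step 8 shows only that the file exists with mode 600. As an added example (not part of the original course notes), the shell functions below audit `klist -ke` output for the expected principal and flag the single-DES, 3DES and RC4 keys that ktadd wrote in step 6, which current MIT Kerberos releases treat as deprecated. The function names `audit_keytab`, `keytab_mode_ok` and `sample_klist` are invented here, and the sample listing is constructed from the step 6 output, assuming `klist -ke` prints short enctype names.

```shell
# Added example, not from the original page. Assumes `klist -ke` prints
# entries as "KVNO principal (enctype)" with short enctype names.

# audit_keytab PRINCIPAL: read `klist -ke` text on stdin, report weak keys.
# Returns 0 only if PRINCIPAL has a strong key and no DES/3DES/RC4 keys.
audit_keytab() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want {
            etype = $NF
            gsub(/[()]/, "", etype)          # "(aes...)" -> "aes..."
            sub(/^DEPRECATED:/, "", etype)   # prefix printed by newer klist
            seen++
            if (etype ~ /^(des-|des3-|arcfour-)/) {
                printf "WEAK kvno=%s %s\n", $1, etype
                bad++
            } else strong++
        }
        END {
            if (!seen) print "MISSING " want
            else if (!strong) print "NO-STRONG-KEY " want
            exit ((bad || !strong) ? 1 : 0)
        }'
}

# keytab_mode_ok FILE: succeed only if group and other have no access,
# i.e. the mode string from ls looks like "-rw-------" as in step 8.
keytab_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: what `klist -ke /etc/krb5.keytab` would list for the
# eight enctypes that ktadd reported in step 6 (not captured output).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 nfs/kvm7.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96)
   2 nfs/kvm7.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96)
   2 nfs/kvm7.deyu.wang@DEYU.WANG (des3-cbc-sha1)
   2 nfs/kvm7.deyu.wang@DEYU.WANG (arcfour-hmac)
   2 nfs/kvm7.deyu.wang@DEYU.WANG (camellia256-cts-cmac)
   2 nfs/kvm7.deyu.wang@DEYU.WANG (camellia128-cts-cmac)
   2 nfs/kvm7.deyu.wang@DEYU.WANG (des-hmac-sha1)
   2 nfs/kvm7.deyu.wang@DEYU.WANG (des-cbc-md5)
EOF
}
```

On the client, pipe the real listing into the check with `klist -ke /etc/krb5.keytab | audit_keytab nfs/kvm7.deyu.wang@DEYU.WANG` and run `keytab_mode_ok /etc/krb5.keytab` alongside it.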
    



De-Yu Wang 2018-09-07