Installing NFSv4 on Linux: [LINUX] How to configure NFSv4 with Kerberos automatic authentication

Configuring the Kerberos service on the server:

1.1 There are a number of files that have to be edited manually on the server:

Edit /etc/krb5.conf

The stock version of this file will have EXAMPLE.COM or example.com everywhere you want to put your own realm or domain name. The two sections in question are libdefaults and domain_realm. The other sections do not need to be changed. In libdefaults, enter your own Kerberos realm name. You may want to set the clock skew to a lower value (provided you are synchronizing time with ntp). The file will look like this:

[root@server ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = server.example.com:88
  admin_server = server.example.com:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

1.2 Edit /var/kerberos/krb5kdc/kdc.conf

In this file, only the realms section needs to be modified. It is important to change the key types as well. I can confirm that the settings below work perfectly in our environment. You may want to decide on appropriate values for the maximum life of each ticket, and for how long each ticket can be renewed. Reasonable values are 1 day and 1 week, but your needs will vary. The values here are the absolute maximum that the KDC will issue; each principal has its own maximum as well. The file will look like this:

[root@server ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
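Both krb5.conf (1.1) and kdc.conf (1.2) use the MIT "profile" syntax: [section] headers, key = value relations, and brace-delimited groups that can nest. The following added example (not code from the original post) parses that syntax and cross-checks the two files the way a reviewer of this setup would: the default realm must have a [realms] block in both files, every domain_realm mapping must point at a defined realm, and supported_enctypes is scanned for DES, 3DES and RC4 families, which current MIT Kerberos releases have removed (single DES) or deprecated (3DES, RC4). The sample file contents are constructed here and mirror the files shown above; the audit flags the legacy entries in the kdc.conf supported_enctypes line.

```python
"""Parse MIT Kerberos profile files (krb5.conf / kdc.conf) and audit them.

Added example, not part of the original post. The syntax handled is the
MIT profile format shared by both files: [section], key = value, and
`name = { ... }` groups that may nest.
"""
import re

# Constructed sample input for this example (subset of the krb5.conf above).
KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 ticket_lifetime = 24h

[realms]
 EXAMPLE.COM = {
  kdc = server.example.com:88
  admin_server = server.example.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Constructed sample input for this example (subset of the kdc.conf above).
KDC_CONF = """
[kdcdefaults]
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Enctype families that are removed (DES) or deprecated (3DES, RC4) in MIT Kerberos.
LEGACY_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")


def parse_profile(text):
    """Return {section: {key: value-or-dict}}; nested groups become nested dicts."""
    root, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' introduces a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:                                  # new [section]
            current = root.setdefault(m.group(1), {})
            stack = [current]
            continue
        if current is None:
            raise ValueError("relation outside of any section: %r" % raw)
        if line == "}":                        # close the innermost group
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in profile")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":                       # open a nested group
            group = {}
            stack[-1][key] = group
            stack.append(group)
        else:
            stack[-1][key] = value             # last value wins for repeated keys
    if len(stack) > 1:
        raise ValueError("unterminated '{' group")
    return root


def legacy_enctypes(kdc_profile, realm):
    """Return the legacy enctype:salt entries the realm would generate keys for."""
    realm_cfg = kdc_profile.get("realms", {}).get(realm, {})
    entries = realm_cfg.get("supported_enctypes", "").split()
    return [e for e in entries if e.lower().startswith(LEGACY_PREFIXES)]


def audit(krb5_profile, kdc_profile):
    """Cross-check krb5.conf against kdc.conf; return a list of finding strings."""
    findings = []
    realm = krb5_profile.get("libdefaults", {}).get("default_realm")
    if realm is None:
        return ["libdefaults.default_realm is not set"]
    if realm not in krb5_profile.get("realms", {}):
        findings.append("krb5.conf has no [realms] entry for %s" % realm)
    if realm not in kdc_profile.get("realms", {}):
        findings.append("kdc.conf has no [realms] entry for %s" % realm)
    for dom, r in krb5_profile.get("domain_realm", {}).items():
        if r not in krb5_profile.get("realms", {}):
            findings.append("domain_realm %s maps to undefined realm %s" % (dom, r))
    for e in legacy_enctypes(kdc_profile, realm):
        findings.append("legacy enctype in supported_enctypes: %s" % e)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_profile(KRB5_CONF), parse_profile(KDC_CONF)):
        print("FINDING:", finding)
```

To run it against a live server, read the two files with open() in place of the constructed strings. The parser keeps the last value for a repeated key, which is sufficient for an audit but loses the multi-valued semantics MIT allows for relations such as kdc.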

1.3 Edit /var/kerberos/krb5kdc/kadm5.acl:

This file determines who can modify the Kerberos database. You need to change the realm. The file will look like this:

[root@server ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *

1.4 Make sure /etc/gssapi_mech.conf looks like this:

[root@server ~]# cat /etc/gssapi_mech.conf
# library                 initialization function
# ================================ ==========================
# The MIT K5 gssapi library, use special function for initialization.
libgssapi_krb5.so.2    mechglue_internal_krb5_init
#

1.5 Create the Kerberos database:

Execute the following command:

[root@server ~]# kdb5_util -r EXAMPLE.COM create -s

This will prompt you for a password. You will only have to enter this password when you initially configure a slave KDC, so choose something large and random and store it in a secure place. Really, you may only have to enter this once more, so make it secure.

1.6 Add the first administrative user:

I do administration as root, so the first user I add is root/admin. The default realm is appended automatically, so the command to use is as follows:

[root@server ~]# kadmin.local -q "addprinc root/admin"

Enter a password when prompted. You will need this password every time you administer the database.

1.7 At this point it is necessary to enable and start the Kerberos services:

[root@server ~]# chkconfig kadmin on
[root@server ~]# service kadmin start
[root@server ~]# chkconfig krb5kdc on
[root@server ~]# service krb5kdc start

To test if everything is working, execute "kadmin" or "kadmin.local". By default, the current user with ‘/admin’ appended is used as the principal.

[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:      <- enter the admin password
kadmin: listprincs
K/M@EXAMPLE.COM
host/server.example.com@EXAMPLE.COM
host/client.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/server.example.com@EXAMPLE.COM
kmaiti@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
nc@EXAMPLE.COM
nfs/server.example.com@EXAMPLE.COM
nfs/client.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin:

The additional principals have been created by the tool. They are required, so leave them be.

1.8 Create a host principal for the KDC:

Now you will want to create an NFS service principal for the NFS server. You also need to add this principal to the local key table.

[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey nfs/server.example.com    <- execute this command; don't forget to replace the hostname
kadmin: ktadd nfs/server.example.com                <- adds the key to the keytab file

1.9 Creating Kerberos principals for the client:

Run kadmin on the server and create the following principals. Replace client.example.com with the fully qualified name of the client machine.

[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey nfs/client.example.com

1.10 Generate the keys for the admin service in a keytab file. They are saved in /var/kerberos/krb5kdc/kadm5.keytab, because that is the admin_keytab configured in /var/kerberos/krb5kdc/kdc.conf. Use the following commands:

[root@server ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin      <- execute these commands
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw

1.11 Make sure that ports 88 and 749 are open on the firewall. Restart the firewall, kadmin and krb5kdc services.
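Steps 1.8 to 1.10 put service keys into keytab files with ktadd, and ktadd randomizes the principal's key and bumps its key version number (kvno) each time it runs, so a keytab copied to a machine before a later ktadd no longer matches what the KDC holds, and NFS sec=krb5 mounts then fail. The following added example (not code from the original post) is the post-setup check a practitioner would run: it parses the output of `klist -kte <keytab>` and of `kadmin -q "getprinc <principal>"`, confirms that each required service principal is present in the keytab with the key version the KDC currently has, and flags any non-AES key. The klist and getprinc texts are constructed samples for this example; in the sample the server keytab is current, while the client principal's keytab is one version behind the KDC and still carries an arcfour key.

```python
"""Check service keytabs against the KDC's current key versions.

Added example, not part of the original post. Parses MIT `klist -kte`
and `kadmin -q "getprinc ..."` output; both samples below are constructed.
"""
import re

# Constructed sample: `klist -kte /etc/krb5.keytab` on the NFS server.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/14/2024 09:12:05 nfs/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/14/2024 09:12:05 nfs/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 03/10/2024 11:40:51 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/14/2024 09:15:20 nfs/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/14/2024 09:15:20 nfs/client.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# Constructed sample: `kadmin -q "getprinc nfs/server.example.com"` (relevant lines).
SAMPLE_GETPRINC_SERVER = """\
Principal: nfs/server.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
"""

# Constructed sample: the client principal was re-keyed (ktadd run again) after
# the keytab above was written, so the KDC is at vno 4.
SAMPLE_GETPRINC_CLIENT = """\
Principal: nfs/client.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 4, aes256-cts-hmac-sha1-96
"""

# klist -kte line: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")
# getprinc key line: "Key: vno <n>, <enctype>[, <salt>]"
GETPRINC_KEY_RE = re.compile(r"^Key: vno (\d+), ([^\s,]+)")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def kdc_key_versions(getprinc_output):
    """Return {enctype: vno} that the KDC currently holds for the principal."""
    versions = {}
    for line in getprinc_output.splitlines():
        m = GETPRINC_KEY_RE.match(line.strip())
        if m:
            versions[m.group(2)] = int(m.group(1))
    return versions


def check_service_principal(entries, principal, kdc_versions):
    """Compare keytab entries for one principal with the KDC's key versions."""
    keys = [(kvno, et) for kvno, p, et in entries if p == principal]
    if not keys:
        return ["missing principal %s" % principal]
    findings = []
    # The keytab must contain the KDC's current version of every key type;
    # older versions may stay in the keytab, but the current one must be there.
    for enctype, vno in kdc_versions.items():
        if (vno, enctype) not in keys:
            findings.append("%s: keytab lacks current key vno %d %s "
                            "(re-run ktadd or copy a fresh keytab)" % (principal, vno, enctype))
    for kvno, enctype in keys:
        if not enctype.startswith("aes"):
            findings.append("%s: non-AES key %s (vno %d)" % (principal, enctype, kvno))
    return findings


if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    for princ, getprinc in (("nfs/server.example.com@EXAMPLE.COM", SAMPLE_GETPRINC_SERVER),
                            ("nfs/client.example.com@EXAMPLE.COM", SAMPLE_GETPRINC_CLIENT)):
        for finding in check_service_principal(entries, princ, kdc_key_versions(getprinc)):
            print("FINDING:", finding)
```

On a real host, feed the functions the captured output of `klist -kte` for the keytab in question and of `kadmin -q "getprinc nfs/<fqdn>"` run on the KDC. A principal whose keytab is behind the KDC's vno is the usual cause of "permission denied" on a sec=krb5 mount after someone has re-run ktadd.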
