10. Configure the NFS service
On server0 configure an NFS service that meets the following requirements:
Share the directory /public read-only, accessible only from systems in the example.com domain.
Share the directory /protected read-write, accessible only from systems in the example.com domain.
Access to /protected must be secured with Kerberos; use the key provided at:
http://classroom.example.com/pub/keytabs/server0.keytab
The directory /protected must contain a subdirectory named project owned by ldapuser0.
The user ldapuser0 must have read-write access to /protected/project.
server0:
[root@server0 ~]# systemctl restart nfs-server.service
[root@server0 ~]# systemctl enable nfs-server.service
[root@server0 ~]# systemctl enable nfs-secure   # nfs-secure runs rpc.gssd (client side), nfs-secure-server runs rpc.svcgssd (server side); only the latter is needed to serve a Kerberos export, enabling both is harmless
[root@server0 ~]# systemctl restart nfs-secure
[root@server0 ~]# systemctl restart nfs-secure-server.service   # could not be restarted at this point (the unit name did not even tab-complete): this is the service that does the Kerberos verification for NFS, and on RHEL 7 its unit file carries ConditionPathExists=/etc/krb5.keytab, so it does nothing until the keytab is fetched below
[root@server0 ~]# systemctl enable nfs-secure-server.service
[root@server0 ~]# firewall-cmd --permanent --add-service=nfs
[root@server0 ~]# firewall-cmd --permanent --add-service=rpc-bind   # opens the rpcbind port (111) in the firewall; it does not restart or enable rpcbind itself
[root@server0 ~]# firewall-cmd --permanent --add-service=mountd   # rpc-bind and mountd are what showmount -e needs; NFSv4 mounts alone only need 2049
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# vim /etc/sysconfig/nfs   # auxiliary configuration file
line 13: RPCNFSDARGS="-V 4.2"   # enable protocol version 4.2 in nfsd
[root@server0 ~]# mkdir /public
[root@server0 ~]# mkdir /protected
[root@server0 ~]# chmod 777 /protected/   # read-write for everyone, see the note below
[root@server0 ~]# vim /etc/exports   # main NFS configuration file
/public *.example.com(ro)
/protected *.example.com(rw,sec=krb5p)   # security flavor sec=krb5p: Kerberos authentication plus encryption of the data
[root@server0 ~]# exportfs -r   # re-export every entry in /etc/exports (it does not remount anything)
[root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab   # krb5.keytab lives in /etc, the same directory as /etc/exports
[root@server0 ~]# id ldapuser0   # confirm the LDAP user resolves before the chown
[root@server0 ~]# mkdir -pv /protected/project
[root@server0 ~]# ll /protected/project/ -d
[root@server0 ~]# chown ldapuser0:ldapuser0 /protected/project/   # user and group ldapuser0
[root@server0 ~]# systemctl restart nfs-server.service
[root@server0 ~]# systemctl restart nfs-secure
[root@server0 ~]# systemctl restart nfs-secure-server.service   # restart succeeds now that /etc/krb5.keytab is in place
Note on chmod 777: it makes the whole of /protected writable by any user of any allowed client (writes from a squashed root land as nfsnobody, as the practice run further down shows). The requirement only needs ldapuser0 to write inside /protected/project, which the chown already provides, so 755 on /protected is the tighter choice.
[root@server0 ~]# showmount -e 172.25.0.11
NFS offers three Kerberos security flavors for an export, krb5, krb5i and krb5p: krb5 authenticates each user with a Kerberos ticket, so the server no longer trusts the UID the client asserts, but data travels in the clear; krb5i adds integrity protection, a Kerberos checksum on every request and reply (not only at mount time); krb5p adds privacy, encrypting the RPC payload as well. When no sec= option is given the export uses sec=sys (AUTH_SYS), which is what the practice run further down relied on before Kerberos was added.
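Added example, not part of the original notes: a small audit of an exports file that flags the settings the task is about. It checks that each export is restricted to specific clients rather than `*`, that a writable export carries a Kerberos flavor, and that no_root_squash is absent, and it reports the sec= flavor of a given export. The function names and the two sample files are assumptions made for this example; the sample files reproduce the world-open exports of the first practice run and the corrected ones of the final answer.

```bash
#!/bin/bash
# Added example (not from the original notes): audit an exports file for the
# client restriction and the security flavor the task requires, plus the
# classic no_root_squash mistake. Function names and sample files are
# assumptions for this example; the exports syntax is the real one:
#   /path client1(opt,opt) client2(opt,opt)

# export_sec FILE PATH
# Print the sec= flavor of PATH's first client entry. "sys" is printed when
# sec= is absent (AUTH_SYS is the NFS default). Returns 1 if PATH is not exported.
export_sec() {
    local file=$1 want=$2 path spec rest opts
    while read -r path spec rest; do
        [ "$path" = "$want" ] || continue
        opts=""
        if [ "$spec" != "${spec%%(*}" ]; then
            opts=${spec#*(}; opts=${opts%)}
        fi
        case ",$opts," in
            *,sec=*) opts=${opts#*sec=}; echo "${opts%%,*}" ;;
            *)       echo sys ;;
        esac
        return 0
    done < "$file"
    return 1
}

# audit_exports FILE
# Print one finding per line; return 1 if anything weak was found, else 0.
audit_exports() {
    local file=$1 findings=0 path first rest spec client opts
    set -f   # keep specs such as "*(ro)" literal: no pathname expansion while splitting
    while read -r path first rest; do
        case $path in ''|\#*) continue ;; esac
        for spec in $first $rest; do
            client=${spec%%(*}
            opts=""
            if [ "$client" != "$spec" ]; then
                opts=${spec#*(}; opts=${opts%)}
            fi
            # A bare "*" or a missing client spec exports to every host that reaches port 2049.
            case $client in
                ''|'*') echo "$path: exported to every host (client spec '$client')"; findings=1 ;;
            esac
            # no_root_squash lets root on any allowed client act as root on this filesystem.
            case ",$opts," in
                *,no_root_squash,*) echo "$path: no_root_squash"; findings=1 ;;
            esac
            # A writable export without a Kerberos flavor accepts whatever UID the client claims.
            case ",$opts," in
                *,rw,*)
                    case ",$opts," in
                        *,sec=krb5*) ;;
                        *) echo "$path: rw without sec=krb5/krb5i/krb5p (AUTH_SYS)"; findings=1 ;;
                    esac
                    ;;
            esac
        done
    done < "$file"
    set +f
    return $findings
}

# Constructed sample files: the world-open exports from the first practice run
# and the corrected ones from the final answer.
WEAK_EXPORTS=$(mktemp); FIXED_EXPORTS=$(mktemp)
cat > "$WEAK_EXPORTS" <<'EOF'
/public *(ro)
/protected *(rw)
EOF
cat > "$FIXED_EXPORTS" <<'EOF'
/public *.example.com(ro)
/protected *.example.com(rw,sec=krb5p)
EOF

echo "weak exports:";  audit_exports "$WEAK_EXPORTS"  || echo "-> findings, fix before exportfs -r"
echo "fixed exports:"; audit_exports "$FIXED_EXPORTS" && echo "-> clean; /protected uses sec=$(export_sec "$FIXED_EXPORTS" /protected)"
```

Run it against the real file with `audit_exports /etc/exports` before `exportfs -r`; a non-zero exit means at least one export is open to every host, is writable under AUTH_SYS, or has no_root_squash.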
11. Mount an NFS share
On desktop0 mount an NFS share from server0 that meets the following requirements:
Mount the /public share at /mnt/nfsmount.
Mount /protected at /mnt/nfssecure using a secure method; the key is available at:
http://classroom.example.com/pub/keytabs/desktop0.keytab
The user ldapuser0 must be able to create files in /mnt/nfssecure/project.
These file systems must be mounted automatically at boot.
[root@server0 ~]# showmount -e 172.25.0.11   # confirm the exports are visible before mounting
[root@desktop0 ~]# mkdir /mnt/nfsmount
[root@desktop0 ~]# mkdir /mnt/nfssecure
[root@desktop0 ~]# mount server0.example.com:/public /mnt/nfsmount/
[root@desktop0 ~]# mount server0.example.com:/protected /mnt/nfssecure/
[root@desktop0 ~]# vim /etc/fstab
server0.example.com:/public /mnt/nfsmount nfs defaults 0 0
server0.example.com:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0   # sec=krb5p must match the export; v4.2 pins the protocol version
[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab   # desktop0's own keytab, in place before the Kerberos service is started
[root@server0 ~]# systemctl restart nfs   # on RHEL 7 nfs is an alias of nfs-server, so these four lines restart and enable a single unit
[root@server0 ~]# systemctl enable nfs
[root@server0 ~]# systemctl enable nfs-server
[root@server0 ~]# systemctl restart nfs-server
[root@desktop0 ~]# systemctl enable nfs-secure   # the two NFS Kerberos services; nfs-secure (rpc.gssd) is the one a client needs
[root@desktop0 ~]# systemctl restart nfs-secure   # (the unit name did not tab-complete)
[root@desktop0 ~]# systemctl enable nfs-secure-server.service   # the server-side daemon, not required on desktop0 but harmless
[root@desktop0 ~]# systemctl restart nfs-secure-server.service
[root@desktop0 ~]# mount -a   # mounts every fstab entry that is not mounted yet; the manual mount of /protected above is still in place, so /mnt/nfssecure is skipped here, unmount it first (or reboot) to be sure the sec=krb5p,v4.2 options take effect
[root@desktop0 ~]# df -h
Test:
[root@desktop0 ~]# su - ldapuser0
[ldapuser0@desktop0 nfsmount]$ ll /mnt
[ldapuser0@desktop0 nfsmount]$ cd /mnt/nfssecure
-bash: cd: /mnt/nfssecure: Permission denied   ## denied: su - changes the UID but obtains no Kerberos ticket, and a krb5p export refuses every request that has none
[ldapuser0@desktop0 nfsmount]$ exit
Kerberos login:
[root@desktop0 ~]# ssh ldapuser0@localhost
Are you sure you want to continue connecting (yes/no)? yes
ldapuser0@localhost's password:   ## the password is kerberos; a password login through PAM obtains a ticket-granting ticket for ldapuser0, which rpc.gssd then uses for the mount
[ldapuser0@desktop0 nfssecure]$ cd /mnt/nfssecure/project/
[ldapuser0@desktop0 project]$ ll /mnt/nfssecure/project/ -d
[ldapuser0@desktop0 project]$ touch 3333
[ldapuser0@desktop0 project]$ exit
[ldapuser0@desktop0 project]$ exit
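Added example, not part of the original notes: a client-side preflight for the secure mount on desktop0. It reads the fstab entry for a mount point and refuses anything that is not sec=krb5p with a pinned NFSv4 version, and it checks the keytab's owner and mode, because `wget -O /etc/krb5.keytab` leaves the file with the shell's umask (0644 under the default 022), readable by every local user. Function names, the sample fstab text and the temp file standing in for the keytab are assumptions made for this example; the owner uid is a parameter only so the demo can run unprivileged.

```bash
#!/bin/bash
# Added example (not from the original notes): a client-side preflight for the
# Kerberos-secured mount on desktop0. Function names, the sample fstab text and
# the keytab path are assumptions made for this example.

# fstab_opts FILE MOUNTPOINT: print the option field of MOUNTPOINT's fstab entry.
fstab_opts() {
    local file=$1 want=$2 dev mnt type opts rest
    while read -r dev mnt type opts rest; do
        case $dev in ''|\#*) continue ;; esac
        if [ "$mnt" = "$want" ]; then echo "$opts"; return 0; fi
    done < "$file"
    return 1
}

# check_secure_mount FILE MOUNTPOINT
# The share is protected only if the client asks for sec=krb5p (authentication,
# integrity and encryption) and pins an NFSv4 version, as the notes' fstab line
# does. Without sec= the mount uses sec=sys, where the client asserts its own UIDs.
check_secure_mount() {
    local opts
    opts=$(fstab_opts "$1" "$2") || { echo "$2: no fstab entry"; return 1; }
    case ",$opts," in
        *,sec=krb5p,*) ;;
        *,sec=krb5,*|*,sec=krb5i,*) echo "$2: Kerberos, but the data is not encrypted"; return 1 ;;
        *) echo "$2: no sec=krb5p, the mount would fall back to sec=sys"; return 1 ;;
    esac
    case ",$opts," in
        *,v4.*|*,vers=4*|*,nfsvers=4*) return 0 ;;
        *) echo "$2: pin the NFS version (v4.2) instead of relying on negotiation"; return 1 ;;
    esac
}

# check_keytab PATH [OWNER_UID]
# /etc/krb5.keytab holds the host's long-term Kerberos key. wget -O creates it
# with the umask (0644 under 022), so every local user can read it; require
# 0600 and the expected owner (uid 0 by default, a parameter so the demo can
# run unprivileged against a temp file).
check_keytab() {
    local kt=$1 owner=${2:-0} mode
    [ -f "$kt" ] || { echo "$kt: missing"; return 1; }
    [ "$(stat -c %u "$kt")" = "$owner" ] || { echo "$kt: not owned by uid $owner"; return 1; }
    mode=$(stat -c %a "$kt")
    case $mode in
        600|400) return 0 ;;
        *) echo "$kt: mode $mode, should be 0600"; return 1 ;;
    esac
}

# Constructed sample input: the notes' two fstab lines, a weakened copy of the
# secure line, and a temp file standing in for /etc/krb5.keytab.
FSTAB_OK=$(mktemp); FSTAB_WEAK=$(mktemp); KEYTAB=$(mktemp)
cat > "$FSTAB_OK" <<'EOF'
server0.example.com:/public    /mnt/nfsmount  nfs defaults                0 0
server0.example.com:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0
EOF
cat > "$FSTAB_WEAK" <<'EOF'
server0.example.com:/protected /mnt/nfssecure nfs defaults 0 0
EOF
chmod 644 "$KEYTAB"   # what wget -O leaves behind under the default umask

check_secure_mount "$FSTAB_OK"   /mnt/nfssecure && echo "fstab: ok"
check_secure_mount "$FSTAB_WEAK" /mnt/nfssecure || echo "fstab: rejected"
check_keytab "$KEYTAB" "$(id -u)" || echo "keytab: rejected"
chmod 600 "$KEYTAB"
check_keytab "$KEYTAB" "$(id -u)" && echo "keytab: ok"
```

On the real client run `check_secure_mount /etc/fstab /mnt/nfssecure` and `check_keytab /etc/krb5.keytab` as root before `mount -a`; the fstab check also rejects the /mnt/nfsmount entry on purpose, since that share is meant to stay sec=sys and must not be mistaken for the secure one.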
Practice run (an earlier attempt, recorded with its outputs; the answer above is the cleaned-up version):
[root@server0 ~]# systemctl restart nfs   # on RHEL 7 nfs is an alias of nfs-server
[root@server0 ~]# systemctl enable nfs
[root@server0 ~]# systemctl restart nfs-server.service
[root@server0 ~]# systemctl enable nfs-server.service
[root@server0 ~]# firewall-cmd --permanent --add-service=nfs
[root@server0 ~]# firewall-cmd --permanent --add-service=rpc-bind
[root@server0 ~]# firewall-cmd --permanent --add-service=mountd
[root@server0 ~]# firewall-cmd --reload
[root@server0 ~]# vim /etc/sysconfig/nfs
RPCNFSDARGS="-V 4.2"
[root@server0 ~]# mkdir /public
[root@server0 ~]# mkdir /protected
[root@server0 ~]# chmod 777 /protected/
[root@server0 ~]# ll /protected/ -d
drwxrwxrwx. 2 root root 6 Oct 19 21:39 /protected/
[root@server0 ~]# vim /etc/exports
/public *(ro)   # first attempt: open to every host
/protected *(rw)
/public *.example.com(ro)   # corrected: restricted to the example.com domain
/protected *.example.com(rw)   # still sec=sys at this stage; Kerberos is added later
[root@server0 ~]# exportfs -r
[root@server0 ~]# systemctl restart nfs
[root@server0 ~]# systemctl restart nfs-server
[root@server0 ~]# showmount -e 172.25.0.11
[root@desktop0 ~]# showmount -e 172.25.0.11
[root@desktop0 ~]# systemctl restart nfs   # the client does not need the NFS server daemon; these four lines are harmless but unnecessary
[root@desktop0 ~]# systemctl restart nfs-server
[root@desktop0 ~]# systemctl enable nfs
[root@desktop0 ~]# systemctl enable nfs-server.service
[root@desktop0 ~]# mkdir -pv /mnt/nfsmount
[root@desktop0 ~]# mkdir -pv /mnt/nfssecure
[root@desktop0 ~]# mount 172.25.0.11:/public /mnt/nfsmount/
[root@desktop0 ~]# mount 172.25.0.11:/protected /mnt/nfssecure/
[root@desktop0 ~]# mount server0.example.com:/public /mnt/nfsmount/   # the same shares again by host name
[root@desktop0 ~]# mount server0.example.com:/protected /mnt/nfssecure/
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -h
172.25.0.11:/public 10G 3.1G 7.0G 31% /mnt/nfsmount
[root@desktop0 ~]# mount
172.25.0.11:/protected on /mnt/nfssecure
172.25.0.11:/public on /mnt/nfsmount
[root@desktop0 mnt]# cd nfsmount/
[root@desktop0 nfsmount]# touch 3
touch: cannot touch ‘3’: Read-only file system   # the ro export behaves as required
[root@desktop0 ~]# cd /mnt/nfssecure/
[root@desktop0 nfssecure]# touch 4
[root@desktop0 nfssecure]# ll
total 0
-rw-r--r--. 1 nfsnobody nfsnobody 0 Oct 19 21:46 4   # root_squash maps the client's root to nfsnobody; the write only succeeds because /protected is mode 777
[root@server0 ~]# cd /protected/
[root@server0 protected]# mkdir project
[root@server0 ~]# chown ldapuser0:ldapuser0 /protected/project/
[root@server0 ~]# ll /protected/project/ -d
drwxr-xr-x. 2 ldapuser0 root 6 Oct 19 21:50 /protected/project/
[root@desktop0 ~]# su - ldapuser0
[ldapuser0@desktop0 ~]$ cd /mnt/nfssecure/project
[ldapuser0@desktop0 project]$ touch 4
[ldapuser0@desktop0 project]$ ll
total 0
-rw-rw-r--. 1 ldapuser0 ldapuser0 0 Oct 19 21:52 4   # with sec=sys the server trusts the UID the client asserts, so su - alone is enough here; compare the krb5p result below
[root@server0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server0.keytab
[root@server0 ~]# vim /etc/exports
/public *.example.com(ro)
/protected *.example.com(rw,sec=krb5p)
[root@server0 ~]# exportfs -r
[root@server0 ~]# systemctl restart nfs-secure
[root@server0 ~]# systemctl enable nfs-secure
[root@server0 ~]# systemctl restart nfs-secure-server
[root@server0 ~]# systemctl enable nfs-secure-server
[root@desktop0 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop0.keytab
[root@desktop0 ~]# systemctl restart nfs-secure
[root@desktop0 ~]# systemctl restart nfs-secure-server
[root@desktop0 ~]# systemctl enable nfs-secure-server
[root@desktop0 ~]# systemctl enable nfs-secure
[root@desktop0 ~]# systemctl restart nfs-server
[root@desktop0 ~]# systemctl enable nfs-server
[ldapuser0@desktop0 ~]$ vim /etc/fstab   # prompt recorded as ldapuser0; editing /etc/fstab needs root
server0.example.com:/public /mnt/nfsmount nfs defaults 0 0
server0.example.com:/protected /mnt/nfssecure nfs defaults,sec=krb5p,v4.2 0 0
[root@desktop0 ~]# mount -a
[root@desktop0 ~]# df -h
[root@desktop0 ~]# su - ldapuser0
[ldapuser0@desktop0 ~]$ ll /mnt/
ls: cannot access /mnt/nfssecure: Operation not permitted
total 4
drwxr-xr-x. 3 root root 4096 Oct 19 21:20 data
drwxr-xr-x. 2 root root    6 Oct 19 21:39 nfsmount
??????????? ? ?    ?       ?            ? nfssecure   # ldapuser0 has no Kerberos ticket after su -, so the krb5p mount refuses every RPC and even stat() on the mount point fails
[root@desktop0 ~]# ssh ldapuser0@localhost   # Kerberos: the password login obtains a ticket, after which the listing works
[ldapuser0@desktop0 ~]$ ll /mnt