Task: share "/test" on the server stationX.example.com (set up below as testserver1.example.com, IP 192.168.30.119) over NFSv4 using Kerberos security (sec=krb5i) in the realm TESTSERVER1.EXAMPLE.COM, and mount it on the client stationY.example.com.
Integrating NIS + KERBEROS + NFS4
Configuring NIS (on the server)
vim /etc/sysconfig/network
NISDOMAIN=testserver1
YPSERV_ARGS='-p 808'
Save and exit. Pinning ypserv to port 808 lets the firewall allow it; otherwise portmap assigns it a random port.
nisdomainname testserver1
service network restart
chkconfig network on
yum -y install ypserv*
service ypserv restart
chkconfig ypserv on
service portmap restart
chkconfig portmap on
NOTE: keep both machines synchronized with NTP. Kerberos rejects tickets whose timestamps fall outside the allowed clock skew (5 minutes by default), so unsynchronized clocks cause authentication failures ("Clock skew too great").
useradd user1 (do not set a password: user1 authenticates through Kerberos, so no password hash should exist for NIS to serve)
/usr/lib/yp/ypinit -m (/usr/lib64/yp/ypinit on 64-bit) builds the NIS maps the first time; afterwards run make -C /var/yp whenever an account is added
On stationY.example.com (the client)
System -> Administration -> Authentication -> Enable NIS Support
NIS Domain -> testserver1
NIS Server -> stationx.example.com
ypcat passwd must now list user1. After adding each user on the server you must run make -C /var/yp; only then is the user pushed into the NIS database.
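The step above checks that user1 shows up in ypcat passwd; the map itself is readable by anything that can bind to the domain, so it is worth checking what else it carries. Here is an added example of such a check (it is not from the original post): a POSIX sh/awk audit of ypcat passwd output that flags published password hashes, empty password fields and system accounts below MINUID. The sample map embedded in it is constructed for the example, and the MINUID threshold of 500 is assumed to be the RHEL 5 /var/yp/Makefile default. On the client, run ypcat passwd | nis_passwd_audit.

```shell
#!/bin/sh
# Added example (not from the original post): audit the NIS passwd map that
# ypcat passwd returns. Every host that can bind to the NIS domain can read it,
# so it must not carry password hashes (authentication is Kerberos here) and
# should not leak system accounts. Assumption: MINUID=500, the RHEL 5
# /var/yp/Makefile default.

NIS_MINUID=${NIS_MINUID:-500}

# nis_passwd_audit < passwd-map
# Prints one finding per line; prints nothing when the map is clean.
nis_passwd_audit() {
    awk -F: -v minuid="$NIS_MINUID" '
    NF != 7 { print "malformed entry: " $0; next }
    # "x", "*" and anything starting with "!" are placeholders, not crypt(3) hashes
    $2 != "x" && $2 != "*" && $2 !~ /^!/ && $2 != "" {
        print "password hash published for " $1 " (" substr($2, 1, 3) "...), crackable offline by any NIS client"
    }
    $2 == "" { print "empty password field for " $1 ": logs in without a password" }
    $3 + 0 < minuid { print "system account below MINUID " minuid " served by NIS: " $1 " (uid " $3 ")" }
    $3 + 0 == 0 { print "uid 0 account served by NIS: " $1 }
    '
}

# Constructed sample map for the example (not real output from the post).
NIS_SAMPLE='user1:x:500:500::/home/user1:/bin/bash
nfsuser:x:501:501::/home/nfsuser:/bin/bash
legacy:$1$abcdefgh$abcdefghijklmnopqrstuv:502:502::/home/legacy:/bin/bash
svc:x:100:100::/var/lib/svc:/sbin/nologin'

# nis_audit_sample: run the audit over the constructed map
nis_audit_sample() {
    printf '%s\n' "$NIS_SAMPLE" | nis_passwd_audit
}

nis_audit_sample
```

The two findings on the sample are the legacy account, whose MD5-crypt hash is handed to every NIS client, and svc, a system account that MINUID should have kept out of the map.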
Configuring Kerberos (on the server, which becomes the KDC)
yum -y install krb5*
chkconfig kadmin on
chkconfig krb5kdc on
Note: back up the original configuration files before editing them.
Help: type ? at the kadmin.local prompt to list the available requests:
kadmin.local: ?
Available kadmin.local requests:
add_principal, addprinc, ank                              Add principal
delete_principal, delprinc                                Delete principal
modify_principal, modprinc                                Modify principal
change_password, cpw                                      Change password
get_principal, getprinc                                   Get principal
list_principals, listprincs, get_principals, getprincs    List principals
add_policy, addpol                                        Add policy
modify_policy, modpol                                     Modify policy
delete_policy, delpol                                     Delete policy
get_policy, getpol                                        Get policy
list_policies, listpols, get_policies, getpols            List policies
get_privs, getprivs                                       Get privileges
ktadd, xst                                                Add entry(s) to a keytab
ktremove, ktrem                                           Remove entry(s) from a keytab
lock                                                      Lock database exclusively (use with extreme caution!)
unlock                                                    Release exclusive database lock
list_requests, lr, ?                                      List available requests.
quit, exit, q                                             Exit program.
vi /etc/krb5.conf
[libdefaults]
 default_realm = TESTSERVER1.EXAMPLE.COM
[realms]
 TESTSERVER1.EXAMPLE.COM = {
  kdc = 192.168.30.119:88
  admin_server = 192.168.30.119:749
 }
(remove the default_domain line from the stock realm block)
[domain_realm]  CAREFUL, DO NOT BE IN A HURRY HERE: the host names are lower-case, the realm they map to must be written exactly as above
 testserver1.example.com = TESTSERVER1.EXAMPLE.COM
 stationy.example.com = TESTSERVER1.EXAMPLE.COM
[appdefaults]
 pam = {
  validate = true
 }
Save and exit. The section names are [realms] and [appdefaults] (plural); a misspelt section name is simply not read. Realm names are case-sensitive and upper-case. validate = true makes pam_krb5 verify the TGT it obtains at login against the host's own key in /etc/krb5.keytab, so a spoofed KDC cannot log a user in; this is why every host gets a host/ principal below.
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@TESTSERVER1.EXAMPLE.COM *
(any principal with the instance "admin" in this realm gets full administrative rights; root/admin, created below, matches this rule)
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88
[realms]
 TESTSERVER1.EXAMPLE.COM = {
  master_key_type = des3-hmac-sha1 (uncomment)
  default_principal_flags = +preauth (needs to be added)
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
Save and exit. +preauth makes every new principal require pre-authentication, so an attacker cannot ask the KDC for an AS-REP of an arbitrary user and crack its password offline. The single-DES enctypes stay in the list only because the RHEL 5 kernel's NFS GSS code handles nothing stronger (see the ktadd -e step under NFS); DES is broken, so drop them once the kernel on both ends supports AES for NFS.
kdb5_util create -r TESTSERVER1.EXAMPLE.COM -s
(the command is kdb5_util, and the realm must be the one configured in krb5.conf and kdc.conf: a database created for another realm leaves the KDC with nothing to serve. Enter any master password; -s stashes it in /var/kerberos/krb5kdc/.k5.TESTSERVER1.EXAMPLE.COM so krb5kdc can start unattended. This password protects the entire principal database: remember it and keep it secret.)
kadmin.local
addprinc user1 (password, say abc123)
addprinc root/admin
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin (kadmind's own service keys; whose requests it honours is decided by kadm5.acl)
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
addprinc -randkey host/testserver1.example.com
ktadd -k /etc/krb5.keytab host/testserver1.example.com
quit
restorecon -R -v /var/kerberos/krb5kdc
restorecon -R -v /var/log
service kadmin restart
service krb5kdc restart
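Before restarting kadmin and krb5kdc it pays to lint the two files, since the slips that are easy to make here (a [realm] or [adddefaults] section, a realm block without its closing brace, a realm in the wrong case, a missing kdc or admin_server) only show up later as confusing failures. The following is an added example, not code from the original post: a POSIX sh/awk checker for krb5.conf plus a helper that lists the single-DES enctypes still enabled in kdc.conf. The two krb5.conf samples and the supported_enctypes line are constructed for the example, one with the corrected layout and one with the slips as first written; the list of section names is the set of MIT krb5 sections assumed to appear in a stock file.

```shell
#!/bin/sh
# Added example (not from the original post): lint a krb5.conf and the
# supported_enctypes line of kdc.conf before restarting the KDC.
# Assumptions: POSIX sh with awk; stock MIT krb5 file layout; the section
# names below are the ones a stock krb5.conf is assumed to use.

# check_krb5_conf FILE REALM
# Prints one finding per line; prints nothing when the file is consistent.
check_krb5_conf() {
    awk -v realm="$2" '
    function val(s) { sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]+$/, "", s); return s }
    /^[[:space:]]*(#|;)/ { next }                               # comment line
    /^[[:space:]]*[[][^]]+[]][[:space:]]*$/ {                    # [section]
        sect = $0; sub(/^[[:space:]]*[[]/, "", sect); sub(/[]][[:space:]]*$/, "", sect)
        if (sect !~ /^(libdefaults|realms|domain_realm|appdefaults|logging|login|capaths|kdc|plugins|dbmodules)$/)
            print "unknown section [" sect "] (not a section libkrb5 reads)"
        cur = sect; inrealm = 0; next
    }
    { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }           # brace balance
    cur == "libdefaults" && /^[[:space:]]*default_realm[[:space:]]*=/ {
        dr = val($0); seen_dr = 1
        if (dr != realm) print "default_realm is " dr ", expected " realm
        if (dr != toupper(dr)) print "realm names are case-sensitive and upper-case: " dr
    }
    cur == "realms" && $1 == realm && /[{]/ { inrealm = 1; next }
    inrealm && /[}]/ { inrealm = 0 }
    inrealm && /^[[:space:]]*kdc[[:space:]]*=/ { kdc = 1 }
    inrealm && /^[[:space:]]*admin_server[[:space:]]*=/ { adm = 1 }
    cur == "domain_realm" && /=/ {
        maps++; r = val($0)
        if (r != toupper(r)) print "domain_realm maps to a non-upper-case realm: " r
    }
    END {
        if (!seen_dr) print "no default_realm in [libdefaults]"
        if (!kdc)     print "no kdc= for " realm " under [realms]"
        if (!adm)     print "no admin_server= for " realm " under [realms]"
        if (!maps)    print "no host-to-realm mappings in [domain_realm]"
        if (depth)    print "unbalanced braces (" depth " unclosed)"
    }' "$1"
}

# kdc_weak_enctypes KDC_CONF: every single-DES enctype in supported_enctypes
kdc_weak_enctypes() {
    awk '/^[[:space:]]*supported_enctypes[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, "")
        for (i = 1; i <= NF; i++) if ($i ~ /^des-/) print $i
    }' "$1"
}

# Constructed samples for the example: the corrected krb5.conf, one with the
# original slips ([realm], [adddefaults], unclosed realm block), and the
# supported_enctypes line from kdc.conf.
KRB5_GOOD=$(mktemp); KRB5_BAD=$(mktemp); KDC_SAMPLE=$(mktemp)
trap 'rm -f "$KRB5_GOOD" "$KRB5_BAD" "$KDC_SAMPLE"' EXIT
cat > "$KRB5_GOOD" <<'EOF'
[libdefaults]
 default_realm = TESTSERVER1.EXAMPLE.COM
[realms]
 TESTSERVER1.EXAMPLE.COM = {
  kdc = 192.168.30.119:88
  admin_server = 192.168.30.119:749
 }
[domain_realm]
 testserver1.example.com = TESTSERVER1.EXAMPLE.COM
 stationy.example.com = TESTSERVER1.EXAMPLE.COM
[appdefaults]
 pam = {
  validate = true
 }
EOF
cat > "$KRB5_BAD" <<'EOF'
[libdefaults]
 default_realm = TESTSERVER1.EXAMPLE.COM
[realm]
 TESTSERVER1.EXAMPLE.COM = {
  kdc = 192.168.30.119:88
  admin_server = 192.168.30.119:749
[domain_realm]
 testserver1.example.com = TESTSERVER1.EXAMPLE.COM
[adddefaults]
 validate = true
EOF
printf ' supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3\n' > "$KDC_SAMPLE"

echo "== corrected krb5.conf (no output expected) =="
check_krb5_conf "$KRB5_GOOD" TESTSERVER1.EXAMPLE.COM
echo "== krb5.conf with the original slips =="
check_krb5_conf "$KRB5_BAD" TESTSERVER1.EXAMPLE.COM
echo "== single-DES enctypes still enabled in kdc.conf =="
kdc_weak_enctypes "$KDC_SAMPLE"
```

On a real host, run check_krb5_conf /etc/krb5.conf TESTSERVER1.EXAMPLE.COM and kdc_weak_enctypes /var/kerberos/krb5kdc/kdc.conf; the second list is what you are trading away for the kernel's NFS DES requirement.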
scp /etc/krb5.conf stationY.example.com:/etc (repeat this for every host you add to the realm)
On stationY.example.com
System -> Administration -> Authentication -> Enable Kerberos Support
chcon -t krb5_conf_t /etc/krb5.conf (scp does not set the SELinux context; restorecon -v /etc/krb5.conf has the same effect)
kadmin -p root/admin
addprinc -randkey host/stationY.example.com
ktadd -k /etc/krb5.keytab host/stationY.example.com
quit
restorecon /etc/krb5.keytab
Note: log in on tty1 as user1 with password abc123.
Type klist; you must see the ticket krbtgt/TESTSERVER1.EXAMPLE.COM@TESTSERVER1.EXAMPLE.COM that pam_krb5 obtained from the KDC at login. With validate = true that ticket was also checked against the host key in /etc/krb5.keytab.
Configuring NFS on testserver1.example.com
useradd nfsuser
vim /etc/sysconfig/nfs
LOCKD_TCPPORT=1200
LOCKD_UDPPORT=1200
MOUNTD_PORT=1201
STATD_PORT=1202
SECURE_NFS="yes"
Save and exit. The fixed ports let the firewall allow lockd, mountd and statd (by default portmap hands them random ports); SECURE_NFS="yes" makes the init scripts start rpc.svcgssd and rpc.gssd, without which sec=krb5* cannot work.
mkdir /test
chmod 775 /test
chown nfsuser:nfsuser /test
vim /etc/exports (man exports)
The client field selects the security flavour:
  gss/krb5   Kerberos authentication only; the data travels in the clear and can be altered in transit
  gss/krb5i  authentication plus integrity (every RPC is checksummed with the session key)
  gss/krb5p  authentication, integrity and privacy (RPC payloads encrypted)
Examples of the syntax, including an NFSv4 pseudo-root with sub-exports:
/nfsv4share gss/krb5i(rw,sync,fsid=0,no_subtree_check)
/exports gss/krb5i(rw,sync,fsid=0,crossmnt)
/exports/home/nfs gss/krb5i(rw,sync)
For this exercise the exported directory is /test, so the line is:
/test gss/krb5i(rw,sync,fsid=0,no_subtree_check)
Save and exit. fsid=0 marks the NFSv4 pseudo-root, which the client mounts as ":/".
exportfs -r
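To see at a glance which exports actually require Kerberos and which one is the NFSv4 root, here is an added example (not from the original post) in POSIX sh/awk that checks an exports file before exportfs -r. It understands the gss/krb5* client form used above and the newer sec= option; the sample exports file is constructed for the example and mixes the /test line from this page with three deliberately weaker entries.

```shell
#!/bin/sh
# Added example (not from the original post): check /etc/exports before running
# exportfs -r. It flags exports that do not require Kerberos (AUTH_SYS trusts
# whatever UID the client sends), that use plain krb5 without integrity or
# privacy, that grant remote root, and an NFSv4 tree with no fsid=0 root.
# Assumption: POSIX sh with awk; both the gss/krb5* client syntax and the
# newer sec= option are understood.

# check_exports FILE
# Prints "<line>: <finding>"; prints nothing when every export is kerberized.
check_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                      # comment or blank line
    {
        path = $1
        for (i = 2; i <= NF; i++) {                    # one client spec per field
            spec = $i; host = spec; opts = ""
            if (match(spec, /[(].*[)]$/)) {            # split host(options)
                host = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            shown = (host == "" ? "*" : host)
            mech = ""                                  # security flavour in use
            if (host ~ /^gss\//) mech = substr(host, 5)
            else if (match(opts, /(^|,)sec=[^,]*/)) { mech = substr(opts, RSTART, RLENGTH); sub(/^,?sec=/, "", mech) }
            if (host == "" || host == "*")
                print NR ": " path " is exported to every host"
            if (mech == "" || mech ~ /(^|:)sys(:|$)/)
                print NR ": " path " to " shown " does not require Kerberos (AUTH_SYS trusts the client UID)"
            else if (mech !~ /krb5[ip]/)
                print NR ": " path " to " shown " uses " mech " (authentication only); krb5i or krb5p also protects the data"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print NR ": " path " to " shown " lets a remote root act as root (no_root_squash)"
            if (opts ~ /(^|,)fsid=0(,|$)/) roots++
        }
    }
    END {
        if (!roots)     print "no export carries fsid=0, so NFSv4 clients have no pseudo-root \"/\" to mount"
        if (roots > 1)  print roots " exports carry fsid=0; only one may be the NFSv4 root"
    }' "$1"
}

# Constructed sample (not the exports file from the post): the /test export
# from this page plus three deliberately weaker lines.
EXPORTS_SAMPLE=$(mktemp); trap 'rm -f "$EXPORTS_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
# constructed sample
/test        gss/krb5i(rw,sync,fsid=0,no_subtree_check)
/exports     gss/krb5(rw,sync,crossmnt)
/srv/data    *(rw,sync,no_root_squash)
/srv/backup  192.168.30.0/24(ro,sync,sec=krb5p)
EOF

check_exports "$EXPORTS_SAMPLE"
```

On the sample only /exports (authentication-only krb5) and /srv/data (world-exported, AUTH_SYS, no_root_squash) are reported; /test and the sec=krb5p line pass. Run check_exports /etc/exports on the server before exportfs -r.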
kadmin.local
addprinc -randkey nfs/testserver1.example.com
ktadd -e des-cbc-md5:normal -k /etc/krb5.keytab nfs/testserver1.example.com
quit
Note: a single ktadd is enough; every ktadd re-randomizes the key and bumps the kvno, so running it twice only leaves a stale entry in the keytab. des-cbc-md5:normal must be one of the supported_enctypes in /var/kerberos/krb5kdc/kdc.conf (cat the file to check). The RHEL 5 kernel's NFS GSS code handles only single-DES keys, so the nfs/ principal must have a DES key even though DES is weak.
(rpc.idmapd maps NFSv4 user@domain names to UIDs on both sides; rpc.svcgssd accepts the Kerberos contexts on the server; rpc.gssd establishes them on the client)
/etc/init.d/rpcidmapd restart
chkconfig rpcidmapd on
/etc/init.d/rpcsvcgssd restart
chkconfig rpcsvcgssd on
/etc/init.d/rpcgssd restart
chkconfig rpcgssd on
/etc/init.d/kadmin restart
chkconfig kadmin on
/etc/init.d/krb5kdc restart
chkconfig krb5kdc on
/etc/init.d/nfs restart
chkconfig nfs on
/etc/init.d/portmap restart
chkconfig portmap on
/etc/init.d/ypserv restart
chkconfig ypserv on
make -C /var/yp (run this every time a new user is added on the NIS server, to push the username into the NIS database)
On the client (stationY.example.com)
kadmin -p root/admin
addprinc -randkey nfs/stationY.example.com
ktadd -e des-cbc-md5:normal -k /etc/krb5.keytab nfs/stationY.example.com (as on the server, one ktadd with -e is enough)
quit
vim /etc/sysconfig/nfs
SECURE_NFS="yes"
Save and exit
(rpc.gssd is what the client needs for a sec=krb5i mount; rpc.svcgssd and the nfs service are only required on an NFS server)
/etc/init.d/rpcidmapd restart
chkconfig rpcidmapd on
/etc/init.d/rpcsvcgssd restart
chkconfig rpcsvcgssd on
/etc/init.d/rpcgssd restart
chkconfig rpcgssd on
/etc/init.d/nfs restart
chkconfig nfs on
mkdir -p /mnt/test
vim /etc/fstab
testserver1.example.com:/  /mnt/test  nfs4  defaults,sec=krb5i  0 0
(the ":/" is the fsid=0 pseudo-root exported above; sec= must match the flavour in /etc/exports)
mount -a
If mount -a gives an error:
1) check iptables (the pinned ports, 2049, 111 and the KDC ports 88/749 must be reachable)
2) check SELinux (look in /var/log/audit/audit.log; restorecon /etc/krb5.conf and /etc/krb5.keytab)
3) check the configuration (realm names, the [domain_realm] mapping, and the nfs/ entries in the keytabs on both hosts: klist -ke /etc/krb5.keytab)
4) restart all the services
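The first troubleshooting step, iptables, is where the pinned ports from /etc/sysconfig/nfs and YPSERV_ARGS pay off. As an added example (not from the original post), the POSIX sh script below derives the server's iptables rules from those two files and refuses to print anything if a side-port is still unpinned. The sysconfig samples are constructed for the example; it assumes the KDC runs on the NFS server, as in these notes, and that the client network is 192.168.30.0/24.

```shell
#!/bin/sh
# Added example (not from the original post): derive the iptables rules the
# "check for iptables" step needs on the server from the pinned ports in
# /etc/sysconfig/nfs and /etc/sysconfig/network instead of guessing them.
# An unpinned lockd, mountd or statd takes a random port from portmap and
# cannot be filtered, so the function fails rather than emit a partial set.
# Assumptions: POSIX sh; RHEL 5-style sysconfig files; the KDC (88/749) runs
# on the same host, as it does in these notes.

# sysconfig_value FILE NAME: value of the last NAME=... line, quotes stripped
sysconfig_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# fw_rule SOURCE PROTO PORT COMMENT: one ACCEPT rule for new connections
fw_rule() {
    printf 'iptables -A INPUT -s %s -p %s --dport %s -m state --state NEW -j ACCEPT  # %s\n' "$1" "$2" "$3" "$4"
}

# nfs_firewall_rules SYSCONFIG_NFS SYSCONFIG_NETWORK CLIENT_NET
# Prints the rules; returns 1 without printing any when a port is unpinned.
nfs_firewall_rules() {
    nfs=$1; net=$2; src=$3
    lockd_tcp=$(sysconfig_value "$nfs" LOCKD_TCPPORT)
    lockd_udp=$(sysconfig_value "$nfs" LOCKD_UDPPORT)
    mountd=$(sysconfig_value "$nfs" MOUNTD_PORT)
    statd=$(sysconfig_value "$nfs" STATD_PORT)
    ypserv=$(sysconfig_value "$net" YPSERV_ARGS | sed -n 's/.*-p[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    for p in "$lockd_tcp" "$lockd_udp" "$mountd" "$statd" "$ypserv"; do
        case $p in
            ''|*[!0-9]*)
                echo "error: LOCKD_TCPPORT, LOCKD_UDPPORT, MOUNTD_PORT, STATD_PORT and YPSERV_ARGS='-p N' must all be set" >&2
                return 1 ;;
        esac
    done
    fw_rule "$src" tcp 111  portmap;  fw_rule "$src" udp 111  portmap
    fw_rule "$src" tcp 2049 "nfsd: the only NFS port an NFSv4 client needs"
    fw_rule "$src" tcp "$lockd_tcp" lockd;  fw_rule "$src" udp "$lockd_udp" lockd
    fw_rule "$src" tcp "$mountd" "mountd (NFSv2/v3 clients)";  fw_rule "$src" udp "$mountd" "mountd (NFSv2/v3 clients)"
    fw_rule "$src" tcp "$statd" statd;  fw_rule "$src" udp "$statd" statd
    fw_rule "$src" tcp "$ypserv" ypserv;  fw_rule "$src" udp "$ypserv" ypserv
    fw_rule "$src" tcp 88  krb5kdc;  fw_rule "$src" udp 88  krb5kdc
    fw_rule "$src" tcp 749 "kadmind (admin traffic; restrict to admin hosts if you can)"
}

# Constructed samples for the example (not the files from the post)
FW_NFS=$(mktemp); FW_NET=$(mktemp); FW_NFS_BAD=$(mktemp)
trap 'rm -f "$FW_NFS" "$FW_NET" "$FW_NFS_BAD"' EXIT
cat > "$FW_NFS" <<'EOF'
LOCKD_TCPPORT=1200
LOCKD_UDPPORT=1200
MOUNTD_PORT=1201
STATD_PORT=1202
SECURE_NFS="yes"
EOF
cat > "$FW_NET" <<'EOF'
NISDOMAIN=testserver1
YPSERV_ARGS='-p 808'
EOF
printf 'SECURE_NFS="yes"\n' > "$FW_NFS_BAD"    # nothing pinned: must be rejected

nfs_firewall_rules "$FW_NFS" "$FW_NET" 192.168.30.0/24
```

Run it on the server as nfs_firewall_rules /etc/sysconfig/nfs /etc/sysconfig/network 192.168.30.0/24 and review the output before applying it; the point of the -s restriction is that NIS and the KDC are never exposed beyond the client network.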
TEST
Log in on tty1 as nfsuser (nfsuser also needs a principal in the realm and a ticket shown by klist: rpc.gssd builds the GSS context for the mount from the logged-in user's ticket, and without one the access is denied).
cd /mnt/test
touch a b
The files must appear on the server owned by nfsuser.