NFS(Network File System)即網絡文件系統,是FreeBSD系統支持的文件系統中的一種,它允許網絡中的計算機之間通過TCP/IP網絡共享資源。在NFS的應用中,本地NFS的客戶端應用可以透明地讀寫位於遠端NFS服務器上的文件,就像訪問本地文件一樣。
1.服務啓動
[root@desktop ~]# yum install nfs-utils ##安裝NFS服務軟件包
[root@desktop ~]# systemctl enable nfs-server.service
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
[root@desktop ~]# systemctl start nfs-server.service
[root@desktop ~]# firewall-cmd --permanent --add-service=nfs ##將NFS服務添加到防火牆策略
success
[root@desktop ~]# firewall-cmd --permanent --add-service=rpc-bind ##開啓rpcbind服務端口
success
[root@desktop ~]# firewall-cmd --permanent --add-service=mountd ##開啓mountd掛載服務端口
success
[root@desktop ~]# firewall-cmd --reload ##重載防火牆策略,使上述永久規則生效
success
[root@desktop ~]# showmount -e 172.25.254.140 ##測試命令,列出該主機導出的共享目錄
Export list for 172.25.254.140:
2.共享目錄
systemctl start nfs-server ##開啓服務
mkdir /public ##創建要共享的目錄
chmod 777 /public ##修改目錄權限以保證能被其他人訪問
touch /public/test{1..3} ##在共享目錄中創建新文件使實驗效果更明顯
vim /etc/exports ##man 5 exports
共享目錄 共享方式
/public *(sync) ##共享public目錄給所有人並數據同步
/public 172.25.40.0/24(sync) ##共享目錄給40網段
/public *.example.com(sync) ##共享目錄給.example.com域
/public 172.25.40.10(ro,sync) 172.25.40.250(rw,sync) ##共享目錄使10主機只讀,250主機可讀寫
/public *(sync,no_root_squash) ##當客戶端以root身份掛載訪問時不改變用戶身份(不將root映射爲匿名用戶)
/public *(sync,anonuid=1001,anongid=1000) ##將匿名用戶映射爲uid 1001,gid 1000
3.利用kerberos保護nfs輸出
****server端****
主機名改爲server40.example.com
[root@server40 ~]# yum install sssd krb5-workstation.x86_64 authconfig-gtk.x86_64 -y
[root@server40 ~]# authconfig-gtk ##開啓kerberos認證,得到ldap用戶
[root@server40 ~]# su - student
Last login: 六 6月 3 23:10:30 EDT 2017 on pts/1
[student@server40 ~]$ su - ldapuser1
Password: ##密碼爲kerberos
Last login: Sat Jun 3 23:12:34 EDT 2017 on pts/1
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ klist ##登錄成功,klist顯示已獲得Kerberos票據
Ticket cache: KEYRING:persistent:1701:krb_ccache_aatOI6I
Default principal: [email protected]
Valid starting Expires Service principal
06/03/2017 23:29:19 06/04/2017 23:29:18 krbtgt/[email protected]
renew until 06/03/2017 23:29:19
-bash-4.2$ logout
[root@server40 ~]# wget http://172.25.254.254/pub/keytabs/server40.keytab -O /etc/krb5.keytab ##下載本機的keytab到指定路徑
--2017-06-03 23:35:12-- http://172.25.254.254/pub/keytabs/server40.keytab
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1258 (1.2K)
Saving to: ‘/etc/krb5.keytab’
100%[============================================>] 1,258 --.-K/s in 0s
2017-06-03 23:35:12 (212 MB/s) - ‘/etc/krb5.keytab’ saved [1258/1258]
[root@server40 ~]# ktutil ##檢查keytab是否已正確取得(列出其中的principal)
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/[email protected]
2 2 host/[email protected]
3 2 host/[email protected]
4 2 host/[email protected]
5 2 host/[email protected]
6 2 host/[email protected]
7 2 host/[email protected]
8 2 host/[email protected]
9 2 nfs/[email protected]
10 2 nfs/[email protected]
11 2 nfs/[email protected]
12 2 nfs/[email protected]
13 2 nfs/[email protected]
14 2 nfs/[email protected]
15 2 nfs/[email protected]
16 2 nfs/[email protected]
ktutil:
[root@server40 ~]# vim /etc/exports
[root@server40 ~]# exportfs -rv
exporting *:/public
[root@server40 ~]# systemctl start nfs-secure-server
[root@server40 ~]# systemctl enable nfs-secure-server
ln -s '/usr/lib/systemd/system/nfs-secure-server.service' '/etc/systemd/system/nfs.target.wants/nfs-secure-server.service'
[root@server40 ~]# reboot
Connection to 172.25.40.11 closed by remote host.
Connection to 172.25.40.11 closed.
****desktop端****
[root@desktop40 ~]# hostnamectl set-hostname desktop40.example.com
[root@desktop40 ~]# vim /etc/yum.repos.d/rhel_dvd.repo
[root@desktop40 ~]# authconfig-gtk ##開啓kerberos認證,得到ldap用戶
[root@desktop40 ~]# su - student
[student@desktop40 ~]$ su - ldapuser1
Password:
su: warning: cannot change directory to /home/guests/ldapuser1: No such file or directory
mkdir: cannot create directory '/home/guests': Permission denied
-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1701:krb_ccache_VLRFCOm
Default principal: [email protected]
Valid starting Expires Service principal
06/03/2017 23:19:09 06/04/2017 23:19:09 krbtgt/[email protected]
renew until 06/03/2017 23:19:09
-bash-4.2$ logout
[root@desktop40 etc]# wget http://172.25.254.254/pub/keytabs/desktop40.keytab -O /etc/krb5.keytab
--2017-06-03 23:38:52-- http://172.25.254.254/pub/keytabs/desktop40.keytab
Connecting to 172.25.254.254:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1274 (1.2K)
Saving to: ‘/etc/krb5.keytab’
100%[============================================>] 1,274 --.-K/s in 0s
2017-06-03 23:38:52 (199 MB/s) - ‘/etc/krb5.keytab’ saved [1274/1274]
[root@desktop40 etc]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/[email protected]
2 2 host/[email protected]
3 2 host/[email protected]
4 2 host/[email protected]
5 2 host/[email protected]
6 2 host/[email protected]
7 2 host/[email protected]
8 2 host/[email protected]
9 2 nfs/[email protected]
10 2 nfs/[email protected]
11 2 nfs/[email protected]
12 2 nfs/[email protected]
13 2 nfs/[email protected]
14 2 nfs/[email protected]
15 2 nfs/[email protected]
16 2 nfs/[email protected]
[root@desktop40 etc]# systemctl start nfs-secure
[root@desktop40 etc]# systemctl enable nfs-secure
ln -s '/usr/lib/systemd/system/nfs-secure.service' '/etc/systemd/system/nfs.target.wants/nfs-secure.service'
[root@desktop40 etc]# reboot
Connection to 172.25.40.10 closed by remote host.
Connection to 172.25.40.10 closed.
[root@desktop40 ~]# mount 172.25.40.11:/public /mnt -o sec=krb5p ##使用Kerberos認證掛載(sec=krb5p)
[root@desktop40 ~]# cd /mnt
[root@desktop40 mnt]# ls
file test1 test2 test3 ##共享成功