Kerberos+LDAP+NFSv4 实现单点登录(中)

五.nfs服务器的安装
1.安装nfs-kernel-server
root@debian:~# apt-get install nfs-kernel-server nfs-common

修改/etc/default/nfs-kernel-server文件

NEED_SVCGSSD=""
改为
NEED_SVCGSSD="yes"

重启nfs-kernel-server

root@debian:~# /etc/init.d/nfs-kernel-server stop
root@debian:~# /etc/init.d/nfs-kernel-server start
root@debian:~# ps -e |grep gss
10275 ?        00:00:00 rpc.svcgssd

2.安装libnss-ldapd、nslcd
为了获取ldap用户信息,要安装libnss-ldapd、nslcd
在新立得选上libnss-ldapd、nslcd会自动将libpam-ldapd、nscd、nslcd-utils三个包打上安装标记,可手工将该三个包去掉安装标记,不需此三个包

root@debian:~# apt-get install libnss-ldapd nslcd

注意安装nslcd配置过程中,提示输入LDAP服务器地址的输入框默认了uri ldapi:/// ,一定要将 ldapi 改为 ldap ,因为ldapi:///表示用在unix域

1)nslcd
安装过程中
ldap server uri 填 ldap://192.168.1.101/
ldap服务器搜索起点 填 dc=ctp,dc=net

查看配置文件

root@debian:~# cat /etc/nslcd.conf
#The user and group nslcd should run as.
uid nslcd
gid nslcd

#The location at which the LDAP server(s) should be reachable.
#填LDAP服务器地址,即kdc服务器地址
uri ldap://192.168.1.101/

#The search base that will be used for all queries.
base dc=ctp,dc=net

root@debian:~#

2)libnss-ldapd
安装过程中
name services to configure 选 [*] passwd

新建测试目录
root@debian:~# mkdir /home/linlin/share

将该目录属性改为用户ID及用户组ID都为4001,即为ldap用户krblinlin的uidNumber/gidNumber,但并在nfs客/服两主机本地不存在该ID用户
root@debian:~# chown 4001:4001 /home/linlin/share

2.1)假定没选[*] passwd

linlin@debian:~$ ls -ld /home/linlin/share
drwxr-xr-x 2 4001 4001 4096 9月  18 21:13 /home/linlin/share

则取不到ldap用户信息

2.2)可重设libnss-ldapd,选上[*] passwd
root@debian:~# dpkg-reconfigure libnss-ldapd

...
┌───────────┤  正在设定 libnss-ldapd  ├──────────────────────────┐  
│  For this package to work, you need to modify the /etc/nsswitch.conf file to use the ldap datasource. │  
│  You can select the services that should have LDAP lookups enabled. The new LDAP lookups will be added│
│as the last datasource. Be sure to review these changes.                                               │  
│  Name services to configure:                                                                          │  
│    [ ] hosts                                                                                          │  
│    [ ] netgroup                                                                                       │  
│    [ ] networks                                                                                       │  
│    [*] passwd                                                                                         │  
│    [ ] protocols                                          
...

/etc/nsswitch.conf: enable LDAP lookups for passwd
root@debian:~#

查看配置文件,可见passwd一行后添加了ldap

root@debian:~# cat /etc/nsswitch.conf
passwd:         compat ldap
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
root@debian:~#
linlin@debian:~$ ls -ld /home/linlin/share
drwxr-xr-x 2 krblinlin 4001 4096 9月  18 21:13 /home/linlin/share

则已获取显示ldap用户信息,krblinlin为ldap用户,同时也是Kerberos用户
获取用户信息很重要,因为nfs客/服两端的认证用户信息要匹配,即两边的域+用户名要一致

注:本实验只获取ldap用户的用户名,无法获取ldap用户的所属用户组名(如上仍显示用户组ID 4001),但不影响实验效果

3.网络共享
本实验目的NFSv4认证采用安全性强的gss/krb5认证(Kerberos),而不是弱的系统认证(AUTH_SYS)

编辑/etc/exports文件

root@debian:~# cat /etc/exports
/home/linlin/share  gss/krb5(rw,sync,no_subtree_check)
root@debian:~#

执行导出
root@debian:~# exportfs -r

查看导出

root@debian:~# exportfs -v
/home/linlin/share
        gss/krb5(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,root_squash,no_all_squash)
root@debian:~#

4.问题解决
nfs服务器没有启动rpc.idmapd,导致nfs客户机没写权限
1)

root@debian:~# rpc.idmapd
rpc.idmapd: libnfsidmap: using (default) domain: ctp.net
rpc.idmapd: libnfsidmap: Realms list: 'CTP.NET'
rpc.idmapd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch

root@debian:~# ps -e|grep rpc
  634 ?        00:00:00 rpciod
  757 ?        00:00:00 rpcbind
 1188 ?        00:00:00 rpc.svcgssd
 1261 ?        00:00:00 rpc.mountd
root@debian:~#

手工运行rpc.idmapd仍没启动rpc.idmapd

2)
原来nfs服务器的nfs-common要重启

root@debian:~# /etc/init.d/nfs-common stop
root@debian:~# /etc/init.d/nfs-common start

root@debian:~# ps -e|grep rpc
  634 ?        00:00:00 rpciod
  757 ?        00:00:00 rpcbind
14256 ?        00:00:00 rpc.svcgssd
14258 ?        00:00:00 rpc.mountd
15023 ?        00:00:00 rpc.statd
15041 ?        00:00:00 rpc.idmapd
root@debian:~#

nfs客户机已可写权限了