2025-04-06 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 06/02 Report
Kerberos+LDAP+NFSv4 for single sign-on (middle)
V. Installation of the nfs server
1. Install nfs-kernel-server
root@debian:~# apt-get install nfs-kernel-server nfs-common
Modify the /etc/default/nfs-kernel-server file so that rpc.svcgssd (the server-side GSS daemon) is started: change
NEED_SVCGSSD=""
to
NEED_SVCGSSD="yes"
Restart nfs-kernel-server and confirm that rpc.svcgssd is running:
root@debian:~# /etc/init.d/nfs-kernel-server stop
root@debian:~# /etc/init.d/nfs-kernel-server start
root@debian:~# ps -e |grep gss
10275 ?        00:00:00 rpc.svcgssd
2. Install libnss-ldapd, nslcd
To resolve LDAP user information on the NFS server, install libnss-ldapd and nslcd.
Installing libnss-ldapd and nslcd automatically marks three further packages, libpam-ldapd, nscd and nslcd-utils, for installation. These three are not needed here, so you can manually clear their installation marks.
root@debian:~# apt-get install libnss-ldapd nslcd
Note that during the nslcd configuration step of the installation, the input box for the LDAP server address defaults to the URI ldapi:///. Be sure to change ldapi to ldap, because ldapi:/// means a local Unix domain socket connection rather than a network connection to the LDAP server.
1) nslcd
During installation:
LDAP server URI: ldap://192.168.1.101/
LDAP server search base: dc=ctp,dc=net
View the resulting configuration file:
root@debian:~# cat /etc/nslcd.conf
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
# Enter LDAP server address, i.e. kdc server address
uri ldap://192.168.1.101/
# The search base that will be used for all queries.
base dc=ctp,dc=net
root@debian:~#
2) libnss-ldapd
During installation:
Name services to configure: select [*] passwd
Create a test directory
root@debian:~# mkdir /home/linlin/share
Change the directory's owner to user ID and group ID 4001, i.e. the uidNumber/gidNumber of the LDAP user krblinlin. This ID does not exist as a local account on either the NFS client or the NFS server host.
root@debian:~# chown 4001:4001 /home/linlin/share
2.1) Assuming [*] passwd was not selected
linlin@debian:~$ ls -ld /home/linlin/share
drwxr-xr-x 2 4001 4001 4096 Sep 18 21:13 /home/linlin/share
The LDAP user information is not available: the owner is shown only as the numeric ID.
2.2) libnss-ldapd can be reconfigured to select [*] passwd
root@debian:~# dpkg-reconfigure libnss-ldapd
... For this package to work, you need to modify the /etc/nsswitch.conf file to use the ldap datasource.
You can select the services that should have LDAP lookups enabled. The new LDAP lookups will be added as the last datasource. Be sure to review these changes.
Name services to configure:
[ ] hosts
[ ] netgroup
[ ] networks
[*] passwd
[ ] protocols
...
/etc/nsswitch.conf: enable LDAP lookups for passwd
root@debian:~#
Looking at the configuration file, you can see that ldap has been added after compat on the passwd line (and only there):
root@debian:~# cat /etc/nsswitch.conf
passwd: compat ldap
group: compat
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
root@debian:~#
linlin@debian:~$ ls -ld /home/linlin/share
drwxr-xr-x 2 krblinlin 4001 4096 Sep 18 21:13 /home/linlin/share
The LDAP user information has now been obtained: krblinlin is the LDAP user, and also the Kerberos user.
Obtaining this user information matters because the identity used for authentication must match at both ends, NFS client and NFS server; that is, the domain + username must be the same on both sides.
Note: this experiment only resolves the LDAP user's name, not the LDAP group name (as shown above, the group is still displayed as the numeric ID 4001, since only passwd, not group, was enabled for LDAP lookups in nsswitch.conf), but this does not affect the result of the experiment.
3. Network share
The purpose of this lab is to use strong gss/krb5 authentication (Kerberos) instead of weak system authentication (AUTH_SYS) for NFSv4 authentication.
Edit the /etc/exports file so that the share is only offered with the gss/krb5 security flavour:
root@debian:~# cat /etc/exports
/home/linlin/share gss/krb5(rw,sync,no_subtree_check)
root@debian:~#
Apply the export
root@debian:~# exportfs -r
View the export
root@debian:~# exportfs -v
/home/linlin/share gss/krb5(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,root_squash,no_all_squash)
root@debian:~#
4. Troubleshooting
The NFS server did not start rpc.idmapd, which resulted in the NFS client not having write permission (without ID mapping, NFSv4 owner names cannot be translated at the server).
1) Starting rpc.idmapd by hand
root@debian:~# rpc.idmapd
rpc.idmapd: libnfsidmap: using (default) domain: ctp.net
rpc.idmapd: libnfsidmap: Realms list: 'CTP.NET'
rpc.idmapd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
root@debian:~# ps -e|grep rpc
  634 ?        00:00:00 rpciod
  757 ?        00:00:00 rpcbind
 1188 ?        00:00:00 rpc.svcgssd
 1261 ?        00:00:00 rpc.mountd
root@debian:~#
rpc.idmapd still does not appear in the process list after being started manually.
2) Restarting nfs-common on the NFS server instead
root@debian:~# /etc/init.d/nfs-common stop
root@debian:~# /etc/init.d/nfs-common start
root@debian:~# ps -e|grep rpc
  634 ?        00:00:00 rpciod
  757 ?        00:00:00 rpcbind
14256 ?        00:00:00 rpc.svcgssd
14258 ?        00:00:00 rpc.mountd
15023 ?        00:00:00 rpc.statd
15041 ?        00:00:00 rpc.idmapd
root@debian:~#
rpc.idmapd is now running and the NFS client is writeable.
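The server-side setup above depends on three things being in place at once: the export granting only Kerberos security flavours, ldap being listed for passwd in nsswitch.conf, and rpc.svcgssd, rpc.mountd and rpc.idmapd all running. The POSIX shell script below is an added example, not code from the article; its functions take file or command text as arguments so they can be checked offline against the article's own listings (the sample lines, function names and the extra sec= export forms are assumptions of this example).

```shell
# Added example (not from the article): offline checks for the server-side
# settings the walkthrough depends on. Each function takes file or command text,
# so on a real server pass "$(cat /etc/exports)", "$(cat /etc/nsswitch.conf)", "$(ps -e)".

# Classify the security flavours one /etc/exports line (one client entry) grants.
# Understands the legacy gss/krb5* client-name form used in the article and the
# current sec=flavour[:flavour...] option.  Prints: krb5 | sys | mixed
export_sec_flavor() {
    line=$1; krb=0; sys=0
    case "$line" in *gss/krb5*) krb=1 ;; esac
    opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\)).*/\1/p' | tr ',' ' ')
    for opt in $opts; do
        case "$opt" in sec=*)
            for fl in $(printf '%s' "${opt#sec=}" | tr ':' ' '); do
                case "$fl" in krb5|krb5i|krb5p) krb=1 ;; sys) sys=1 ;; esac
            done ;;
        esac
    done
    if   [ $krb = 1 ] && [ $sys = 1 ]; then echo mixed
    elif [ $krb = 1 ];                 then echo krb5
    else echo sys; fi   # no sec= option at all means the default, AUTH_SYS
}

# Exit 0 if database $2 (passwd, group, ...) in nsswitch.conf text $1 lists ldap.
nsswitch_has_ldap() {
    printf '%s\n' "$1" | awk -v db="$2:" \
        '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") f = 1 } END { exit !f }'
}

# Print each daemon the Kerberos NFSv4 server needs that is absent from `ps -e` text $1.
missing_nfs_daemons() {
    for d in rpc.svcgssd rpc.mountd rpc.idmapd; do
        printf '%s\n' "$1" | awk -v d="$d" '$NF == d { f = 1 } END { exit !f }' \
            || echo "$d"
    done
}

# Samples copied from the listings in this article (the "before" process list).
EXPORT_LINE='/home/linlin/share gss/krb5(rw,sync,no_subtree_check)'
NSS='passwd: compat ldap
group: compat'
PS_BEFORE='  634 ?  00:00:00 rpciod
  757 ?  00:00:00 rpcbind
 1188 ?  00:00:00 rpc.svcgssd
 1261 ?  00:00:00 rpc.mountd'
export_sec_flavor "$EXPORT_LINE"        # krb5
nsswitch_has_ldap "$NSS" group || echo "group names will stay numeric (nsswitch)"
missing_nfs_daemons "$PS_BEFORE"        # rpc.idmapd
```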