Kerberos+LDAP+NFSv4 implements single sign-on (middle)

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

V. Installing the NFS server

1. Install nfs-kernel-server

root@debian:~# apt-get install nfs-kernel-server nfs-common

Edit /etc/default/nfs-kernel-server and change

NEED_SVCGSSD=""

to

NEED_SVCGSSD="yes"

so that rpc.svcgssd, the server-side RPCSEC_GSS daemon that validates the clients' Kerberos tickets, is started together with the NFS server.

Restart nfs-kernel-server and confirm that rpc.svcgssd is running

root@debian:~# /etc/init.d/nfs-kernel-server stop
root@debian:~# /etc/init.d/nfs-kernel-server start
root@debian:~# ps -e | grep gss
10275 ?        00:00:00 rpc.svcgssd

2. Install libnss-ldapd and nslcd

To resolve LDAP user information through NSS, install libnss-ldapd and nslcd.

When these two packages are selected, the package manager also marks libpam-ldapd, nscd and nslcd-utils for installation. Those marks can be removed by hand; none of the three packages is needed for this setup.

root@debian:~# apt-get install libnss-ldapd nslcd

During the nslcd configuration dialog, the LDAP server URI field defaults to ldapi:///. Change it to an ldap:// URI: ldapi:/// denotes a local Unix-domain socket, which only reaches an LDAP server running on the same host.

1) nslcd

During installation:

LDAP server URI: ldap://192.168.1.101/

LDAP server search base: dc=ctp,dc=net

View the configuration file

root@debian:~# cat /etc/nslcd.conf
# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
# Enter the LDAP server address (here it is the same host as the KDC)
uri ldap://192.168.1.101/

# The search base that will be used for all queries.
base dc=ctp,dc=net
root@debian:~#

2) libnss-ldapd

During installation:

Name services to configure: select [*] passwd

Create a test directory

root@debian:~# mkdir /home/linlin/share

Change the directory's owner and group to 4001, the uidNumber/gidNumber of the LDAP user krblinlin. This ID has no local account on either the NFS client or the NFS server; it exists only in LDAP.

root@debian:~# chown 4001:4001 /home/linlin/share

2.1) If [*] passwd is not selected

linlin@debian:~$ ls -ld /home/linlin/share
drwxr-xr-x 2 4001 4001 4096 Sep 18 21:13 /home/linlin/share

Only the numeric IDs are shown: the LDAP user information is not being resolved.

2.2) libnss-ldapd can be reconfigured to select [*] passwd

root@debian:~# dpkg-reconfigure libnss-ldapd

... For this package to work, you need to modify the /etc/nsswitch.conf file to use the ldap datasource.
You can select the services that should have LDAP lookups enabled. The new LDAP lookups will be added as the last datasource. Be sure to review these changes.

Name services to configure:
[ ] hosts
[ ] netgroup
[ ] networks
[*] passwd
[ ] protocols ...

/etc/nsswitch.conf: enable LDAP lookups for passwd
root@debian:~#

Looking at the configuration file, ldap has been appended to the passwd line:

root@debian:~# cat /etc/nsswitch.conf
passwd:         compat ldap
group:          compat
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
root@debian:~#

linlin@debian:~$ ls -ld /home/linlin/share
drwxr-xr-x 2 krblinlin 4001 4096 Sep 18 21:13 /home/linlin/share

The LDAP user information is now resolved: the owner is shown as krblinlin, the LDAP user that is also the Kerberos principal.

Resolving names correctly matters because NFSv4 transmits file owners and groups as user@domain strings rather than numeric IDs, and rpc.idmapd on each side maps them back to local identities: the idmap domain and the user name must be identical on the NFS client and the NFS server, or ownership will not match.

Note: in this experiment only the user name resolves, not the group name (the group is still shown as 4001 above), because only passwd was enabled for LDAP lookups and group was left at compat. This does not affect the result of the experiment; selecting [*] group as well in dpkg-reconfigure libnss-ldapd makes the group name resolve too.

3. Network share

The purpose of this lab is to authenticate NFSv4 with strong gss/krb5 (Kerberos) authentication instead of the weak default AUTH_SYS. With AUTH_SYS the server trusts whatever numeric UID and GID the client places in each RPC, so any host that can reach the server can act as any user; with Kerberos the server accepts a user only after rpc.svcgssd has verified a ticket issued to that principal.

Edit the /etc/exports file

root@debian:~# cat /etc/exports
/home/linlin/share gss/krb5(rw,sync,no_subtree_check)
root@debian:~#

The gss/krb5 pseudo-client name is the older spelling. Current exports(5) expresses the same requirement with the sec= export option (sec=krb5 for authentication only, sec=krb5i to add integrity protection, sec=krb5p to also encrypt the traffic) combined with an ordinary client host or network specification.

Perform the export

root@debian:~# exportfs -r

View the export

root@debian:~# exportfs -v
/home/linlin/share gss/krb5(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,root_squash,no_all_squash)
root@debian:~#

Note that exportfs -v lists sec=sys in the options of this entry even though the gss/krb5 client form is in use, which is easy to misread. An export written with an explicit sec=krb5 option is displayed with that flavour and leaves no doubt about what the server enforces.

4. Problem solving

The NFS server was not running rpc.idmapd, so it could not map NFSv4 owner names, and as a result the NFS client had no write permission on the share.

1)

root@debian:~# rpc.idmapd
rpc.idmapd: libnfsidmap: using (default) domain: ctp.net
rpc.idmapd: libnfsidmap: Realms list: 'CTP.NET'
rpc.idmapd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
root@debian:~# ps -e | grep rpc
  634 ?        00:00:00 rpciod
  757 ?        00:00:00 rpcbind
 1188 ?        00:00:00 rpc.svcgssd
 1261 ?        00:00:00 rpc.mountd
root@debian:~#

Started by hand like this, rpc.idmapd prints its startup messages but is still not running afterwards.

2)

Restart nfs-common on the NFS server (on this Debian release its init script is what starts rpc.statd and rpc.idmapd):

root@debian:~# /etc/init.d/nfs-common stop
root@debian:~# /etc/init.d/nfs-common start
root@debian:~# ps -e | grep rpc
  634 ?        00:00:00 rpciod
  757 ?        00:00:00 rpcbind
14256 ?        00:00:00 rpc.svcgssd
14258 ?        00:00:00 rpc.mountd
15023 ?        00:00:00 rpc.statd
15041 ?        00:00:00 rpc.idmapd
root@debian:~#

rpc.idmapd is now running and the NFS client can write to the share.
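The following script is an added example and is not part of the original article. It audits the three server-side settings configured in this section (NEED_SVCGSSD, LDAP lookups in nsswitch.conf, and Kerberos-only exports) against constructed sample files: one set in the state the article starts from, one in the hardened state. The client subnet 192.168.1.0/24 in the sample exports is an assumption; on a real server, point the checks at /etc/default/nfs-kernel-server, /etc/nsswitch.conf and /etc/exports instead.

```shell
#!/bin/sh
# Added example, not from the original article. Offline audit of the three
# server-side settings this section configures, run here against constructed
# sample files; on a real server point the checks at
# /etc/default/nfs-kernel-server, /etc/nsswitch.conf and /etc/exports.

# 1. NEED_SVCGSSD must be "yes", otherwise rpc.svcgssd is never started and
#    the server cannot validate any client's Kerberos ticket.
check_svcgssd() {
    grep -Eq '^[[:space:]]*NEED_SVCGSSD="?yes"?' "$1"
}

# 2. Both passwd and group must consult LDAP. The article enables only
#    passwd, which is why its ls output still shows the numeric group 4001.
check_nsswitch() {
    grep -Eq '^passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# 3. Every export must name a Kerberos flavour (sec=krb5, krb5i or krb5p)
#    and must not also allow sys. No sec= option means the AUTH_SYS default,
#    and the gss/krb5 pseudo-client spelling used above is the deprecated
#    form. Prints one line per weak export and returns 1 if any was found.
check_exports() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *gss/krb5*)
                echo "deprecated gss/krb5 client form, use sec=krb5: $line"
                bad=1; continue ;;
        esac
        sec=$(printf '%s\n' "$line" | sed -n 's/.*[(,]sec=\([^,)]*\).*/\1/p')
        case "$sec" in
            '')    echo "no sec= option, defaults to AUTH_SYS: $line"; bad=1 ;;
            *sys*) echo "AUTH_SYS still permitted: $line"; bad=1 ;;
        esac
    done <"$1"
    return $bad
}

# Constructed sample files: the state the article starts from ("weak") and
# the hardened state the checks accept ("good"). Subnet 192.168.1.0/24 is
# an assumption.
dir=$(mktemp -d)
printf 'NEED_SVCGSSD=""\n' >"$dir/nfs-kernel-server.weak"
printf 'NEED_SVCGSSD="yes"\n' >"$dir/nfs-kernel-server.good"
printf 'passwd: compat ldap\ngroup:  compat\n' >"$dir/nsswitch.weak"
printf 'passwd: compat ldap\ngroup:  compat ldap\n' >"$dir/nsswitch.good"
cat >"$dir/exports.weak" <<'EOF'
# constructed sample: the article's export plus two common mistakes
/home/linlin/share gss/krb5(rw,sync,no_subtree_check)
/srv/public 192.168.1.0/24(ro,sync,no_subtree_check)
/srv/mixed *(rw,sync,sec=sys:krb5,no_subtree_check)
EOF
cat >"$dir/exports.good" <<'EOF'
/home/linlin/share 192.168.1.0/24(rw,sync,sec=krb5p,no_subtree_check)
/srv/public *(ro,sync,sec=krb5i,no_subtree_check)
EOF

for cfg in weak good; do
    echo "== $cfg configuration =="
    check_svcgssd "$dir/nfs-kernel-server.$cfg" && echo "svcgssd: enabled" || echo "svcgssd: DISABLED"
    check_nsswitch "$dir/nsswitch.$cfg" && echo "nsswitch: passwd and group via ldap" || echo "nsswitch: incomplete"
    check_exports "$dir/exports.$cfg" && echo "exports: all Kerberos-only"
done
```

The weak set fails all three checks (the deprecated gss/krb5 entry, the export with no sec= option and the sec=sys:krb5 entry are each reported), the good set passes. On the live server, follow the file checks with the ps -e | grep rpc command from section 4 to confirm that rpc.svcgssd and rpc.idmapd are both running, since a correct /etc/exports does nothing if either daemon is absent.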
