Single sign-on with Kerberos + LDAP + NFSv4 (Part 2)
5. Installing the NFS server

Edit the file /etc/default/nfs-kernel-server, then restart nfs-kernel-server:

    [user@host]:~# /etc/init.d/nfs-kernel-server stop
    [user@host]:~# /etc/init.d/nfs-kernel-server start
    [user@host]:~# ps -e |grep gss
    10275 ?        00:00:00 rpc.svcgssd

2. Install libnss-ldapd and nslcd

Note: while nslcd is being configured, the prompt for the LDAP server address is pre-filled with the URI ldapi:///. Change ldapi to ldap, because ldapi:/// means a Unix domain socket (a local connection), not the remote LDAP server.

1) nslcd

Check the configuration file:

    [user@host]:~# cat /etc/nslcd.conf
    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd
    # The location at which the LDAP server(s) should be reachable.
    # Fill in the LDAP server address, i.e. the KDC server's address
    uri ldap://192.168.1.101/
    # The search base that will be used for all queries.
    base dc=ctp,dc=net
    [user@host]:~#

2) libnss-ldapd

Create a test directory and change its owner and group to user ID 4001 and group ID 4001. These are the uidNumber/gidNumber of the LDAP user krblinlin; no local user with that ID exists on either the NFS client or the NFS server.

2.1) Assume [*] passwd was not selected:

    [user@host]:~$ ls -ld /home/linlin/share
    drwxr-xr-x 2 4001 4001 4096 9月 18 21:13 /home/linlin/share

The LDAP user information cannot be resolved, so only the numeric IDs are shown.

2.2) Reconfigure libnss-ldapd and select [*] passwd:

    ...
    ┌───────────┤ 正在设定 libnss-ldapd ├──────────────────────────┐
    │ For this package to work, you need to modify the /etc/nsswitch.conf file to use the ldap datasource. │
    │ You can select the services that should have LDAP lookups enabled. The new LDAP lookups will be added │
    │ as the last datasource. Be sure to review these changes.                                              │
    │ Name services to configure:                                                                           │
    │ [ ] hosts                                                                                             │
    │ [ ] netgroup                                                                                          │
    │ [ ] networks                                                                                          │
    │ [*] passwd                                                                                            │
    │ [ ] protocols                                                                                         │
    ...
    /etc/nsswitch.conf: enable LDAP lookups for passwd

Check the configuration file; ldap has been appended to the passwd line:

    [user@host]:~# cat /etc/nsswitch.conf
    passwd:         compat ldap
    group:          compat
    shadow:         compat
    gshadow:        files
    hosts:          files mdns4_minimal [NOTFOUND=return] dns
    networks:       files
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    netgroup:       nis
    [user@host]:~#

    [user@host]:~$ ls -ld /home/linlin/share
    drwxr-xr-x 2 krblinlin 4001 4096 9月 18 21:13 /home/linlin/share

The LDAP user information is now resolved and displayed: krblinlin is an LDAP user and also a Kerberos user.

Note: in this experiment only the LDAP user's name is resolved; the LDAP user's group name cannot be resolved (the group ID 4001 is still shown above). This does not affect the outcome of the experiment.

3. Network share

Edit /etc/exports:

    [user@host]:~# cat /etc/exports
    /home/linlin/share gss/krb5(rw,sync,no_subtree_check)
    [user@host]:~#

Run the export, then check it:

    [user@host]:~# exportfs -v
    /home/linlin/share gss/krb5(rw,wdelay,root_squash,no_subtree_check,sec=sys,rw,no_all_squash)
    [user@host]:~#

4. Troubleshooting

    [user@host]:~# rpc.idmapd
    rpc.idmapd: libnfsidmap: using (default) domain: ctp.net
    rpc.idmapd: libnfsidmap: Realms list: 'CTP.NET'
    rpc.idmapd: libnfsidmap: loaded plugin /lib/x86_64-linux-gnu/libnfsidmap/nsswitch.so for method nsswitch
    [user@host]:~# ps -e|grep rpc
      634 ?        00:00:00 rpciod
      757 ?        00:00:00 rpcbind
     1188 ?        00:00:00 rpc.svcgssd
     1261 ?        00:00:00 rpc.mountd
    [user@host]:~#

Running rpc.idmapd by hand still did not start rpc.idmapd.

2) Restart nfs-common:

    [user@host]:~# /etc/init.d/nfs-common stop
    [user@host]:~# /etc/init.d/nfs-common start
    [user@host]:~# ps -e|grep rpc
      634 ?        00:00:00 rpciod
      757 ?        00:00:00 rpcbind
    14256 ?        00:00:00 rpc.svcgssd
    14258 ?        00:00:00 rpc.mountd
    15023 ?        00:00:00 rpc.statd
    15041 ?        00:00:00 rpc.idmapd
    [user@host]:~#

The NFS client now has write access to the share.
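An added audit helper for the export configuration in section 3; it is not part of the original post. It parses an /etc/exports file and reports, per export, whether the client is forced to use a Kerberos security flavour (either the legacy gss/krb5 pseudo-client form used above, or a sec= list made up only of krb5/krb5i/krb5p flavours) and whether root_squash is in effect. The sample exports file is constructed here: only the /home/linlin/share line comes from the post, the other paths are made up.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Reads an /etc/exports file
# and prints one line per export: <path> <client> krb5=<yes|no> root_squash=<yes|no>
# krb5=yes means the client cannot fall back to sec=sys: either the legacy
# "gss/krb5*" pseudo-client form (used in this post) or a sec= list whose
# flavours are all krb5*. root_squash is on unless no_root_squash is given.
audit_exports() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 2 {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; client = spec; opts = ""
            # Split "client(opt1,opt2)" into the client and its option list.
            if (match(spec, /\(.*\)$/)) {
                client = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            krb = (client ~ /^gss\/krb5/) ? "yes" : "no"
            squash = "yes"
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] ~ /^sec=/) {
                    # Every flavour in sec=a:b:c must be a krb5 flavour.
                    krb = "yes"
                    m = split(substr(o[j], 5), f, ":")
                    for (k = 1; k <= m; k++) if (f[k] !~ /^krb5/) krb = "no"
                }
                if (o[j] == "no_root_squash") squash = "no"
            }
            printf "%s %s krb5=%s root_squash=%s\n", path, client, krb, squash
        }
    }'
}

# Succeeds (exit 0) only when every export in the file forces Kerberos.
exports_all_krb5() {
    ! audit_exports "$1" | grep -q 'krb5=no'
}

# Constructed sample file: the post's own export line plus three made-up ones.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/exports
/home/linlin/share gss/krb5(rw,sync,no_subtree_check)
/srv/pub 192.168.1.0/24(ro,sync,no_subtree_check)
/srv/data *(rw,sec=krb5p,no_root_squash)
/srv/mixed *(rw,sec=sys:krb5,no_subtree_check)
EOF
}
```

The exportfs -v output above lists sec=sys next to the gss/krb5 entry, so judging an export from its printed options alone would misread it; the helper therefore recognises the pseudo-client form as well as the sec= option.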