In an earlier post I mentioned that IPA + NFS was not working and that the problem was the Kerberos keys. After several days of reading documentation and testing it finally works. The details follow.

On the IPA server, first allow the `des-cbc-crc` encryption type in the realm. Single DES is disabled by default for good reason; it is enabled here only because the NFS GSS stack on this release needs it, and later only the `nfs/` principals are given DES keys.
```bash
# add des-cbc-crc to the realm's supported and default enc/salt types
cat << EOF > /tmp/nfs_add_des.ldif
dn: cn=DADI.COM,cn=kerberos,dc=dadi,dc=com
changetype: modify
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:normal
-
add: krbSupportedEncSaltTypes
krbSupportedEncSaltTypes: des-cbc-crc:special
-
add: krbDefaultEncSaltTypes
krbDefaultEncSaltTypes: des-cbc-crc:special
EOF
# turn lines that contain only a space into real empty lines, otherwise ldapmodify
# would treat them as continuation lines
sed -i 's/^ $//g' /tmp/nfs_add_des.ldif
# -w puts the Directory Manager password on the command line (visible in shell history
# and ps); -W prompts for it instead
ldapmodify -x -D "cn=directory manager" -w 111111 -h ipa.dadi.com -p 389 -f /tmp/nfs_add_des.ldif
```

Then edit `/etc/krb5.conf` and add the following under `[libdefaults]` (note that `supported_enctypes` is read from the `[realms]` section of the KDC's `kdc.conf`, not from `krb5.conf`):

```ini
[libdefaults]
allow_weak_crypto = true
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal
```

Restart the KDC so the change takes effect:

```bash
/etc/init.d/krb5kdc restart
```
Register the NFS server host and its `nfs/` service principal in IPA:

```bash
kinit admin
ipa host-add nfs3.dadi.com
ipa service-add nfs/nfs3.dadi.com
```
Add the automount entry for the `fsm` home directory under `/home` (the `--info` value contains a space, so it must be quoted):

```bash
## add the fsm /home directory
ipa automountkey-add default auto.home --key=fsm \
    --info="-fstype=nfs4,rw,sec=krb5i,proto=tcp,vers=4 nfs3.dadi.com:/export/fsm"
```

Alternatively, create a new automount location instead of using the default one (which is called `default`):

```bash
ipa automountlocation-add dmz
ipa automountmap-find dmz
ipa automountmap-add dmz auto.home
ipa automountkey-add dmz auto.master --key=/home --info=auto.home
ipa automountkey-add dmz auto.home --key=fsm \
    --info="-fstype=nfs4,rw,sec=krb5i,proto=tcp,vers=4 nfs3.dadi.com:/export/fsm"
```
On the NFS server `nfs3.dadi.com`, install the packages and enrol the host in IPA:

```bash
yum -y install ipa-client nfs-utils ipa-admintools openldap-clients
ipa-client-install --mkhomedir --no-ntp --domain=dadi.com --server=ipa.dadi.com --no-sssd -p admin
```

On `ipa.dadi.com`, fetch the keytabs. Only the `nfs/` principal gets a DES key (`-e des-cbc-crc`); the `host/` principal keeps the default strong enctypes:

```bash
kinit admin
ipa-getkeytab -s ipa.dadi.com -p host/nfs3.dadi.com -k /tmp/krb5.keytab
ipa-getkeytab -s ipa.dadi.com -p nfs/nfs3.dadi.com -k /tmp/krb5.keytab -e des-cbc-crc
scp /tmp/krb5.keytab nfs3.dadi.com:/tmp
```

On `nfs3.dadi.com`, import the keytab:

```bash
rm -f /etc/krb5.keytab
# rkt reads the transferred keytab, wkt writes it out as the system keytab
( echo rkt /tmp/krb5.keytab; echo wkt /etc/krb5.keytab ) | ktutil
### check the principals and their enctypes
klist -etk
```

Enable secure NFS, export the directory and start the services:

```bash
perl -npe 's/#SECURE_NFS="yes"/SECURE_NFS="yes"/g' -i /etc/sysconfig/nfs
# note that sec=sys is still allowed here, so a client may mount without Kerberos;
# drop sys from the list if Kerberos is to be mandatory
cat << EOF > /etc/exports
/export *(rw,sec=sys:krb5:krb5i:krb5p)
EOF
mkdir /export/fsm && cp /etc/skel/.bash* /export/fsm && chmod 700 /export/fsm && chown -R fsm:fsm /export/fsm
service rpcidmapd start
service nfs start
service rpcsvcgssd start
service rpcgssd start
chkconfig rpcgssd on
chkconfig rpcsvcgssd on
chkconfig nfs on
chkconfig rpcidmapd on
```

Finally, edit `/etc/krb5.conf` on the NFS server as well:

```ini
[libdefaults]
allow_weak_crypto = true
```
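The `klist -etk` step above is where the key layout should be checked: the `nfs/` principal must carry the `des-cbc-crc` key, and the `host/` principal should not have picked up any single-DES key. The following script is an added example, not part of the original post; `SAMPLE_KLIST` is constructed `klist -ekt` output for the host `nfs3.dadi.com` and realm `DADI.COM` used above, and the two audit functions are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original post): audit a keytab listing for the key split this
# write-up relies on. SAMPLE_KLIST is constructed `klist -ekt` output, not captured from a host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/10/13 10:00:00 host/nfs3.dadi.com@DADI.COM (aes256-cts-hmac-sha1-96)
   2 01/10/13 10:00:00 host/nfs3.dadi.com@DADI.COM (aes128-cts-hmac-sha1-96)
   2 01/10/13 10:00:00 host/nfs3.dadi.com@DADI.COM (arcfour-hmac)
   2 01/10/13 10:00:01 nfs/nfs3.dadi.com@DADI.COM (des-cbc-crc)'

# keytab_enctypes LISTING PRINCIPAL: print the enctypes LISTING shows for PRINCIPAL, one per line.
# Entry lines look like "KVNO DATE TIME PRINCIPAL (ENCTYPE)", so the principal is field 4.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { gsub(/[()]/, "", $5); print $5 }'
}

# audit_nfs_keytab LISTING HOST REALM: return 0 when
#   - nfs/HOST has the des-cbc-crc key this setup fetches with "-e des-cbc-crc", and
#   - host/HOST carries no single-DES key (it was fetched without -e and should stay strong).
# Each violation is reported on stdout.
audit_nfs_keytab() {
    listing=$1; host=$2; realm=$3; rc=0
    if ! keytab_enctypes "$listing" "nfs/$host@$realm" | grep -qx 'des-cbc-crc'; then
        echo "FAIL: nfs/$host@$realm has no des-cbc-crc key; fetch it again with -e des-cbc-crc"
        rc=1
    fi
    if keytab_enctypes "$listing" "host/$host@$realm" | grep -q '^des-'; then
        echo "FAIL: host/$host@$realm carries a single-DES key; fetch it again without -e"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: keytab enctypes match the expected layout"
    return "$rc"
}

# On the real NFS server: audit_nfs_keytab "$(klist -ekt /etc/krb5.keytab)" nfs3.dadi.com DADI.COM
audit_nfs_keytab "$SAMPLE_KLIST" nfs3.dadi.com DADI.COM
```

The `^des-` pattern deliberately does not match `des3-hmac-sha1`, which is triple DES and not affected by `allow_weak_crypto`.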
5. Configuration on client.dadi.com:
```bash
kinit admin
# nfs/client.dadi.com must already be registered in IPA (ipa service-add)
ipa-getkeytab -s ipa.dadi.com -p nfs/client.dadi.com -k /etc/krb5.keytab -e des-cbc-crc
```

Edit `/etc/krb5.conf`:

```ini
[libdefaults]
allow_weak_crypto = true
```

Configure automount from IPA (to undo it later, run `ipa-client-automount --uninstall`), then start the GSS and idmap daemons:

```bash
ipa-client-automount --location=default -S --server=ipa.dadi.com
chkconfig rpcgssd on
service rpcgssd start
service rpcidmapd start
chkconfig rpcidmapd on
ipa service-show nfs/client.dadi.com
```

Output of `ipa service-show`:

```text
  Principal: nfs/client.dadi.com@DADI.COM
  Keytab: True
  Managed by: client.dadi.com
```
Log in as `fsm` on the client; the home directory has already been mounted automatically:

```text
# ssh -l fsm client.dadi.com
# df -mh
Filesystem                 Size  Used Avail Use% Mounted on
nfs3.dadi.com:/export/fsm   51G  180M   49G   1% /home/fsm
# mount
nfs3.dadi.com:/export/fsm on /home/fsm type nfs (rw,sec=krb5i,vers=4,addr=192.88.50.51,clientaddr=192.88.50.49)
```
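The `mount` output is the place to confirm that the automount map's `sec=krb5i` actually took effect; because the export above still lists `sec=sys`, a mount that silently falls back to `sys` would work but carry no Kerberos integrity at all. The script below is an added example, not part of the original post, covering both the automount `--info` strings and the mount table. `SAMPLE_MOUNT` is constructed `mount` output: only the `/home/fsm` line comes from the post, `/mnt/pub` and `/mnt/old` are invented to show the failure cases, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that NFS traffic really runs under
# Kerberos. SAMPLE_MOUNT is constructed `mount` output; only /home/fsm is taken from the
# post, /mnt/pub and /mnt/old are invented to show the failure cases.
SAMPLE_MOUNT='/dev/mapper/vg-root on / type ext4 (rw)
nfs3.dadi.com:/export/fsm on /home/fsm type nfs (rw,sec=krb5i,vers=4,addr=192.88.50.51,clientaddr=192.88.50.49)
nfs3.dadi.com:/export/pub on /mnt/pub type nfs (rw,vers=3,addr=192.88.50.51)
nfs3.dadi.com:/export/old on /mnt/old type nfs (rw,sec=sys,vers=4,addr=192.88.50.51)'

# awk helper shared by both checks: sec_of(opts) returns the sec= value from a comma-separated
# NFS option list, or "sys" when sec= is absent (which is what the kernel defaults to).
AWK_SEC='function sec_of(opts,   n, o, i, sec) {
    sec = "sys"
    n = split(opts, o, ",")
    for (i = 1; i <= n; i++) if (o[i] ~ /^sec=/) sec = substr(o[i], 5)
    return sec
}
'

# weak_nfs_mounts MOUNT_OUTPUT: print "<mountpoint> <sec>" for each nfs/nfs4 entry of
# `mount` output whose flavour is not krb5, krb5i or krb5p. Fields of a mount line are
# "SOURCE on MOUNTPOINT type FSTYPE (OPTIONS)".
weak_nfs_mounts() {
    printf '%s\n' "$1" | awk "$AWK_SEC"'
        $5 ~ /^nfs4?$/ {
            opts = $6; gsub(/[()]/, "", opts)
            sec = sec_of(opts)
            if (sec !~ /^krb5[ip]?$/) print $3, sec
        }'
}

# automount_info_sec INFO: print the flavour an automount key --info string would mount with,
# e.g. "-fstype=nfs4,rw,sec=krb5i,proto=tcp,vers=4 nfs3.dadi.com:/export/fsm" -> krb5i.
automount_info_sec() {
    printf '%s\n' "$1" | awk "$AWK_SEC"'
        { opts = $1; sub(/^-/, "", opts); print sec_of(opts) }'
}

# On a live client: weak_nfs_mounts "$(mount)"
weak_nfs_mounts "$SAMPLE_MOUNT"
automount_info_sec '-fstype=nfs4,rw,sec=krb5i,proto=tcp,vers=4 nfs3.dadi.com:/export/fsm'
```

Against the sample the first call lists `/mnt/pub sys` and `/mnt/old sys` and says nothing about `/home/fsm`; the second prints `krb5i`. An entry with no `sec=` at all is reported as `sys`, since that is the flavour the kernel uses when none is requested.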
To add a second LDAP server, edit `/etc/sysconfig/autofs`. `LDAP_URI` is a space-separated list, so the value must be quoted:

```bash
LDAP_URI="ldap://ipa.dadi.com ldap://ipa1.dadi.com"
```
References:

- https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerb-nfs.html
- http://www.miljan.org/main/2010/10/18/freeipa-and-automount-nis-maps/