nfs

##########nfs##########


  網絡文件系統(NFS)是Unix系統和網絡附加存儲文件管理器常用的網絡文件系統,允許多個客戶端通過網絡共享文件訪問。它可用於提供對共享二進制目錄的訪問,也可用於允許用戶在同一工作組中從不同客戶端訪問其文件。 


1.安裝服務,設置防火牆

[root@localhost smbshare]# systemctl start firewalld

[root@localhost smbshare]# yum install nfs-utils -y ##服務的安裝

[root@localhost smbshare]# systemctl start nfs-server

[root@localhost smbshare]# systemctl enable  nfs-server

ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'

[root@localhost ~]# firewall-cmd --list-all ##列出區域設置

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client ssh

  ports: 8080/tcp

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

1)

[root@localhost smbshare]# firewall-cmd --permanent --add-service=nfs ##在防火牆中永久放行nfs服務

success

[root@localhost smbshare]# firewall-cmd --reload

success

 

[root@localhost smbshare]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client nfs ssh

  ports: 8080/tcp

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

 

 

測試:

[root@foundation13 kiosk]# showmount -e 172.25.254.113

clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

 

2)

[root@localhost smbshare]# firewall-cmd --permanent --add-service=rpc-bind ##添加服務

success

[root@localhost smbshare]# firewall-cmd --reload

success

 

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client nfs rpc-bind ssh

  ports: 8080/tcp

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

 

 

測試:

[root@foundation13 kiosk]# showmount -e 172.25.254.113

clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

 

3)

[root@localhost smbshare]# firewall-cmd --permanent --add-service=mountd ##添加服務mountd

success

[root@localhost smbshare]# firewall-cmd --reload

success

 

[root@localhost ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0 eth1

  sources:

  services: dhcpv6-client mountd nfs rpc-bind ssh

  ports: 8080/tcp

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

 

 

測試:

[root@foundation13 kiosk]# showmount -e 172.25.254.113

Export list for 172.25.254.113:

 

2.nfs配置

[root@localhost ~]# mkdir /public

 

[root@localhost ~]# chmod 777 /public ##所有用戶均可讀、寫、執行;正式環境應按屬主/屬組授予最小權限

 

[root@localhost ~]# vim /etc/exports

  1 /public *(sync)##public共享給所有人並同步數據

 

[root@localhost ~]# exportfs -rv

exporting *:/public

 

測試:

[kiosk@foundation78 Desktop]$ showmount -e 172.25.254.113

Export list for 172.25.254.113:

/public *

 

/public *.example.com(sync,rw) ##public共享給example.com域名的所有主機 (同步數據,可讀可寫)

 

/public 172.25.254.78(sync,ro) ##public共享給172.25.254.78 (同步數據,只讀)

 

/public *(sync,no_root_squash,rw) ##public共享給所有人,當客戶端使用root掛載時不轉換用戶身份;此時客戶端的root在共享目錄上同樣擁有root權限,因此no_root_squash只應對受信任的主機開放,而不是對*開放

 

/public *(sync,rw,anonuid=1000,anongid=1001) ##public共享給所有人,uid=1000,gid=1001,用戶必須在客戶端存在

 

exportfs -rv ##重新導出/etc/exports中的共享,讓更改生效

 

 

3.利用kerberos保護nfs輸出

 

*在server上

開啓kerberos認證,得到ldap用戶

[root@localhost ~]# yum install sssd krb5-workstation.x86_64  authconfig-gtk.x86_64 -y

 

authconfig-gtk

wKioL1k6rmijaUedAAEbJJHxRJk195.png-wh_50

wKiom1k6rmizOjOwAAEk37Pan8U926.png-wh_50

 

wget http://172.25.254.254/pub/keytabs/server0.keytab -O /etc/krb5.keytab ##keytab內含服務的Kerberos密鑰,而http是明文傳輸;正式環境應通過加密通道分發,並將/etc/krb5.keytab限制爲僅root可讀

 

 wKioL1k6rmmjLebCAADlfShV7Hw198.png-wh_50

 

systemctl start nfs-secure-server

systemctl enable nfs-secure-server

 wKiom1k6rnPRECnVAAMxJj2abwY446.png-wh_50

 

[root@localhost ~]# vim /etc/exports

  1 /public *(rw,sec=krb5p)

 

exportfs -rv

 

 

*desktop上

 

開啓kerberos認證,得到ldap用戶

 

wget http://172.25.254.254/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab ##keytab內含Kerberos密鑰,正式環境應通過加密通道分發並限制爲僅root可讀


systemctl start nfs-secure-server

systemctl enable nfs-secure-server

 

 

[root@localhost ~]# vim /etc/exports

  1 /public *(rw,sec=krb5p)

 

exportfs -rv


測試:

wKiom1k6rnujDnQyAAKeJOBEpIs831.png-wh_50
