##########nfs##########
網絡文件系統(NFS)是Unix系統和網絡附加存儲文件管理器常用的網絡文件系統,允許多個客戶端通過網絡共享文件訪問。它可用於提供對共享二進制目錄的訪問,也可用於允許用戶在同一工作組中從不同客戶端訪問其文件。
1.安裝服務,設置防火牆
[root@localhost smbshare]# systemctl start firewalld
[root@localhost smbshare]# yum install nfs-utils -y##服務的安裝
[root@localhost smbshare]# systemctl start nfs-server
[root@localhost smbshare]# systemctl enable nfs-server
ln -s '/usr/lib/systemd/system/nfs-server.service' '/etc/systemd/system/nfs.target.wants/nfs-server.service'
[root@localhost ~]# firewall-cmd --list-all##列出區域設置
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
1)
[root@localhost smbshare]# firewall-cmd --permanent --add-service=nfs ##在防火牆中放行nfs服務
success
[root@localhost smbshare]# firewall-cmd --reload
success
[root@localhost smbshare]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client nfs ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
測試:
[root@foundation13 kiosk]# showmount -e 172.25.254.113
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)
2)
[root@localhost smbshare]# firewall-cmd --permanent --add-service=rpc-bind ##添加服務
success
[root@localhost smbshare]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client nfs rpc-bind ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
測試:
[root@foundation13 kiosk]# showmount -e 172.25.254.113
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)
3)
[root@localhost smbshare]# firewall-cmd --permanent --add-service=mountd##添加服務mountd
success
[root@localhost smbshare]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client mountd nfs rpc-bind ssh
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
測試:
[root@foundation13 kiosk]# showmount -e 172.25.254.113
Export list for 172.25.254.113:
2.nfs配置
[root@localhost ~]# mkdir /public
[root@localhost ~]# chmod 777 /public ##所有用戶可讀、可寫、可執行,僅適合實驗環境;正式環境應按實際用戶/組收緊目錄權限
[root@localhost ~]# vim /etc/exports
1 /public *(sync) ##public共享給所有人並同步數據(未指定rw時默認爲只讀)
[root@localhost ~]# exportfs -rv
exporting *:/public
測試:
[kiosk@foundation78 Desktop]$ showmount -e 172.25.254.113
Export list for 172.25.254.113:
/public *
/etc/exports的其他寫法示例:
/public *.example.com(sync,rw) ##public共享給example.com域名的所有主機 (同步數據,可讀可寫)
/public 172.25.254.78(sync,ro) ##public共享給172.25.254.78 (同步數據,只讀)
/public *(sync,no_root_squash,rw) ##public共享給所有人,當客戶端使用root掛載時不轉換用戶身份;注意:此時客戶端的root在該共享上等同於服務端的root,不應與 * 一起用於不受信任的網絡,應限定爲受信任的主機
/public *(sync,rw,anonuid=1000,anongid=1001) ##public共享給所有人,uid=1000,gid=1001,用戶必須在客戶端存在
exportfs -rv##刷新服務,讓更改生效
3.利用kerberos保護nfs輸出
*在server上
開啓kerberos認證,得到ldap用戶
[root@localhost ~]# yum install sssd krb5-workstation.x86_64 authconfig-gtk.x86_64 -y
authconfig-gtk
wget http://172.25.254.254/pub/keytabs/server0.keytab -O /etc/krb5.keytab ##keytab相當於主機的長期密鑰;此處是實驗環境,用明文http下載,正式環境應通過加密通道分發,並確保/etc/krb5.keytab僅root可讀(desktop端的keytab同理)
systemctl start nfs-secure-server
systemctl enable nfs-secure-server
[root@localhost ~]# vim /etc/exports
1 /public *(rw,sec=krb5p) ##krb5p:kerberos認證+完整性校驗+傳輸數據加密
exportfs -rv
*在desktop上(注:下列nfs-secure-server與/etc/exports步驟與server端相同;客戶端一般是啓動nfs-secure服務,並在掛載時指定sec=krb5p,請按實際環境確認)
開啓kerberos認證,得到ldap用戶
wget http://172.25.254.254/pub/keytabs/desktop0.keytab -O /etc/krb5.keytab
systemctl start nfs-secure-server
systemctl enable nfs-secure-server
[root@localhost ~]# vim /etc/exports
1 /public *(rw,sec=krb5p)
exportfs -rv
測試: