[LINUX] How to configure NFSv4 with Kerberos automatic authentication - 创新互联

Environment

  • Red Hat Enterprise Linux 6 and below
  • NFS protocol versions 3 and 4

Issue

  • How to configure NFSv4 with kerberos authentication in Red Hat Enterprise Linux 5?
  • GIDs of users in more than 16 groups are not recognized properly on NFS in RHEL

Resolution

To allow NFS to properly handle the file permissions of users who belong to more than 16 groups, RPCSEC_GSS and Kerberos need to be used instead of the default authentication method (AUTH_SYS). To configure Kerberos and NFSv4, the following article can be used:

Environment used in this procedure:

  • Red Hat Enterprise Linux 5.5 x86_64 server as NFSv4 server and KDC - hostname server.example.com
  • Red Hat Enterprise Linux 4 x86_64 as NFS client - hostname client.example.com

Important points:

  • Time synchronization: All machines that will participate in Kerberos authentication must have a reliable, synchronized time source. Most large organizations offer their own time sources. You can use the RHEL configuration tool system-config-time to set this up, so that the time on the server and on the clients is the same.
  • Hostnames: All hosts must have their hostname set to the fully qualified hostname as reported by DNS. Both forward and reverse mapping must work properly.
  • The host may be referenced by a CNAME, but the official host name (as reported by hostname) must be an ‘A’ record. This is important; if you don’t have this set up properly, then some things will work, while other things will fail mysteriously. If the host name does not match the reverse DNS lookup, Kerberos authentication will fail.
  • You need to choose a Kerberos realm. A Kerberos realm is completely different from a DNS domain, but in most cases you will want to use the same name. By convention, Kerberos realms are all upper case. The Kerberos realm used in this article will be "EXAMPLE.COM".
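
The hostname and realm rules above can be checked before any Kerberos configuration is done. The following is an added example, not part of the original article: the function name, the resolver tables and the 192.0.2.x addresses are constructed for illustration, and the fake resolvers stand in for DNS so the check runs offline.

```python
import socket

def _norm(name):
    """Compare host names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()

def kerberos_host_preflight(fqdn, realm, forward=socket.gethostbyname_ex,
                            reverse=socket.gethostbyaddr):
    """Return findings for the hostname/realm rules; an empty list means OK.

    forward/reverse default to the system resolver. Both return
    (canonical_name, aliases, addresses) and can be swapped for testing.
    """
    findings = []
    if "." not in fqdn.rstrip("."):
        findings.append(f"hostname {fqdn} is not fully qualified")
    if realm != realm.upper():
        findings.append(f"realm {realm} is not upper case")
    try:
        canonical, _aliases, addrs = forward(fqdn)
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return findings + [f"forward lookup of {fqdn} failed: {exc}"]
    if _norm(canonical) != _norm(fqdn):
        findings.append(f"{fqdn} is an alias (CNAME) for {canonical}")
    for ip in addrs:
        try:
            ptr = reverse(ip)[0]
        except OSError as exc:
            findings.append(f"reverse lookup of {ip} failed: {exc}")
            continue
        if _norm(ptr) != _norm(fqdn):
            findings.append(f"{fqdn} resolves to {ip}, which maps back to {ptr}")
    return findings

# Constructed resolver data (documentation addresses), not real DNS records.
FWD = {"server.example.com": ("server.example.com", [], ["192.0.2.10"]),
       "client.example.com": ("client.example.com", [], ["192.0.2.20"]),
       "nfs.example.com": ("server.example.com", ["nfs.example.com"], ["192.0.2.10"])}
REV = {"192.0.2.10": ("server.example.com", [], ["192.0.2.10"]),
       "192.0.2.20": ("host20.example.com", [], ["192.0.2.20"])}

def fake_forward(name):
    if name not in FWD:
        raise socket.gaierror("name not known")
    return FWD[name]

def fake_reverse(ip):
    if ip not in REV:
        raise socket.herror("no PTR record")
    return REV[ip]

if __name__ == "__main__":
    for host in ("server.example.com", "client.example.com", "nfs.example.com"):
        print(host, kerberos_host_preflight(host, "EXAMPLE.COM", fake_forward, fake_reverse) or "OK")
```

On a real host, call `kerberos_host_preflight(socket.gethostname(), "EXAMPLE.COM")` without the fake resolvers so the system resolver is used.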

Packages needed:

On the client machine, make sure that the following packages are installed:

  • krb5-libs
  • krb5-workstation
  • pam_krb5
  • cyrus-sasl-gssapi

On the server machine, make sure that the following package is installed:

  • krb5-server

  1. Configuring the Kerberos service on the server:

    1.1 There are a number of files that have to be manually edited on the server:

    Edit /etc/krb5.conf

    The stock version of this file will have EXAMPLE.COM or example.com everywhere you want to put your own realm or domain name. The two sections in question are libdefaults and domain_realm. The other sections do not need to be changed. In libdefaults, enter your own Kerberos realm name. You may want to set the clock skew to a lower value (provided you are synchronizing time with ntp). The file will look like:
