CentOS Bridge Setup

Reference for bridge configuration when using KVM

 

  • Check the sysctl value
[root@kvm-server01 ~]# sysctl -a |grep -i net.ipv4.ip_forward
net.ipv4.ip_forward = 1

If it is not set, edit sysctl.conf and apply it. Keep in mind what this flag does: a Linux bridge switches frames at layer 2 and works without it; ip_forward is what libvirt's NAT/routed networks (virbr0) need, and turning it on makes the host an IP router for every interface, so the host firewall rules have to account for that.

[root@kvm-server01 ~]# vi /etc/sysctl.conf
[root@kvm-server01 ~]# sysctl -p
net.ipv4.ip_forward = 1

 

  • Check for bridge-utils and install it if absent
[root@kvm-server01 ~]# rpm -aq |grep -i bridge-utils
bridge-utils-1.5-9.el7.x86_64

Install it if it is not present. The RHEL 7 network-scripts call brctl to create a TYPE=Bridge device, so the package is required here even though the ip link and bridge commands from iproute2 are the current tools for the same job.
[root@kvm-server01 ~]# yum install bridge-utils -y

 

  • Change the configuration
  • em1 keeps only its device definition plus BRIDGE=br0; the IP settings move to ifcfg-br0.
  • Because ifcfg-br0 starts as a copy of ifcfg-em1, delete any HWADDR or UUID line it inherited from the physical NIC, and either add NM_CONTROLLED=no to both files or stop NetworkManager so that it does not reconfigure em1 behind the network service.
[root@kvm-server01 ~]# cd /etc/sysconfig/network-scripts/
[root@kvm-server01 network-scripts]# cp ifcfg-em1 ifcfg-br0
[root@kvm-server01 network-scripts]# vi ifcfg-em1
# Generated by dracut initrd
DEVICE=em1
ONBOOT=yes
BRIDGE=br0

[root@kvm-server01 network-scripts]# vi ifcfg-br0
# Generated by dracut initrd
TYPE=Bridge
DEVICE=br0
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.10.10.10
NETMASK=255.255.255.0
GATEWAY=10.10.10.254

 

  • Restart the network daemon and verify
  • Doing this over ssh may drop the session while em1 is moved under br0; use a console or a screen/tmux session if you can. Afterwards br0 should own the IP address and the MAC address that em1 had (d4:ae:52:e7:ac:dd below), em1 should carry no address of its own, and virbr0 is libvirt's default NAT network, unrelated to this bridge.
[root@kvm-server01 ~]# systemctl restart network
[root@kvm-server01 ~]# ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.10.10  netmask 255.255.255.0  broadcast 10.10.10.255
        inet6 fe80::d6ae:52ff:fee7:acdd  prefixlen 64  scopeid 0x20<link>
        ether d4:ae:52:e7:ac:dd  txqueuelen 1000  (Ethernet)
        RX packets 924  bytes 54105 (52.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 85  bytes 9647 (9.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether d4:ae:52:e7:ac:dd  txqueuelen 1000  (Ethernet)
        RX packets 1071  bytes 81630 (79.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88  bytes 10225 (9.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:a3:ab:16  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@kvm-server01 ~]#
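Before restarting the network service, which cuts off a remote session if the bridge configuration is wrong, it is worth checking the two ifcfg files mechanically. The following bash script is an added example for this page, not a CentOS tool: it re-creates the ifcfg-em1 / ifcfg-br0 pair shown above in a temporary directory and checks it for the mistakes that typically leave the host unreachable (address left on the slave, missing TYPE=Bridge, bridge without an address, UUID copied over by cp). The helper names ifcfg_get, check_bridge_ifcfg and write_sample_ifcfg are the example's own.

```shell
#!/usr/bin/env bash
# Pre-flight check of an ifcfg bridge/slave pair before "systemctl restart network".
# Added example for this page (not part of CentOS); assumes the network-scripts layout
# used above: ifcfg-<slave> with BRIDGE=, ifcfg-<bridge> with TYPE=Bridge.

# ifcfg_get <file> <KEY>: value of KEY with quotes removed; the last definition wins.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# _problem <msg>: report one finding; "problems" is the caller's counter (bash dynamic scoping).
_problem() { echo "$1"; problems=$((problems + 1)); }

# check_bridge_ifcfg <network-scripts dir> <slave> <bridge>
# Prints one line per problem found and returns 1 if there were any.
check_bridge_ifcfg() {
    local dir=$1 slave=$2 br=$3 f problems=0
    local s="$dir/ifcfg-$slave" b="$dir/ifcfg-$br"
    for f in "$s" "$b"; do
        [ -f "$f" ] || { echo "missing $f"; return 1; }
    done

    # Slave: must be enslaved to the bridge and must not carry an address of its own.
    [ "$(ifcfg_get "$s" BRIDGE)" = "$br" ]    || _problem "$s: BRIDGE=$br is missing"
    [ -z "$(ifcfg_get "$s" IPADDR)" ]         || _problem "$s: IPADDR belongs in ifcfg-$br, not on the slave"
    [ "$(ifcfg_get "$s" BOOTPROTO)" != dhcp ] || _problem "$s: BOOTPROTO=dhcp would give the slave its own address"
    [ "$(ifcfg_get "$s" ONBOOT)" = yes ]      || _problem "$s: ONBOOT=yes is required"

    # Bridge: right type and name, and it must end up with an address or the host goes dark.
    [ "$(ifcfg_get "$b" TYPE)" = Bridge ]     || _problem "$b: TYPE=Bridge is required"
    [ "$(ifcfg_get "$b" DEVICE)" = "$br" ]    || _problem "$b: DEVICE=$br is required"
    [ "$(ifcfg_get "$b" ONBOOT)" = yes ]      || _problem "$b: ONBOOT=yes is required"
    if [ -z "$(ifcfg_get "$b" IPADDR)" ] && [ "$(ifcfg_get "$b" BOOTPROTO)" != dhcp ]; then
        _problem "$b: neither IPADDR nor BOOTPROTO=dhcp: the host will have no address after the restart"
    fi
    # Leftover from "cp ifcfg-em1 ifcfg-br0": a UUID identifies the NIC's connection and must not be duplicated.
    [ -z "$(ifcfg_get "$b" UUID)" ]           || _problem "$b: UUID copied from the slave, remove it"

    [ "$problems" -eq 0 ]
}

# Constructed sample: the ifcfg-em1 / ifcfg-br0 pair from this page, written into <dir>.
write_sample_ifcfg() {
    cat >"$1/ifcfg-em1" <<'EOF'
DEVICE=em1
ONBOOT=yes
BRIDGE=br0
EOF
    cat >"$1/ifcfg-br0" <<'EOF'
TYPE=Bridge
DEVICE=br0
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.10.10.10
NETMASK=255.255.255.0
GATEWAY=10.10.10.254
EOF
}

demo_dir=$(mktemp -d)
write_sample_ifcfg "$demo_dir"
if check_bridge_ifcfg "$demo_dir" em1 br0; then
    echo "ifcfg-em1 / ifcfg-br0 are consistent"
fi
rm -rf "$demo_dir"
```

On a real host run `check_bridge_ifcfg /etc/sysconfig/network-scripts em1 br0` before `systemctl restart network`; afterwards `ip -br addr show br0` and `bridge link show` confirm that br0 carries the address and em1 is a port of it.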

 

 

[CentOS7] Kerberos Test

This document is a work in progress written for testing; please treat it as a reference only.

Some steps fail depending on the version, so install exactly the same version.

Tested on RHEL 7.0 / CentOS 7.0.

Using a different version may cause the tests to fail.

The system setup needs instructor.example.com and system1.example.com.

In the prerequisite setup, instructor.example.com is configured as the DNS server.

Note: if you use a *.example.com wildcard in /etc/exports, reverse (PTR) records must be configured in DNS, because mountd matches host patterns against the name it resolves from the client's address.

 

  • Work on instructor.example.com
  • Install Kerberos
[root@instructor ~]# yum install -y krb5-server krb5-workstation pam_krb5

 

  • Edit the /etc/krb5.conf file
  • If you are setting up something other than example.com, replace example.com with your own domain and
  • set kdc / admin_server to the host of your Kerberos KDC.
  • The /var/kerberos/krb5kdc/kadm5.acl file also needs to be edited.
[root@instructor ~]# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = instructor.example.com
  admin_server = instructor.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 

  • kadm5.acl file
# For a different domain, use TEST.COM etc. instead of EXAMPLE.COM. This line gives every principal with the "admin" instance full rights over the database.
[root@instructor ~]# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM     *

 

  • Register the KDC database master key with the Kerberos database maintenance utility. -s stores the master key in the stash file /var/kerberos/krb5kdc/.k5.EXAMPLE.COM so the KDC can start unattended; anyone who can read that file can decrypt the principal database, so keep it root-only and out of ordinary backups.
[root@instructor ~]# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@instructor ~]#

 

  • kdb5_util hangs
[root@instructor ~]# kdb5_util create -s -r EXAMPLE.COM
Loading random data


~ (output omitted)
It does not proceed and never completes: kdb5_util reads from /dev/random, which blocks until the kernel entropy pool fills, and a freshly installed VM has little entropy to offer.

Install the package
[root@instructor ~]# yum install rng-tools
[root@instructor ~]# rngd -r /dev/urandom

After running rngd, the command completes normally when run again. Feeding /dev/urandom back into the pool only unblocks /dev/random, it adds no real entropy; on a VM, attach a virtio-rng device to the guest and run rngd with its default source, /dev/hwrng, instead.

[root@instructor ~]# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@instructor ~]#

 

  • Start and enable the krb5kdc / kadmin daemons
[root@instructor ~]# systemctl start krb5kdc kadmin
[root@instructor ~]# systemctl enable krb5kdc kadmin

 

  • Create the test user and set a password (use a password different from the Kerberos one, so it is clear which credential authenticated)
[root@instructor ~]# useradd test
[root@instructor ~]# passwd test

 

  • Set the root/admin password.
  • Create a normal user principal for the ssh test.
  • Register the password of the test user principal.
[root@instructor ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local:  addprinc test
WARNING: no policy specified for test@EXAMPLE.COM; defaulting to no policy
Enter password for principal "test@EXAMPLE.COM":
Re-enter password for principal "test@EXAMPLE.COM":
Principal "test@EXAMPLE.COM" created.
kadmin.local:  quit
[root@instructor ~]#

 

  • Create the keytab file
  • ktadd writes the principal's keys to /etc/krb5.keytab; since the principal was created with -randkey, no password ever exists and only the keytab holds the key. Every later ktadd for the same principal generates a fresh random key and increments the kvno, so copies of the keytab on other hosts that only hold the previous kvno stop working. Keep the file owned by root with mode 0600.
  • The DES, arcfour and camellia entries appear because the RHEL 7 default kdc.conf lists them in supported_enctypes; restrict that setting to aes256-cts:normal aes128-cts:normal before creating principals so that weak keys are never generated (clients refuse single-DES keys anyway unless allow_weak_crypto = true).
[root@instructor krb5kdc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc -randkey host/instructor.example.com
WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/instructor.example.com@EXAMPLE.COM" created.
kadmin.local:  ktadd host/instructor.example.com
Entry for principal host/instructor.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  quit
[root@instructor krb5kdc]#

 

  • Run the local test.
  • After authenticating to Kerberos you can ssh in without a password: sshd's GSSAPIAuthentication (on by default on RHEL 7) accepts the service ticket and verifies it with the host/instructor.example.com key in /etc/krb5.keytab, so the host principal must be in the keytab before this works. The "renew until" time equals the start time, so the ticket is not renewable: renew_lifetime in krb5.conf is only a request, and the KDC caps it at max_renewable_life from kdc.conf, which is 0 unless set.
[root@instructor ~]# su - test
[test@instructor ~]$ kinit
Password for test@EXAMPLE.COM:
[test@instructor ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: test@EXAMPLE.COM

Valid starting       Expires              Service principal
02/16/2019 13:15:31  02/17/2019 13:15:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/16/2019 13:15:31
[test@instructor ~]$ ssh instructor.example.com
The authenticity of host 'instructor.example.com (192.168.0.100)' can't be established.
ECDSA key fingerprint is 5b:4e:c4:0b:af:2b:70:50:84:5e:d8:ca:99:23:99:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'instructor.example.com,192.168.0.100' (ECDSA) to the list of known hosts.
Last login: Sat Feb 16 13:15:27 2019
[test@instructor ~]$

 

  • The following test is run on a separate system.
  • ssh client test
[root@rhel70-temp ~]# useradd test
[root@rhel70-temp ~]# passwd test

[root@rhel70-temp ~]# yum install -y krb5-workstation pam_krb5
[root@rhel70-temp ~]# authconfig  --enablekrb5 --update
[root@rhel70-temp ~]# scp root@instructor.example.com:/etc/krb5.conf /etc/krb5.conf

 

  • Switch to the test user and run kinit to authenticate to Kerberos.
  • klist must show the ticket.
  • Run the ssh connection test.
[root@rhel70-temp ~]# su - test
[test@rhel70-temp ~]$ kinit
Password for test@EXAMPLE.COM:
[test@rhel70-temp ~]$ klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: test@EXAMPLE.COM

Valid starting       Expires              Service principal
02/16/2019 13:20:21  02/17/2019 13:20:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/16/2019 13:20:21
[test@rhel70-temp ~]$ ssh instructor.example.com
The authenticity of host 'instructor.example.com (192.168.0.100)' can't be established.
ECDSA key fingerprint is 5b:4e:c4:0b:af:2b:70:50:84:5e:d8:ca:99:23:99:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'instructor.example.com,192.168.0.100' (ECDSA) to the list of known hosts.
Last login: Sat Feb 16 13:15:50 2019 from 192.168.0.100
[test@instructor ~]$

 

  • NFS Kerberos setup

 

  • A wildcard in /etc/exports requires reverse DNS.
  • These are the settings for using NFS on the instructor.example.com system.
  • Commands
# kadmin

addprinc -randkey host/instructor.example.com
addprinc -randkey host/system1.example.com
addprinc -randkey nfs/instructor.example.com
addprinc -randkey nfs/system1.example.com
addprinc -randkey nfs/instructor

ktadd nfs/instructor.example.com
ktadd host/instructor.example.com
ktadd nfs/instructor

ktadd -k /root/system1.keytab host/system1.example.com
ktadd -k /root/system1.keytab nfs/system1.example.com

 

  • Command log for reference
  • "already exists" messages appear where a principal had been created earlier. The first session also shows a paste error (the "kadmin:" prompt pasted as part of the command, which kadmin rejects as an unknown request); the second session is the one that counts.
[root@instructor ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin:  addprinc -randkey host/instructor.example.com
WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "host/instructor.example.com@EXAMPLE.COM".
kadmin:  kadmin: addprinc -randkey host/system1.example.com
kadmin: Unknown request "kadmin:".  Type "?" for a request list.
kadmin:  [root@instructor ~]#
[root@instructor ~]#
[root@instructor ~]#
[root@instructor ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin:  addprinc -randkey host/instructor.example.com
WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "host/instructor.example.com@EXAMPLE.COM".
kadmin:  addprinc -randkey host/system1.example.com
WARNING: no policy specified for host/system1.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/system1.example.com@EXAMPLE.COM" created.
kadmin:  addprinc -randkey nfs/instructor.example.com
WARNING: no policy specified for nfs/instructor.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/instructor.example.com@EXAMPLE.COM" created.
kadmin:  addprinc -randkey nfs/system1.example.com
WARNING: no policy specified for nfs/system1.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/system1.example.com@EXAMPLE.COM" created.
kadmin:  addprinc -randkey nfs/instructor
WARNING: no policy specified for nfs/instructor@EXAMPLE.COM; defaulting to no policy
Principal "nfs/instructor@EXAMPLE.COM" created.
kadmin:  ktadd nfs/instructor.example.com
Entry for principal nfs/instructor.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor.example.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor.example.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  ktadd host/instructor.example.com
Entry for principal host/instructor.example.com with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 3, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 3, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 3, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 3, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 3, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/instructor.example.com with kvno 3, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  ktadd nfs/instructor
Entry for principal nfs/instructor with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal nfs/instructor with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin:  ktadd -k /root/client.keytab host/system1.example.com
Entry for principal host/system1.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/client.keytab.
Entry for principal host/system1.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/client.keytab.
Entry for principal host/system1.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/client.keytab.
Entry for principal host/system1.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/client.keytab.
Entry for principal host/system1.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/client.keytab.
Entry for principal host/system1.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/client.keytab.
Entry for principal host/system1.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/client.keytab.
Entry for principal host/system1.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/client.keytab.
kadmin:  ktadd -k /root/client.keytab nfs/system1.example.com
Entry for principal nfs/system1.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/client.keytab.
Entry for principal nfs/system1.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/client.keytab.
Entry for principal nfs/system1.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/client.keytab.
Entry for principal nfs/system1.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/client.keytab.
Entry for principal nfs/system1.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/root/client.keytab.
Entry for principal nfs/system1.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/root/client.keytab.
Entry for principal nfs/system1.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/client.keytab.
Entry for principal nfs/system1.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/client.keytab.
kadmin:

 

  • Verify the settings
kadmin:  listprincs
K/M@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/system1.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
nfs/instructor.example.com@EXAMPLE.COM
nfs/instructor@EXAMPLE.COM
nfs/system1.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
test@EXAMPLE.COM
kadmin:  quit
[root@instructor ~]#
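The ktadd output above (host/instructor.example.com at kvno 2 in the keytab step, and again at kvno 3 in the NFS session) shows DES and RC4 keys being written and a kvno bump on the second ktadd. The following bash/awk script is an added example for this page, not part of MIT Kerberos: it reads the output of `klist -kte` and reports weak encryption types and key versions superseded by a newer one. The `klist -kte` listing embedded in it is constructed to mirror the ktadd runs on this page; the function names keytab_audit and sample_klist_output are the example's own.

```shell
#!/usr/bin/env bash
# Audit a keytab listing for weak encryption types and stale key versions.
# Added example for this page (not an MIT Kerberos tool). It parses "klist -kte"
# output, whose data lines look like:
#    2 02/16/2019 13:10:05 host/instructor.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

# keytab_audit: reads "klist -kte" output on stdin, prints WEAK/STALE findings, one per line.
keytab_audit() {
    awk '
    /^ *[0-9]+ / {
        kvno = $1 + 0; princ = $4; etype = $5
        gsub(/[()]/, "", etype)
        # Single DES, 3DES and RC4 (arcfour) keys: single DES is refused by clients unless
        # allow_weak_crypto is set, 3DES and RC4 are deprecated by RFC 8429. They get
        # written because kdc.conf supported_enctypes still lists them.
        if (etype ~ /^des-/ || etype ~ /^des3-/ || etype ~ /^arcfour/)
            print "WEAK  " princ " kvno=" kvno " " etype
        if (!(princ in maxk) || kvno > maxk[princ]) maxk[princ] = kvno
        seen[princ SUBSEP kvno] = 1
    }
    END {
        # Each ktadd re-randomizes the key and bumps the kvno. Entries below the current
        # kvno are dead weight here, and a copy of the keytab elsewhere that only holds
        # the old kvno no longer matches what the KDC issues.
        for (k in seen) {
            split(k, p, SUBSEP)
            if (p[2] + 0 < maxk[p[1]])
                print "STALE " p[1] " kvno=" p[2] " (current kvno=" maxk[p[1]] ")"
        }
    }'
}

# Constructed "klist -kte" output modelled on the ktadd runs above:
# host/instructor.example.com was ktadd-ed twice (kvno 2, then 3), nfs/instructor.example.com once.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/16/2019 13:10:05 host/instructor.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/16/2019 13:10:05 host/instructor.example.com@EXAMPLE.COM (arcfour-hmac)
   2 02/16/2019 13:10:05 host/instructor.example.com@EXAMPLE.COM (des-cbc-md5)
   2 02/16/2019 13:40:12 nfs/instructor.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/16/2019 13:40:12 nfs/instructor.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 02/16/2019 13:40:30 host/instructor.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 02/16/2019 13:40:30 host/instructor.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
}

sample_klist_output | keytab_audit
```

On the KDC or on any client run `klist -kte /etc/krb5.keytab | keytab_audit`. To stop weak keys from being generated in the first place, set supported_enctypes = aes256-cts:normal aes128-cts:normal in the [realms] section of /var/kerberos/krb5kdc/kdc.conf before running addprinc/ktadd; entries for superseded kvnos can be dropped with `kadmin ktremove principal old`.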

 

  • Create the NFS shared directories
  • During testing, the *.example.com pattern for the client range does not work until reverse DNS is set up. 192.168.0.* matches the numeric address, but the form exports(5) documents for an address range is network/mask, e.g. 192.168.0.0/24.
[root@instructor ~]# mkdir /{public,protected}
[root@instructor ~]# vi /etc/exports
/public         192.168.0.*(rw,sync)
/protected      192.168.0.*(rw,sec=krb5p)

 

  • After setting up reverse DNS you can also configure it as below.
You must be able to resolve the IP address back to the host name with nslookup.
[root@instructor ~]# nslookup
> system1.example.com
Server:         192.168.0.100
Address:        192.168.0.100#53

Name:   system1.example.com
Address: 192.168.0.20
> 192.168.0.20
Server:         192.168.0.100
Address:        192.168.0.100#53

20.0.168.192.in-addr.arpa       name = system1.example.com.
>

[root@instructor ~]# cat /etc/exports
/public         *.example.com(rw,sync)
/protected      *.example.com(rw,sec=krb5p)
[root@instructor ~]#

 

  • Change /etc/sysconfig/nfs (enables NFSv4.2 in rpc.nfsd; the client later mounts with version 4.2)
[root@instructor ~]# vi /etc/sysconfig/nfs

RPCNFSDARGS="-V 4.2"

 

  • Start and enable nfs-server and nfs-secure-server (rpc.svcgssd, which validates the clients' Kerberos credentials on the server side)
[root@instructor ~]# authconfig  --enablekrb5 --update
[root@instructor ~]# systemctl start nfs-secure-server nfs-server
[root@instructor ~]# systemctl enable nfs-secure-server nfs-server

 

  • Configure the NFS client.
  • Install the package needed for nfs-secure (rpc.gssd).
[root@system1 ~]# yum install -y nfs-utils

 

  • Copy the krb5.conf / krb5.keytab files
  • Start the nfs-secure daemon
  • The source file must be the one ktadd -k wrote (the command list above uses /root/system1.keytab, the captured log /root/client.keytab). The keytab is a long-term credential for this host: make sure it is owned by root with mode 0600 on system1, and delete the copy left under /root on instructor once it has been transferred.
[root@system1 ~]# scp root@instructor.example.com:/etc/krb5.conf /etc/krb5.conf
[root@system1 ~]# scp root@instructor.example.com:/root/system1.keytab /etc/krb5.keytab

[root@system1 ~]# systemctl enable nfs-secure
[root@system1 ~]# systemctl start nfs-secure

 

  • Run the mount test
[root@system1 ~]# mount -t nfs -o sec=krb5p instructor.example.com:/protected /mnt
[root@system1 ~]# df -h
Filesystem                         Size  Used Avail Use% Mounted on
/dev/sda3                          9.8G  818M  9.0G   9% /
devtmpfs                           989M     0  989M   0% /dev
tmpfs                              994M     0  994M   0% /dev/shm
tmpfs                              994M  8.5M  986M   1% /run
tmpfs                              994M     0  994M   0% /sys/fs/cgroup
/dev/sda1                          997M   97M  901M  10% /boot
instructor.example.com:/protected  8.1G  3.3G  4.8G  41% /mnt
[root@system1 ~]#

 

  • NFS wildcard test after setting up reverse DNS
  • The "No such file or directory" message is from a temporary mount attempt made before reverse DNS was in place: with a *.example.com pattern, mountd cannot match a client it cannot resolve back to a name, so it answers as if the export did not exist.
[root@system1 ~]# mount -t nfs -o sec=krb5p,vers=4.2 instructor.example.com:/protected /mnt
mount.nfs: mounting instructor.example.com:/protected failed, reason given by server: No such file or directory
[root@system1 ~]# mount -t nfs -o sec=krb5p,vers=4.2 instructor.example.com:/protected /mnt
[root@system1 ~]# df -h
Filesystem                         Size  Used Avail Use% Mounted on
/dev/sda3                          9.0G  821M  8.2G   9% /
devtmpfs                           989M     0  989M   0% /dev
tmpfs                              994M     0  994M   0% /dev/shm
tmpfs                              994M  8.5M  986M   1% /run
tmpfs                              994M     0  994M   0% /sys/fs/cgroup
/dev/sda1                          509M   90M  419M  18% /boot
instructor.example.com:/protected  9.0G  4.5G  4.6G  50% /mnt
[root@system1 ~]#
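Both the note on the export table above (*.example.com fails until reverse DNS exists, 192.168.0.* works) and the failed mount just shown follow from one rule: mountd compares host patterns against the name it resolves for the client's address, and when there is no PTR record that name is the numeric address itself. The following bash script is an added example for this page, not nfs-utils code: a simplified model of exports(5) client matching (network/mask entries, wildcard patterns, exact names) applied to a constructed exports file, with the client's PTR name passed in explicitly so the two cases can be compared offline. The function names and the /legacy and /kdc shares are the example's own.

```shell
#!/usr/bin/env bash
# Model of how an /etc/exports client list is matched against a mounting client.
# Added example for this page, not nfs-utils code. Rules modelled from exports(5):
# network/mask entries match the client's address; host names and wildcard patterns
# are compared with the name resolved for the client address, which is the numeric
# address itself when the client has no PTR record.

ip_to_int() {                    # dotted quad -> integer
    local IFS=. a b c d
    read -r a b c d <<<"$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

cidr_contains() {                # cidr_contains 192.168.0.0/24 192.168.0.20
    local net=${1%/*} bits=${1#*/} mask
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# client_spec_matches <spec> <client ip> <ptr name or empty string>
client_spec_matches() {
    local spec=$1 ip=$2 ptr=$3 name=${3:-$2}
    case $spec in
        */*)        cidr_contains "$spec" "$ip" ;;                     # 192.168.0.0/24
        *\**|*\?*)  case $name in $spec) return 0 ;; esac; return 1 ;;  # *.example.com, 192.168.0.*
        *)          [ "$spec" = "$ip" ] || [ "$spec" = "$ptr" ] ;;     # exact host name or address
    esac
}

# export_allows <exports file> <exported path> <client ip> <ptr name or empty string>
# Prints the options of the first matching client entry; returns 1 when the client
# is not listed, which the client sees as "No such file or directory".
export_allows() {
    local file=$1 path=$2 ip=$3 ptr=$4 dir rest entry spec opts
    local -a entries
    while read -r dir rest; do
        [ "$dir" = "$path" ] || continue
        read -ra entries <<<"${rest%%#*}"       # drop trailing comments, split client entries
        for entry in "${entries[@]}"; do
            spec=${entry%%(*}
            if client_spec_matches "$spec" "$ip" "$ptr"; then
                opts=${entry#"$spec"}; opts=${opts#(}; opts=${opts%)}
                echo "${opts:-defaults}"
                return 0
            fi
        done
    done < "$file"
    return 1
}

# Constructed exports file: the /public and /protected lines from this page plus two
# extra shares (/legacy with the page's 192.168.0.* form, /kdc with an exact host name).
write_sample_exports() {
    cat >"$1" <<'EOF'
/public     192.168.0.0/24(rw,sync)
/protected  *.example.com(rw,sec=krb5p)
/legacy     192.168.0.*(rw,sec=krb5p)
/kdc        instructor.example.com(rw)
EOF
}

demo=$(mktemp)
write_sample_exports "$demo"
for ptr in "" system1.example.com; do
    if opts=$(export_allows "$demo" /protected 192.168.0.20 "$ptr"); then
        echo "/protected for 192.168.0.20 (PTR='$ptr'): exported with $opts"
    else
        echo "/protected for 192.168.0.20 (PTR='$ptr'): not exported to this client"
    fi
done
rm -f "$demo"
```

Run with the real file and the name `host 192.168.0.20` returns to see which entry a client would hit: `export_allows /etc/exports /protected 192.168.0.20 system1.example.com`. The model also shows why the network/mask form is the robust choice for an address range: it never depends on DNS.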

 

  • If the mount fails, test the keytab with kinit.
  • Install krb5-workstation / pam_krb5.
  • rpc.gssd obtains the machine credential straight from /etc/krb5.keytab, so no kinit is needed for the mount itself; a successful kinit -k proves that the keytab's key and kvno agree with the KDC, while a failure points at the keytab or at clock skew between the hosts.
[root@system1 ~]# yum install -y krb5-workstation pam_krb5
[root@system1 ~]# kinit -k -t /etc/krb5.keytab nfs/system1.example.com
[root@system1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: nfs/system1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
02/16/2019 14:10:25  02/17/2019 14:10:25  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/16/2019 14:10:25
[root@system1 ~]#

 

  • Mount test
[root@system1 ~]# mount -t nfs -o sec=krb5p instructor.example.com:/protected /mnt

[root@system1 ~]# df -h
Filesystem                         Size  Used Avail Use% Mounted on
/dev/sda3                          9.8G  841M  9.0G   9% /
devtmpfs                           989M     0  989M   0% /dev
tmpfs                              994M     0  994M   0% /dev/shm
tmpfs                              994M  8.5M  986M   1% /run
tmpfs                              994M     0  994M   0% /sys/fs/cgroup
/dev/sda1                          997M   97M  901M  10% /boot
instructor.example.com:/protected  8.1G  3.3G  4.8G  41% /mnt
[root@system1 ~]#

 

  • Edit /etc/fstab
  • Mount both the plain directory and the Kerberos-authenticated directory (vers=4.2 is the spelling nfs(5) documents for the version option).
[root@system1 ~]# mkdir /mnt/{public,protected}

[root@system1 ~]# vi /etc/fstab

instructor.example.com:/protected         /mnt/protected          nfs     defaults,sec=krb5p,v4.2    0 0
instructor.example.com:/public            /mnt/public             nfs     defaults      0 0

 

  • Mount and verify
[root@system1 ~]# mount -a
[root@system1 ~]# df -h
Filesystem                         Size  Used Avail Use% Mounted on
/dev/sda3                          9.0G  821M  8.2G   9% /
devtmpfs                           989M     0  989M   0% /dev
tmpfs                              994M     0  994M   0% /dev/shm
tmpfs                              994M  8.5M  986M   1% /run
tmpfs                              994M     0  994M   0% /sys/fs/cgroup
/dev/sda1                          509M   90M  419M  18% /boot
instructor.example.com:/protected  9.0G  4.5G  4.6G  50% /mnt/protected
instructor.example.com:/public     9.0G  4.5G  4.6G  50% /mnt/public
[root@system1 ~]#

 

  • Reboot the system and verify
[root@system1 ~]# init 6


# Check after the reboot
login as: root
root@192.168.0.20's password:
Last login: Wed Feb 27 00:21:13 2019 from 192.168.0.1
[root@system1 ~]# df -h
Filesystem                         Size  Used Avail Use% Mounted on
/dev/sda3                          9.0G  820M  8.2G   9% /
devtmpfs                           989M     0  989M   0% /dev
tmpfs                              994M     0  994M   0% /dev/shm
tmpfs                              994M  8.6M  986M   1% /run
tmpfs                              994M     0  994M   0% /sys/fs/cgroup
/dev/sda1                          509M   90M  419M  18% /boot
instructor.example.com:/protected  9.0G  4.5G  4.6G  50% /mnt/protected
instructor.example.com:/public     9.0G  4.5G  4.6G  50% /mnt/public
[root@system1 ~]#