環(huán)境

• Red Hat Enterprise Linux 6 and below
• NFS protocol versions 3 and 4

問題

• How to configure NFSv4 with kerberos authentication in Red Hat Enterprise Linux 5?
• GIDs of users in more than 16 groups are not recognized properly on NFS in RHEL

決議

To allow NFS manipulate properly the file permissions of users that participate in more than 16 Groups, RPCSEC_GSS and Kerberos need to be used instead the default authentication method (AUTH_SYS). To configure Kerberos and NFSv4, the following article could be used :

成都創(chuàng)新互聯(lián)-成都網(wǎng)站建設(shè)公司，專注網(wǎng)站建設(shè)、成都網(wǎng)站建設(shè)、網(wǎng)站營銷推廣，空間域名，虛擬主機(jī)，成都網(wǎng)站托管有關(guān)企業(yè)網(wǎng)站制作方案、改版、費(fèi)用等問題，請(qǐng)聯(lián)系成都創(chuàng)新互聯(lián)。

Environment used in this procedure :

• Red Hat Enterprise Linux 5.5 x86_64 server as NFSv4 server and KDC - hostname server.example.com
• Red Hat Enterprise Linux 4 x86_64 as NFS client - hostname client.example.com

Important points :

• Time Synchronization:  All machines that will participate in Kerberos authentication must have a reliable, synchronized time source. Most large organization offer their own time sources. You can use the RHEL configuration tool system-config-time to set this up. So, time of both the server and clients will be same.
• Hostnames : All hosts must have their hostname set to the fully qualified hostname as reported by DNS. Both forward and reverse mapping must work properly.
• The host may be referenced by a CNAME, but the official host name (as reported by hostname) must be an ‘A’ record. This is important; if you don’t have this setup properly then some things will work, while other things will fail mysteriously. If the host name does not match the reverse DNS lookup, Kerberos authentication will fail.
• You need to choose a kerberos realm. A kerberos realm is completely different from a DNS domain, but in most cases you will want to use the same name. By convention, kerberos realms are all upper case. The kerberos realm used in this article will be "EXAMPLE.COM".

Packages needed :

On client machine, make it sure that following packages are installed :

• krb5-libs
• krb5-workstation
• pam_krb5
• cyrus-sasl-gssapi

On server machine, make it sure that following package is installed :

• krb5-server

1. Configuring Kerberos service on the Server :

   1.1 There are a number of files that have to be manually edited on the server :

   Edit /etc/krb5.conf

   The stock version of this file will have EXAMPLE.COM or example.com everywhere you want to put your own realm or domain name. The two sections in question are libdefaults and domain_realm. The other sections do not need to be changed. In libdefaults, enter your own Kerberos realm name. You may want to set the clock skew to a lower value (provided you are synchronizing time with ntp). The file will look like :

   Raw

   當(dāng)前標(biāo)題：【LINUX】怎樣配置NFSv4withkerberos自動(dòng)認(rèn)證-創(chuàng)新互聯(lián)
   網(wǎng)頁地址：http://chinadenli.net/article30/ehiso.html

   成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供自適應(yīng)網(wǎng)站、靜態(tài)網(wǎng)站、網(wǎng)站制作、定制開發(fā)、網(wǎng)頁設(shè)計(jì)公司、響應(yīng)式網(wǎng)站

   廣告

   聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請(qǐng)盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng)，如需處理請(qǐng)聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源： 創(chuàng)新互聯(lián)