Tuesday 21 August 2012

configure NFSv4 server

You need to use the nohide option in /etc/exports when using gss/krb5, otherwise anything bind-mounted under the export root is not visible to clients:


/exports             gss/krb5p(rw,sync,fsid=0,no_subtree_check)
/exports/home   gss/krb5p(rw,sync,nohide,no_subtree_check)
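A quick check for the mistake described above, written as an added example (not part of the original post): it parses an exports(5) file, finds the fsid=0 root, and lists every export nested under that root whose options lack nohide. The sample exports lines are constructed for the demo.

```shell
#!/bin/sh
# check_nohide FILE
# Prints each export nested under the fsid=0 root that lacks "nohide"
# (a bind-mounted subtree exported that way stays invisible to clients).
# Exit 0 if all nested exports are fine, 1 if any are missing nohide,
# 2 if no fsid=0 root export exists.
check_nohide() {
    awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments/blanks
    {
        path = $1; opts = ""
        for (i = 2; i <= NF; i++) opts = opts " " $i   # all client(option) specs
        if (opts ~ /fsid=(0|root)/) root = path
        paths[++n] = path; optstr[path] = opts
    }
    END {
        if (root == "") { print "no fsid=0 root export found" > "/dev/stderr"; exit 2 }
        prefix = (root == "/") ? "/" : root "/"
        bad = 0
        for (i = 1; i <= n; i++) {
            p = paths[i]
            if (p == root || index(p, prefix) != 1) continue   # root itself / not under it
            if (optstr[p] !~ /nohide/) { print p; bad = 1 }
        }
        exit bad
    }' "$1"
}

# Demo on a constructed exports file: the page's two lines, with nohide
# removed from /exports/home, plus one correct child and one unrelated export.
demo_file=$(mktemp)
printf '%s\n' \
    '/exports        gss/krb5p(rw,sync,fsid=0,no_subtree_check)' \
    '/exports/home   gss/krb5p(rw,sync,no_subtree_check)' \
    '/exports/data   gss/krb5p(rw,sync,nohide,no_subtree_check)' \
    '/srv/other      *(ro)' > "$demo_file"
check_nohide "$demo_file" || echo "exports listed above are missing nohide"
rm -f "$demo_file"
```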



Thursday 16 August 2012

configure Kerberos to provide user authentication

Install kerberos server packages

[root@auth1 /]# yum install krb5-server

Add the following rules to iptables


-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 749 -j ACCEPT


Edit the kdc conf file

[root@auth1 /]# vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 auth1.EXAMPLE.COM = {
  #master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

Initialise the database

[root@auth1 /]# kdb5_util create

Run kadmin.local and create the principals

[root@auth1 /]# kadmin.local



Tuesday 14 August 2012

configure an NIS server to provide directory services

[root@ds1 ~]# yum install ypserv

[root@ds1 ~]# chkconfig portmap on

add the following to iptables

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT

add the following to /etc/sysconfig/network

YPSERV_ARGS="-p 841"

add the following to iptables (the port opened here must match the one given to -p in YPSERV_ARGS)

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 808 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 808 -j ACCEPT

Set the NIS domain name

[root@auth1 ~]# nisdomainname NISDOMAINNAME

Start NIS

[root@auth1 ~]# service ypserv start

Initialise maps

[root@auth1 /]# /usr/lib/yp/ypinit -m

check access to maps

[root@client ~]# ypcat -d auth1.example.com -h auth1.example.com passwd

Lock down using securenets (one netmask/network pair per line; only hosts in the listed networks may query the maps)

[root@auth1 /]# vim /var/yp/securenets
SUBNETMASK NETWORKADDRESS