Configuration

1. Kerberos provides a centralized authentication server architecture. The authentication server's function is to provide mutual authentication between users and the servers they access. (Symmetric-key encryption is used.)
2. Kerberos single sign-on principle diagram
3. Service environment
2. Turn off the firewall and download the krb5 software package on the main server (www.skills.com), and add the host name corresponding to each IP in /etc/hosts. (All three nodes need it.)
5. Edit the main configuration file (vim /etc/krb5.conf) and change every EXAMPLE.COM in it to your own domain name.
6. Modify /var/kerberos/krb5kdc/kadm5.acl and change EXAMPLE.COM to your own domain name.
    [root@www ~]# vim /var/kerberos/krb5kdc/kadm5.acl
7. Initialize the KDC database and enter the database password.
    [root@www ~]# kdb5_util create -s
8. Restart the service.
    [root@www ~]# systemctl restart krb5kdc kadmin
9. On the Kerberos server, as root, run kadmin.local (no password is required), create and add a Kerberos user, add a principal with a randomly generated key for each of the three nodes, and download the key of the main server.
    kadmin.local: addprinc root/admin
    kadmin.local: addprinc -randkey nfs/www.skills.com
    kadmin.local: addprinc -randkey nfs/nfs.skills.com
    kadmin.local: addprinc -randkey nfs/client.skills.com
    kadmin.local: ktadd nfs/www.skills.com
The configuration of the master server is now complete.

nfs server (nfs.skills.com)

1. Download the nfs and kdc installation packages.
    yum -y install krb5-workstation nfs-utils
2. Edit the main configuration file (vim /etc/krb5.conf) and change every EXAMPLE.COM in it to your own domain name.
3. Log in to the kdc database with the password and download the key (kadmin).
    kadmin
    kadmin: ktadd nfs/nfs.skills.com
4. Create an nfs export that requires krb5p encrypted access.
    mkdir /share
    vim /etc/exports
    exportfs -rv
   Configuration file content (sec specifies which encryption method is used).
5. Restart the service.
    systemctl restart nfs-server

This completes the configuration.

nfs client (client.skills.com)

1. Because the KDC configuration of the client is the same as that of the NFS server, we can use scp to copy the configuration file from the NFS server, but we cannot copy the configuration file of the master server. Our client does not contain the KDC database, and using the configuration file of the master server will result in an error that the database cannot be found.
2. Download the nfs and kdc installation packages.
    yum -y install krb5-workstation nfs-utils
3. Log in to the kdc database with the password and download the key (kadmin).
    kadmin
    kadmin: ktadd nfs/client.skills.com
4. Restart the service, create a folder, mount the share, and finally check it with df.
    systemctl restart nfs-server
    mkdir /myshare
    mount 192.168.10.223:/share /myshare
    df -h

The kdc-encrypted nfs mount was successful.

This is the end of this article about building kdc-encrypted nfs on CentOS 8.
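A check for the two things this procedure depends on, the sec option in /etc/exports and the security flavor the client actually mounted with, as an added example that is not part of the original article. The function names audit_exports and mount_sec are hypothetical, the sample data is constructed, and the parser assumes one export per line with each client's options in parentheses.

```shell
#!/bin/sh
# Added example; the sample data is constructed for illustration.
SAMPLE_EXPORTS='# constructed /etc/exports content
/share   *(rw,sec=krb5p)
/backup  client.skills.com(rw,sec=krb5:krb5p) 192.168.10.0/24(ro)
/scratch client.skills.com(rw,sec=sys)'
SAMPLE_MOUNTS='192.168.10.223:/share /myshare nfs4 rw,relatime,vers=4.2,sec=krb5p 0 0'

# audit_exports: read exports(5)-style lines on stdin and print
# "path client flavors" for every client entry whose sec= list is not
# exactly krb5p. Returns 1 if anything was printed, 0 otherwise.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""; sec = "sys"   # no sec= option means AUTH_SYS
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "<world>"  # "(opts)" with no host
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            if (sec != "krb5p") { print $1, client, sec; bad = 1 }
        }
    }
    END { exit bad + 0 }'
}

# mount_sec MOUNTPOINT: read /proc/mounts-style lines on stdin and print the
# sec= flavor of the NFS mount at MOUNTPOINT. Returns 1 if none is found.
mount_sec() {
    awk -v mp="$1" '
    $2 == mp && $3 ~ /^nfs4?$/ {
        n = split($4, o, ",")
        for (j = 1; j <= n; j++)
            if (o[j] ~ /^sec=/) { print substr(o[j], 5); found = 1 }
    }
    END { exit !found }'
}

# Demo on the constructed samples (on a live host: audit_exports < /etc/exports).
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || echo "found exports that accept more than krb5p"
printf '%s\n' "$SAMPLE_MOUNTS" | mount_sec /myshare
```

On the client, mount_sec /myshare < /proc/mounts should print krb5p after the mount in step 4; any other value means the share was mounted without Kerberos privacy protection.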