AD as the NFS KDC
Windows configuration
Now we need to create a "machine" credential for the Linux NFS client. Currently, Linux 2.6 requires a credential of the form:
nfs/hostname@REALM-NAME
You must create a principal as type User. Do NOT create the principal as type Computer. Microsoft's Kerberos Interoperability document says:
Use the Active Directory Management tool to create a new user account for the UNIX host:
* Select the Users folder, right-click and select New, then choose user.
* Type the name of the UNIX host.
We are ultimately going to create a principal of the form nfs/hostname@REALM. The steps quoted above describe host/hostname@REALM.
We name this user nfsH3CStor (the user name is arbitrary; we use the naming scheme servicenameHostname).
The next step requires opening a Command Prompt window on the Windows 2000 server and mapping nfsH3CStor to its real machine principal,
nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG
The command to do this is ktpass, and it is invoked as:
ktpass -princ nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG -mapuser TANGO\nfsH3CStor +rndPass -out h3cnfs.keytab
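Find a way to copy this file to the Linux machine; kinit needs it. Remember to run the command above with administrator privileges, otherwise it fails with very strange errors. If nothing else comes to mind, PuTTY's PSCP can do the copy.
Linux side
First, import this keytab file. You can copy the keytab directly to /etc/krb5.keytab (mind the file permissions).
Alternatively: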
[L:h3cstor] ~# ktutil
ktutil: read_kt /root/h3cnfs.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG
   2    1 Alex@TANGO.OSQDU.ORG
   3    1 Alex@TANGO.OSQDU.ORG
ktutil: write_kt /etc/krb5.keytab
ktutil: q
Verify:
[L:h3cstor] ~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 Alex@TANGO.OSQDU.ORG
   1 Alex@TANGO.OSQDU.ORG
   3 nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG
   1 Alex@TANGO.OSQDU.ORG
   1 Alex@TANGO.OSQDU.ORG
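The same verification can be scripted. The following is an added example, not part of the original notes: it reads the MIT keytab file format (0x0502) directly, checks that the nfs principal is present, and reports entries stored more than once, as the Alex entries are in the listing above. The function names, the all-zero placeholder keys and enctype 18 in the constructed sample are assumptions.

```python
def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = int.from_bytes(data[pos:pos + 4], "big", signed=True)
        p, pos = pos + 4, pos + 4 + abs(size)   # negative size = deleted slot (hole)
        if size <= 0:
            continue
        def take(n):                            # consume n bytes of this entry
            nonlocal p
            if p + n > min(pos, len(data)):
                raise ValueError("truncated keytab entry")
            p += n
            return data[p - n:p]
        u16 = lambda: int.from_bytes(take(2), "big")
        ncomp = u16()
        realm = take(u16()).decode()
        name = "/".join(take(u16()).decode() for _ in range(ncomp))
        take(8)                                 # name type (4) + timestamp (4)
        kvno, etype = take(1)[0], u16()
        take(u16())                             # key bytes are skipped, never returned
        if pos - p >= 4:                        # optional 32-bit KVNO overrides 8-bit one
            kvno = int.from_bytes(take(4), "big") or kvno
        entries.append((f"{name}@{realm}", kvno, etype))
    return entries

def audit(data, wanted):
    """Return (is the wanted principal present?, entries stored more than once)."""
    entries = parse_keytab(data)
    dupes = sorted({e for e in entries if entries.count(e) > 1})
    return any(e[0] == wanted for e in entries), dupes

def make_entry(principal, kvno, etype=18):
    """Build one constructed entry with an all-zero placeholder key (not a real key)."""
    be = lambda v, n: v.to_bytes(n, "big")
    cs = lambda b: be(len(b), 2) + b
    name, realm = principal.split("@")
    body = be(name.count("/") + 1, 2) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in name.split("/"))
    body += be(1, 4) + be(0, 4) + be(kvno, 1) + be(etype, 2) + cs(bytes(32)) + be(kvno, 4)
    return be(len(body), 4) + body

NFS = "nfs/h3cstor.tango.osqdu.org@TANGO.OSQDU.ORG"
# Constructed sample mirroring the klist listing above (enctype 18 is an assumption).
SAMPLE = b"\x05\x02" + b"".join(make_entry(p, k) for p, k in
    [("Alex@TANGO.OSQDU.ORG", 1)] * 2 + [(NFS, 3)] + [("Alex@TANGO.OSQDU.ORG", 1)] * 2)
```

To check a real file, pass its bytes instead of SAMPLE, for example `audit(open("/etc/krb5.keytab", "rb").read(), NFS)` run as root.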
/etc/exports configuration, etc.:
See the NFS/Kerberos page on the official Debian Wiki.