
Chapter 54. Network Authentication

Table of Contents

1. Network Information Service (NIS)
1.1. Installing the NIS Server
1.2. Slave NIS Server
1.3. Installing the NIS Client Software
1.4. Authentication Configuration
1.5. Application Example
1.6. Mount /home volume from NFS
2. OpenLDAP
2.1. Server
2.2. Client
2.3. User and Group Management
3. Kerberos
3.1. Kerberos Installation
3.1.1. CentOS Installation
3.1.2. Install by apt-get
3.2. Kerberos Server
3.3. Kerberos Client
3.4. Kerberos Management
3.4.1. ktutil - Kerberos keytab file maintenance utility
3.4.2. klist - list cached Kerberos tickets
3.5. OpenSSH Authentications
3.5.1. Configuring the Application server system
3.5.2. Configuring the Application client system
4. FreeRADIUS (Remote Authentication Dial In User Service)
4.1. ldap
4.2. mysql
4.3. WPA2 Enterprise
5. SASL (Simple Authentication and Security Layer)
6. GSSAPI (Generic Security Services Application Program Interface)

1. Network Information Service (NIS)

1.1. Installing the NIS Server

Procedure 54.1. Installing the NIS server

  1. ypserv

    # yum install ypserv -y

  2. /etc/hosts

    [root@nis ~]# hostname nis.example.com
    [root@nis ~]# echo "192.168.3.5 nis.example.com" >> /etc/hosts
    [root@nis ~]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1 datacenter.example.com datacenter localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    127.0.0.1 kerberos.example.com
    192.168.3.5 nis.example.com

  3. Set the NIS domain name

    # nisdomainname example.com
    # nisdomainname
    example.com

    Make the setting persistent across reboots. NISDOMAIN in /etc/sysconfig/network is what the init scripts read; the /etc/rc.local line is a fallback that sets the name again late in the boot:

    # echo '/bin/nisdomainname example.com' >> /etc/rc.local
    # echo 'NISDOMAIN=example.com' >> /etc/sysconfig/network

  4. Configure the main configuration file /etc/ypserv.conf

    Each access rule has the form host : domain : map : security. Rules are checked top to bottom and the first match wins, so the catch-all deny rule must stay last. The security field is none (allow), port (allow only from privileged source ports below 1024) or deny.

    # vim /etc/ypserv.conf
    
    127.0.0.0/255.255.255.0 : * : * : none
    192.168.3.0/255.255.255.0 : * : * : none
    * : * : * : deny

  5. Create the /var/yp/securenets file

    securenets is ypserv's network access-control list. Each line is either host <address> or <netmask> <network> (netmask first); a request from an address that matches no line is dropped, and if the file is missing ypserv answers everyone. This is an address check only: NIS has no client authentication, so any machine that can source packets from the listed range can read every map.

    # vim /var/yp/securenets
    host 127.0.0.1
    255.255.255.0 192.168.3.0

  6. Start the NIS server

    The NIS server depends on the portmap service, and both the ypserv and yppasswdd services must be started.

    [root@nis ~]# service portmap status
    portmap (pid 2336) is running...
    [root@nis ~]# service ypserv start
    Starting YP server services: [ OK ]
    [root@nis ~]# service yppasswdd start
    Starting YP passwd service: [ OK ]

  7. Build the NIS database

    32-bit: /usr/lib/yp/ypinit -m

    64-bit: /usr/lib64/yp/ypinit -m

    [root@nis ~]# /usr/lib64/yp/ypinit -m
    
    At this point, we have to construct a list of the hosts which will run NIS
    servers.  nis.example.com is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>.
            next host to add:  nis.example.com
            next host to add:
            next host to add:
    The current list of NIS servers looks like this:
    
    nis.example.com
    
    
    Is this correct?  [y/n: y]
    We need a few minutes to build the databases...
    Building /var/yp/example.com/ypservers...
    Running /var/yp/Makefile...
    gmake[1]: Entering directory `/var/yp/example.com'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating group.byname...
    Updating group.bygid...
    Updating hosts.byname...
    Updating hosts.byaddr...
    Updating rpc.byname...
    Updating rpc.bynumber...
    Updating services.byname...
    Updating services.byservicename...
    Updating netid.byname...
    Updating protocols.bynumber...
    Updating protocols.byname...
    Updating mail.aliases...
    gmake[1]: Leaving directory `/var/yp/example.com'
    
    nis.example.com has been set up as a NIS master server.
    
    Now you can run ypinit -s nis.example.com on all slave server.

    Check that the domain directory and its maps were created:

    # ls /var/yp/
    binding example.com Makefile nicknames securenets ypservers

  8. Enable the services at boot

    [root@datacenter ~]# chkconfig --list | grep yp
    ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
    
    [root@nis ~]# chkconfig ypserv on
    [root@nis ~]# chkconfig yppasswdd on


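The two access-control files in steps 4 and 5 are easy to get subtly wrong (a netmask typo, or the catch-all deny rule not last), so here is an added shell example, not code from the original page, that evaluates a client address against a securenets file and a ypserv.conf file the way the ypserv(8) and ypserv.conf(5) rules describe them: securenets is a whitelist of host/netmask lines, and ypserv.conf is matched top to bottom with the first matching rule deciding. It writes the two files from the procedure above into a temporary directory (the write_sample_policy helper, the probe addresses and the nis_client_verdict wrapper are assumptions of this example) and prints the verdict for a few addresses. Only IPv4 addresses and the address forms used above are handled; hostnames in the host field are not.

```shell
#!/bin/sh
# Added example: offline evaluation of the NIS access controls above.
# Not the page's own code. Implements the matching rules of securenets(5)
# and ypserv.conf(5) for IPv4 addresses; the sample directory, the
# write_sample_policy helper and the probe addresses are constructed here.

# Dotted-quad IPv4 address -> unsigned integer (runs in a subshell so the
# IFS change does not leak).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# securenets: "host <addr>" or "<netmask> <network>" lines; any match allows.
# Returns 0 if address $2 is allowed by file $1, 1 otherwise.
securenets_allows() {
  file=$1; ipn=$(ip2int "$2")
  while read -r f1 f2 _; do
    case "$f1" in ''|'#'*) continue ;; esac
    if [ "$f1" = host ]; then
      [ "$(ip2int "$f2")" -eq "$ipn" ] && return 0
    else
      mask=$(ip2int "$f1"); net=$(ip2int "$f2")
      [ $(( ipn & mask )) -eq $(( net & mask )) ] && return 0
    fi
  done < "$file"
  return 1
}

# ypserv.conf: "host : domain : map : security"; the first matching rule wins.
# Prints the security field (none/port/deny) of the first rule in file $1
# matching address $2, domain $3 and map $4, or "no-match".
ypserv_rule() {
  file=$1; ipn=$(ip2int "$2"); dom=$3; map=$4
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    h=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' \t')
    d=$(printf '%s' "$line" | cut -d: -f2 | tr -d ' \t')
    m=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' \t')
    s=$(printf '%s' "$line" | cut -d: -f4 | tr -d ' \t')
    case "$h" in
      '*') hit=1 ;;
      */*) net=$(ip2int "${h%/*}"); mask=$(ip2int "${h#*/}")
           if [ $(( ipn & mask )) -eq $(( net & mask )) ]; then hit=1; else hit=0; fi ;;
      *)   if [ "$(ip2int "$h")" -eq "$ipn" ]; then hit=1; else hit=0; fi ;;
    esac
    [ "$hit" -eq 1 ] || continue
    [ "$d" = '*' ] || [ "$d" = "$dom" ] || continue
    [ "$m" = '*' ] || [ "$m" = "$map" ] || continue
    printf '%s\n' "$s"; return 0
  done < "$file"
  printf 'no-match\n'; return 1
}

# Write the securenets and ypserv.conf from the procedure above into $1.
write_sample_policy() {
  printf 'host 127.0.0.1\n255.255.255.0 192.168.3.0\n' > "$1/securenets"
  printf '%s\n' \
    '127.0.0.0/255.255.255.0 : * : * : none' \
    '192.168.3.0/255.255.255.0 : * : * : none' \
    '* : * : * : deny' > "$1/ypserv.conf"
}

# Combined verdict for one client reading passwd.byname: securenets is
# consulted first (ypserv drops non-matching sources before any rule is read).
nis_client_verdict() {
  dir=$1; ip=$2
  if ! securenets_allows "$dir/securenets" "$ip"; then
    printf 'dropped-by-securenets\n'; return 1
  fi
  rule=$(ypserv_rule "$dir/ypserv.conf" "$ip" example.com passwd.byname)
  printf '%s\n' "$rule"
  [ "$rule" = none ] || [ "$rule" = port ]
}

policy_dir=$(mktemp -d)
write_sample_policy "$policy_dir"
for probe in 127.0.0.1 192.168.3.77 192.168.4.1 10.0.0.9; do
  printf '%-14s %s\n' "$probe" "$(nis_client_verdict "$policy_dir" "$probe")"
done
rm -rf "$policy_dir"
```

Swapping the order of the ypserv.conf rules so that `* : * : * : deny` comes first makes every client get deny, which is the mistake the first-match rule punishes; the same evaluator shows it immediately.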
1.2. Slave NIS Server

Now you can run ypinit -s nis.example.com on every slave server. The slave needs the ypserv package and the same NIS domain name as the master, and its hostname must be in the master's ypservers map (the host list entered during ypinit -m above); otherwise the master's yppush will not propagate map updates to it.

# /usr/lib64/yp/ypinit -s nis.example.com


1.3. Installing the NIS Client Software

Procedure 54.2. Installing the NIS client software

  1. The NIS client needs two packages, ypbind and yp-tools

    # yum install ypbind yp-tools -y

  2. NIS domain name (persist it the same way as on the server, with NISDOMAIN in /etc/sysconfig/network)

    # nisdomainname example.com

  3. /etc/hosts

    192.168.3.5 nis.example.com

  4. /etc/yp.conf

    # vim /etc/yp.conf
    domain example.com server nis.example.com

  5. /etc/nsswitch.conf

    Keep files before nis so that local accounts, root in particular, are always resolved from /etc/passwd even when the NIS server is unreachable or serves a conflicting entry.

    # vim /etc/nsswitch.conf
    passwd: files nis
    shadow: files nis
    group: files nis
    hosts: files nis dns

  6. Start the ypbind service

    [root@test ~]# service portmap status
    portmap is stopped
    [root@test ~]# service portmap start
    Starting portmap: [ OK ]
    [root@test ~]# service ypbind start
    Turning on allow_ypbind SELinux boolean
    Binding to the NIS domain: [ OK ]
    Listening for an NIS domain server..

  7. yp-tools test utilities

    yptest runs an automated series of lookups against the NIS server the client is bound to:

    # yptest

    ypwhich prints the hostname of that NIS server; with -x it prints the map nickname table:

    # ypwhich
    # ypwhich -x

    ypcat prints the nickname table (-x) or dumps the contents of the named map:

    # ypcat -x
    # ypcat passwd

  8. NIS Client Service

    # chkconfig ypbind on


1.4. Authentication Configuration

# authconfig-tui

Select Use NIS:

                ┌────────────────┤ Authentication Configuration ├─────────────────┐
                │                                                                 │
                │  User Information        Authentication                         │
                │  [ ] Cache Information   [*] Use MD5 Passwords                  │
                │  [ ] Use Hesiod          [*] Use Shadow Passwords               │
                │  [ ] Use LDAP            [ ] Use LDAP Authentication            │
                │  [*] Use NIS             [ ] Use Kerberos                       │
                │  [ ] Use Winbind         [ ] Use SMB Authentication             │
                │                          [ ] Use Winbind Authentication         │
                │                          [ ] Local authorization is sufficient  │
                │                                                                 │
                │            ┌────────┐                      ┌──────┐             │
                │            │ Cancel │                      │ Next │             │
                │            └────────┘                      └──────┘             │
                │                                                                 │
                │                                                                 │
                └─────────────────────────────────────────────────────────────────┘

NIS Settings:

                        ┌─────────────────┤ NIS Settings ├─────────────────┐
                        │                                                  │
                        │ Domain: example.com_____________________________ │
                        │ Server: nis.example.com_________________________ │
                        │                                                  │
                        │         ┌──────┐                 ┌────┐          │
                        │         │ Back │                 │ Ok │          │
                        │         └──────┘                 └────┘          │
                        │                                                  │
                        │                                                  │
                        └──────────────────────────────────────────────────┘

1.5. Application Example

NIS server:

Create a test user on the NIS server, then rebuild the NIS maps so that the new account is published (re-running ypinit -m as below works; the lighter way is to run make in /var/yp):

# adduser test
# passwd test
# /usr/lib64/yp/ypinit -m

NIS client:

Log in to the client as the test user:

ssh test@client.example.com

Test:

[root@test ~]# yptest
Test 1: domainname
Configured domainname is "example.com"

Test 2: ypbind
Used NIS server:
nis.example.com

Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody)

Test 4: yp_first
neo
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash

Test 5: yp_next
test
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot
svnroot:!!:501:501::/home/svnroot:/bin/bash

Test 6: yp_master
nis.example.com

Test 7: yp_order
1271936660

Test 8: yp_maplist
rpc.byname
protocols.bynumber
ypservers
passwd.byname
hosts.byname
rpc.bynumber
group.bygid
services.byservicename
mail.aliases
passwd.byuid
services.byname
netid.byname
protocols.byname
group.byname
hosts.byaddr

Test 9: yp_all
neo
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot
svnroot:!!:501:501::/home/svnroot:/bin/bash
1 tests failed

The single failure is test 3, which looks up the key nobody in passwd.byname; it fails only because this server's passwd map has no nobody entry, and can be ignored.

Change the password:

$ yppasswd
Changing NIS account information for test on nis.example.com.
Please enter old password:
Changing NIS password for test on nis.example.com.
Please enter new password:
Please retype new password:

The NIS password has been changed on nis.example.com.

-bash-3.2$ ypcat hosts 
127.0.0.1 localhost.localdomain localhost 
127.0.0.1 kerberos.example.com
192.168.3.5 nis.example.com

-bash-3.2$ ypcat passwd
neo:$1$e1nd3pts$s7NikMnKwpL4vUp2LM/N9.:500:500::/home/neo:/bin/bash
test:$1$g4.VCB7i$I/N5W/imakprFdtP02i8/.:502:502::/home/test:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash

Note what ypcat passwd just returned to an ordinary, unprivileged user: the crypt hashes of every NIS account. NIS serves the passwd map to any process on any host inside securenets, with no client authentication and no encryption on the wire, so with NIS the password hashes are effectively public on the local network and can be cracked offline. That is the main reason to prefer Kerberos or LDAP for authentication and to use NIS, if at all, only for maps that hold no secrets.

-bash-3.2$ ypwhich
nis.example.com

-bash-3.2$ ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"


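The ypcat passwd output above is where a security reviewer should stop and look. The following shell script is an added example, not code from the original page, that audits such a dump the way an attacker or auditor would after pulling it with ypcat passwd: it reports every exposed hash together with its algorithm, empty password fields, accounts with UID 0 that are not root, and UIDs shared between accounts. The NIS_PASSWD_SAMPLE lines are constructed for this example; the hash strings are placeholders in crypt(3) format, not real hashes, and the extra accounts (guest, backup, toor, legacy) exist only to exercise each check.

```shell
#!/bin/sh
# Added example: audit a `ypcat passwd` dump. Not the page's own code.
# NIS_PASSWD_SAMPLE is constructed for this example; the hash strings are
# placeholders in crypt(3) format, not real hashes. Against a live server:
#   ypcat passwd | audit_nis_passwd

NIS_PASSWD_SAMPLE='neo:$1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy:500:500::/home/neo:/bin/bash
test:$1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy:502:502::/home/test:/bin/bash
svnroot:!!:501:501::/home/svnroot:/bin/bash
guest:!!:500:500::/home/guest:/bin/sh
backup::503:503::/home/backup:/bin/bash
toor:$6$xxxxxxxxxxxxxxxx$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:0:0::/root:/bin/bash
legacy:AbCdEfGhIjKlM:504:504::/home/legacy:/bin/sh'

# Reads passwd-format lines on stdin and prints one finding per line:
#   <user> HASH-EXPOSED (<algorithm>)   hash is now available for offline cracking
#   <user> EMPTY-PASSWORD               login without any password
#   <user> UID0-ALIAS                   a second root account
#   uid <n> SHARED-BY <users>           two accounts own the same files
# Locked fields (!!, !, *) produce no finding; lines without 7 fields are
# reported as malformed.
audit_nis_passwd() {
  awk -F: '
    NF != 7                 { print $1 " MALFORMED-ENTRY"; next }
    $2 == ""                { print $1 " EMPTY-PASSWORD" }
    $2 ~ /^\$1\$/           { print $1 " HASH-EXPOSED (md5-crypt)" }
    $2 ~ /^\$5\$/           { print $1 " HASH-EXPOSED (sha256-crypt)" }
    $2 ~ /^\$6\$/           { print $1 " HASH-EXPOSED (sha512-crypt)" }
    $2 ~ /^[^$!*]/ && length($2) == 13 { print $1 " HASH-EXPOSED (des-crypt)" }
    $3 == 0 && $1 != "root" { print $1 " UID0-ALIAS" }
    { seen[$3]++; owners[$3] = owners[$3] " " $1 }
    END { for (u in seen) if (seen[u] > 1) print "uid " u " SHARED-BY" owners[u] }'
}

# Number of findings for a dump on stdin (usable as a monitoring threshold).
count_nis_findings() {
  audit_nis_passwd | wc -l | tr -d ' '
}

printf '%s\n' "$NIS_PASSWD_SAMPLE" | audit_nis_passwd
```

The md5-crypt ($1$) hashes in the page's own output are the weakest of the salted crypt formats still in use and crack quickly on commodity GPUs; the des-crypt case is included because old NIS domains often still carry 13-character DES hashes, which are weaker still.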
1.6. Mount /home volume from NFS

Export /home from the NIS server as an NFS share:

# vi /etc/exports
/home 192.168.3.0/24(sync,rw,no_root_squash)

no_root_squash lets root on any client in 192.168.3.0/24 act as root on the exported /home, so a compromised client can plant setuid-root files in a home directory that every other client will then execute with full privilege. Unless root on the clients genuinely needs to write other users' home directories, leave the default root_squash in place and mount the share with nosuid,nodev on the clients.

Restart the NFS service:

# service nfs restart

Mount /home on the NIS client (the share is on the NIS server, 192.168.3.5 in this setup):

# vi /etc/fstab
192.168.3.5:/home /home nfs defaults 0 0

Mount the home volume:

# mount /home
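Added example, not code from the original page: a small shell audit of the export and fstab lines used in this section. It flags the two things that matter here, no_root_squash on a writable export (root on any client can create setuid-root files in /home that every other client will honour) and NFS mounts in /etc/fstab that lack nosuid,nodev, and it prints the hardened form of each line. The EXPORTS_SAMPLE and FSTAB_SAMPLE contents are constructed for the example; the /srv/pub and /data exports are invented to exercise the world-export and already-hardened cases.

```shell
#!/bin/sh
# Added example: audit /etc/exports and /etc/fstab NFS lines for the
# NIS + NFS /home pattern above. Not the page's own code. The sample
# contents are constructed; against live files use e.g.
#   audit_exports < /etc/exports ; audit_fstab_nfs < /etc/fstab

EXPORTS_SAMPLE='/home 192.168.3.0/24(sync,rw,no_root_squash)
/srv/pub *(ro,sync)
# comment lines and blanks are skipped

/data 192.168.3.0/24(rw,sync,root_squash)'

FSTAB_SAMPLE='192.168.3.5:/home /home nfs defaults 0 0
/dev/sda1 / ext4 defaults 1 1'

# One "<path> <client> <finding>" line per risky export clause. Each clause
# after the path is "<client>(<opts>)"; the options in parentheses are split
# on commas and inspected.
audit_exports() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match($i, /\(.*\)/)) {
          client = substr($i, 1, RSTART - 1)
          opts = substr($i, RSTART + 1, RLENGTH - 2)
        }
        rw = 0; nrs = 0
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "rw") rw = 1
          if (o[j] == "no_root_squash") nrs = 1
        }
        if (client == "*") print path " " client " WORLD-EXPORT"
        if (nrs && rw)     print path " " client " NO-ROOT-SQUASH-RW"
        else if (nrs)      print path " " client " NO-ROOT-SQUASH"
      }
    }'
}

# NFS entries in fstab that lack nosuid and/or nodev in the mount options.
audit_fstab_nfs() {
  awk '$3 ~ /^nfs4?$/ {
    miss = ""
    if ($4 !~ /(^|,)nosuid(,|$)/) miss = miss " nosuid"
    if ($4 !~ /(^|,)nodev(,|$)/)  miss = miss " nodev"
    if (miss != "") print $2 " MISSING-OPTIONS" miss
  }'
}

# Hardened form of an exports line: root_squash instead of no_root_squash.
harden_export_line() {
  sed 's/no_root_squash/root_squash/g'
}

# Hardened form of an fstab line: append nosuid,nodev to NFS mounts that
# lack them; non-NFS lines pass through unchanged.
harden_fstab_line() {
  awk '$3 ~ /^nfs4?$/ {
    if ($4 !~ /(^|,)nosuid(,|$)/) $4 = $4 ",nosuid"
    if ($4 !~ /(^|,)nodev(,|$)/)  $4 = $4 ",nodev"
  } { print }'
}

printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports
printf '%s\n' "$FSTAB_SAMPLE"   | audit_fstab_nfs
printf '%s\n' "$EXPORTS_SAMPLE" | harden_export_line
printf '%s\n' "$FSTAB_SAMPLE"   | harden_fstab_line
```

nosuid on the client mount is the control that actually breaks the setuid-via-/home attack; root_squash on the server removes the easiest way to create such files in the first place. Both are cheap, and neither affects normal use of a home directory.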