Copyright (C) 2010 Konstantin Nadezhdin <w.homenki.ru>.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
Free Documentation License".
First of all, install the packages yast2-nfs-server, yast2-kerberos-server and yast2-ldap-server.
Run: yast nfs_server

    YaST2 - nfs_server @ store

    NFS Server Configuration
    +NFS Server--------------------------------------+
    |(x) Start                                       |
    |( ) Do Not Start                                |
    +------------------------------------------------+
    +Firewall----------------------------------------+
    |[x] Open Port in Firewall [Firewall Details...] |
    |Firewall port is open on selected interfaces    |
    +------------------------------------------------+
    +Enable NFSv4------------------------------------+
    |[x] Enable NFSv4                                |
    |Enter NFSv4 domain name:                        |
    |home.lan________________________________________|
    +------------------------------------------------+
    [x] Enable GSS Security

    [Help]                         [Back] [Cancel] [Next]
    F1 Help  F9 Cancel  F10 Next

    YaST2 - nfs_server @ store

    Directories to Export
    +----------------------------------------------------------------------------+
    |Directories         |Bindmount Targets                                      |
    |/home/store         |                                                       |
    |                    |                                                       |
    +----------------------------------------------------------------------------+
    [Add Directory][Edit][Delete]
    +----------------------------------------------------------------------------+
    |Host Wild Card|Options                                                      |
    |192.168.0.0/24|fsid=0,crossmnt,rw,root_squash,sync,no_subtree_check,sec=krb5|
    |              |                                                             |
    +----------------------------------------------------------------------------+
    [Add Host][Edit][Delete]

    [ Help ]                                        [ Back ] [Cancel] [Finish]
    F1 Help  F3 Add Directory  F4 Edit  F5 Delete  F8 Back  F9 Cancel  F10 Finish
Edit the config file /var/lib/kerberos/krb5kdc/kdc.conf:

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        HOME.LAN = {
            database_name = /var/lib/kerberos/krb5kdc/principal
            admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
            acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
            dict_file = /var/lib/kerberos/krb5kdc/kadm5.dict
            key_stash_file = /var/lib/kerberos/krb5kdc/.k5.HOME.LAN
            kdc_ports = 750,88
            default_principal_flags = +postdateable +forwardable +renewable +proxiable +dup-skey -preauth -hwauth +service +tgt-based +allow-tickets -pwchange -pwservice
        }

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
Edit the config file /etc/krb5.conf:

    [libdefaults]
        default_realm = HOME.LAN
        clockskew = 300

    [realms]
        HOME.LAN = {
            kdc = store.home.lan
            admin_server = store.home.lan
            default_domain = home.lan
        }

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

    [domain_realm]
        .home.lan = HOME.LAN

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            minimum_uid = 1
            clockskew = 300
            external = sshd
            use_shmem = sshd
        }
Create the database: kdb5_util create -r HOME.LAN -s
Edit the config file /var/lib/kerberos/krb5kdc/kadm5.acl:

    ###############################################################################
    #Kerberos_principal      permissions      [target_principal]    [restrictions]
    ###############################################################################
    #
    */admin@HOME.LAN        *
    */*@HOME.LAN            i
Run: yast kerberos-server

    YaST2 - kerberos-server @ store

    Kerberos Server Configuration
    ( ) Disable Kerberos
    (x) Enable Kerberos
    +---------------------------------------------------------------------------+
    |Configuration of the Kerberos Server                                       |
    |                                                                           |
    |Database Backend: file                                                     |
    |Database Name:    /var/lib/kerberos/krb5kdc/principal                      |
    |Realm:            HOME.LAN                                                 |
    |KDC Ports:        750,88                                                   |
    +---------------------------------------------------------------------------+
    [Edit]
    +Firewall Settings----------------------------------------------------------+
    |[x] Open Port in Firewall [Firewall Details...]                            |
    |Firewall port is open on selected interfaces                               |
    +---------------------------------------------------------------------------+

    [ Help ]                                        [ Back ] [Abort] [Finish]
    F1 Help  F4 Edit  F8 Back  F9 Abort  F10 Finish

Enable it and press F10.
Check the status of the rckrb5kdc and rckadmind services.
Check the logs: /var/log/krb5/*.log
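As an added check (example code written for this page, not part of the original how-to): the script below reads the default_principal_flags line of a kdc.conf like the one above and reports flags that weaken the KDC. The embedded sample is a constructed copy of the [realms] block shown earlier; the function names and the WARN/INFO classification are my own. Pass the path of a real kdc.conf as the first argument to audit it instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original how-to: audit the
# default_principal_flags line of a kdc.conf.

# Constructed copy of the [realms] block from the how-to above.
SAMPLE_KDC_CONF='[realms]
    HOME.LAN = {
        default_principal_flags = +postdateable +forwardable +renewable +proxiable +dup-skey -preauth -hwauth +service +tgt-based +allow-tickets -pwchange -pwservice
    }'

# Print the flag list of the first default_principal_flags line in file $1.
kdc_principal_flags() {
    sed -n 's/^[[:space:]]*default_principal_flags[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print one WARN/INFO line per flag worth a second look; nothing when
# none are found. What counts as weak is this example's own judgement.
audit_kdc_flags() {
    flags=$(kdc_principal_flags "$1")
    # $flags is deliberately unquoted so it splits into one word per flag.
    for f in $flags; do
        case "$f" in
            -preauth)
                # Without pre-authentication the KDC hands out an
                # AS-REP for any principal before the client has proven
                # anything, so the password is the only protection.
                echo "WARN: -preauth disables pre-authentication for new principals; use +preauth" ;;
            +proxiable)
                echo "INFO: +proxiable: proxiable tickets are allowed by default" ;;
            +postdateable)
                echo "INFO: +postdateable: postdated tickets are allowed by default" ;;
        esac
    done
}

# Number of WARN lines for file $1 (always exits 0 so it is safe under set -e).
kdc_warn_count() {
    audit_kdc_flags "$1" | grep -c '^WARN' || true
}

# Stand-alone run on the constructed sample (or on a real file given as $1).
if [ -n "$1" ]; then
    audit_kdc_flags "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_KDC_CONF" > "$tmp"
    audit_kdc_flags "$tmp"
    rm -f "$tmp"
fi
```

Run it with no arguments to see the sample audited, or `sh audit_kdc.sh /var/lib/kerberos/krb5kdc/kdc.conf` on the real file; a non-empty WARN output is the signal to revisit the flags before creating principals, since the flags set here become the defaults for every principal added afterwards.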
Run: yast ldap-server

    YaST2 - ldap-server @ store

    +Configuration:------------+ LDAP Server Configuration
    |---Startup Configuration  | +Start LDAP Server-----------------------------+
    |-+-Global Settings        | |( ) No                                        |
    |---Schema Files           | |(x) Yes                                       |
    |-+-Databases              | |[ ] Register at an SLP Daemon                 |
    |                          | +----------------------------------------------+
    |                          |
    |                          | +Protocol Listeners----------------------------+
    |                          | |[x] LDAP                                      |
    |                          | |[ ] LDAP over SSL (ldaps)                     |
    |                          | |[x] LDAP over IPC (ldapi)                     |
    |                          | +----------------------------------------------+
    |                          |
    |                          | +Firewall Settings-----------------------------+
    |                          | |[x] Open Port in Firewall[Firewall Details...]|
    |                          | |Firewall port is open on selected interfaces  |
    +--------------------------+ +----------------------------------------------+

    [Help]                                              [Cancel] [ OK ]
    F1 Help  F9 Cancel  F10 OK
Run: yast ldap

    YaST2 - ldap @ store

    LDAP Client Configuration
    +User Authentication-----------------------------------------------------+
    | ( ) Do Not Use LDAP                                                    |
    | (x) Use LDAP                                                           |
    | ( ) Use LDAP but Disable Logins                                        |
    +------------------------------------------------------------------------+
    +LDAP Client-------------------------------------------------------------+
    | Addresses of LDAP Servers                                       [Find] |
    | 127.0.0.1_______________________________________________________       |
    | LDAP Base DN                                                [Fetch DN] |
    | dc=home,dc=lan______________________________________________           |
    | [ ] LDAP TLS/SSL                                                       |
    | [ ] LDAP Version 2                                                     |
    +------------------------------------------------------------------------+
    [ ] Start Automounter
    [x] Create Home Directory on Login
                                                  [Advanced Configuration...]

    [ Help ]                                              [Cancel] [ OK ]
    F1 Help  F8 Cancel  F10 OK
Next: [Advanced Configuration...]

    YaST2 - ldap @ store

    Advanced Configuration
    +Client Settings--Administration Settings-----------------------------------+
    |   +Naming Contexts------------------------------------------------+       |
    |   | User Map                                             [Browse] |       |
    |   | ou=people,dc=home,dc=lan_____________________________         |       |
    |   | Password Map                                         [Browse] |       |
    |   | ou=people,dc=home,dc=lan_____________________________         |       |
    |   | Group Map                                            [Browse] |       |
    |   | ou=group,dc=home,dc=lan______________________________         |       |
    |   +---------------------------------------------------------------+       |
    |                                                                           |
    |   Password Change Protocol                                                |
    |   exop____________________________________________________________?       |
    |                                                                           |
    |   Group Member Attribute                                                  |
    |   member__________________________________________________________?       |
    |                                                                           |
    +---------------------------------------------------------------------------+

    [ Help ]                                              [Cancel] [ OK ]
    F1 Help  F8 Cancel  F10 OK
Next: Administration Settings

    YaST2 - ldap @ store

    Advanced Configuration
    +Client Settings--Administration Settings-----------------------------------+
    | Configuration Base DN                                          [Browse]   |
    | ou=ldapconfig,dc=home,dc=lan_____________________________                 |
    | Administrator DN                                    [x] Append Base DN    |
    | cn=Administrator,dc=home,dc=lan________________                           |
    | [x] Create Default Configuration Objects                                  |
    | [ ] Home Directories on This Machine                                      |
    |                                                                           |
    | [Configure User Management Settings...]                                   |
    |                                                                           |
    |   +---------------------------------------------------------------+       |
    |   |Password Policy                                                |       |
    |   |                                                               |       |
    |   |                                                               |       |
    |   |                                                               |       |
    |   +---------------------------------------------------------------+       |
    |   [Add][Edit][Delete]                                                     |
    +---------------------------------------------------------------------------+

    [ Help ]                                              [Cancel] [ OK ]
    F1 Help  F3 Add  F4 Edit  F5 Delete  F6 Browse  F8 Cancel  F10 OK
Install pam_ccreds.
Enable Kerberos user authentication and enable the LDAP client.
Add a mount line for the NFS share to auto.master: /mnt /etc/auto.misc
and in /etc/auto.misc: store -fstype=nfs4,defaults,sec=krb5,rw store.home.lan:/
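As an added example (written for this page, not part of the original how-to), the script below parses the option string of the NFS export shown in the "Directories to Export" screen and the option string of the automount entry above, reports which Kerberos security flavour each side uses, and checks that they agree and that the export keeps root_squash. The two option strings are constructed copies of the ones in this how-to; the function names are my own, and the description of the krb5 / krb5i / krb5p flavours is the standard NFS meaning of sec=.

```shell
#!/bin/sh
# Added example, not from the original how-to: compare the server-side
# export options with the client-side automount options.

# Constructed copies of the option strings shown in the how-to.
EXPORT_OPTS='fsid=0,crossmnt,rw,root_squash,sync,no_subtree_check,sec=krb5'
CLIENT_OPTS='-fstype=nfs4,defaults,sec=krb5,rw'

# Print the value of option $1 (e.g. sec) from the comma-separated option
# string $2, or nothing when it is absent. The leading "-" that autofs
# maps put in front of the options is stripped first.
nfs_opt_value() {
    printf '%s\n' "${2#-}" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Exit 0 when the bare flag $1 (e.g. root_squash) is present in $2.
# -x requires a whole-line match, so no_root_squash never matches root_squash.
nfs_has_flag() {
    printf '%s\n' "${2#-}" | tr ',' '\n' | grep -qx "$1"
}

# Describe what a sec= flavour protects on the wire (empty means the
# default, AUTH_SYS).
sec_level() {
    case "$1" in
        krb5)   echo "krb5: Kerberos authentication only, no integrity or privacy" ;;
        krb5i)  echo "krb5i: Kerberos authentication plus integrity checking" ;;
        krb5p)  echo "krb5p: Kerberos authentication, integrity and encryption" ;;
        sys|'') echo "sys: AUTH_SYS, client-asserted UIDs, no Kerberos" ;;
        *)      echo "$1: unknown flavour" ;;
    esac
}

# Audit export options $1 against client mount options $2.
# Prints findings; the return value is the number of warnings.
audit_nfs_sec() {
    srv=$(nfs_opt_value sec "$1")
    cli=$(nfs_opt_value sec "$2")
    warnings=0
    echo "server: $(sec_level "$srv")"
    echo "client: $(sec_level "$cli")"
    if [ "$srv" != "$cli" ]; then
        echo "WARN: server sec=$srv and client sec=$cli do not match; the mount will be refused"
        warnings=$((warnings + 1))
    fi
    if ! nfs_has_flag root_squash "$1"; then
        echo "WARN: export does not set root_squash"
        warnings=$((warnings + 1))
    fi
    case "$srv" in
        krb5) echo "NOTE: krb5 authenticates only; krb5i or krb5p also protects the data on the wire" ;;
    esac
    return "$warnings"
}

# Stand-alone run on the constructed strings from the how-to.
audit_nfs_sec "$EXPORT_OPTS" "$CLIENT_OPTS"
```

With the how-to's own values the audit prints no WARN line and returns 0; the NOTE is the one caveat worth knowing here: sec=krb5 on both sides authenticates the user but leaves the file data unprotected in transit, and raising both sides together to krb5i or krb5p is the documented way to change that.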
Run: pam-config -a --ccreds
Edit /etc/pam.d/common-account:

    ...
    account sufficient      pam_krb5.so
    ...
    ...
    account [default=done]  pam_permit.so

Bugs: if the connection to the server is lost during a session, the user takes a very long time to log out and loses the cache entry!!!