[LINUX] On a Red Hat 6 system, rpc.svcgssd still shows as stopped after NFS is started

Posted by xysoul_雲龍 on 2017-06-28


Problem description: on a Red Hat 6 system, rpc.svcgssd still shows as stopped after NFS has been started.



  [root@mytest Packages]# cat /etc/redhat-release
  Red Hat Enterprise Linux Server release 6.7 (Santiago)
  [root@mytest Packages]# service rpcbind status
  rpcbind (pid 4744) is running...
  [root@mytest Packages]# service nfs status
  rpc.svcgssd is stopped    -- this is the problem
  rpc.mountd (pid 5733) is running...
  nfsd (pid 5749 5748 5747 5746 5745 5744 5743 5742) is running...
  rpc.rquotad (pid 5728) is running...

Explanation: this service is only useful, and only started, when NFS is configured to export shares via Kerberos.
The original text reads:


  This is an expected behaviour. rpc.svcgssd and rpc.gssd daemons only need to be enabled if NFS is configured to export shares via Kerberos authentication

By default, NFS is not configured for Kerberos sharing:



  NFS service by default is not configured to export shares via Kerberos

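The Kerberos protocol (explanation reproduced from):

The Kerberos protocol is mainly used for authentication on computer networks. Its distinguishing feature is that the user enters authentication information only once and can then use the ticket obtained from that authentication (the ticket-granting ticket) to access multiple services, i.e. SSO (Single Sign On). Because a shared key is established between each Client and Service, the protocol offers a considerable level of security.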

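Environment requirements:
The original text follows. Its main point is to make sure that time is synchronized between all clients and servers and that DNS resolves correctly. A host may be referenced by a CNAME, but the host name itself must be an "A" record. By convention, Kerberos realms are written in upper case.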


  Important points:

  Time Synchronization: All machines that will participate in Kerberos authentication must have a reliable, synchronized time source. Most large organizations offer their own time sources. You can use the RHEL configuration tool system-config-time to set this up. So, time of both the server and clients will be same.

  Hostnames: All hosts must have their hostname set to the fully qualified hostname as reported by DNS. Both forward and reverse mapping must work properly.

  The host may be referenced by a CNAME, but the official host name (as reported by hostname) must be an 'A' record. This is important; if you don't have this set up properly then some things will work, while other things will fail mysteriously. If the host name does not match the reverse DNS lookup, Kerberos authentication will fail.

  You need to choose a kerberos realm. A kerberos realm is completely different from a DNS domain, but in most cases you will want to use the same name. By convention, kerberos realms are all upper case. The kerberos realm used in this article will be "EXAMPLE.COM".
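
As an added example (not part of the original post or of the quoted text), the hostname, DNS and realm rules above can be checked with a short script before Kerberos is configured. It assumes `getent` as the resolver interface; the function names and the script name are illustrative.

```shell
#!/bin/bash
# Added example: pre-flight check of the hostname, DNS and realm rules above.
# Lookups go through two wrappers (assumption: getent is the resolver interface).
lookup_addr() { getent hosts "$1" | awk 'NR==1 {print $1}'; }  # name -> first address
lookup_name() { getent hosts "$1" | awk 'NR==1 {print $2}'; }  # address -> official name

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Fully qualified: at least one dot, no empty labels, no trailing dot.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# By convention a Kerberos realm is written entirely in upper case.
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# The address the name resolves to must map back to that same official name.
# A CNAME fails here, as does a short name listed first in /etc/hosts.
dns_roundtrip_ok() {
    local host=$1 addr name
    addr=$(lookup_addr "$host")
    [ -n "$addr" ] || return 1
    name=$(lookup_name "$addr")
    [ "$(lc "${name%.}")" = "$(lc "$host")" ]   # DNS names compare case-insensitively
}

# Print one line per failed rule; the return status is the number of failures.
check_krb_prereqs() {
    local host=$1 realm=$2 fails=0
    is_fqdn "$host" || { echo "FAIL: '$host' is not fully qualified"; fails=$((fails + 1)); }
    dns_roundtrip_ok "$host" || { echo "FAIL: forward/reverse DNS for '$host' disagree"; fails=$((fails + 1)); }
    realm_is_upper "$realm" || { echo "FAIL: realm '$realm' is not upper case"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: ./krb-preflight.sh EXAMPLE.COM   (checks this machine's own host name)
if [ -n "${1:-}" ]; then
    check_krb_prereqs "$(hostname)" "$1" && echo "OK: hostname, DNS and realm checks passed"
fi
```

Time synchronization is not covered by this script and has to be verified separately on every participating machine.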

Package requirements:


  On the client machine, make sure that the following packages are installed:

  krb5-libs
  krb5-workstation
  pam_krb5
  cyrus-sasl-gssapi

  On the server machine, make sure that the following package is installed:

  krb5-server

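That is all for this post. For the actual configuration steps, see the address referenced above under "The Kerberos protocol (explanation reproduced from)"; for the official documentation, see the blog post directory.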



From the "ITPUB blog", link: http://blog.itpub.net/29487349/viewspace-2141327/. If you repost this article, please credit the source; otherwise legal liability will be pursued.
