Now that user management with NIS works on CentOS 7, the last step is to share the home directory over NFS so that a user gets the same home whichever NIS client they log in to.
Previous articles in this series:
CentOS 7 user management with NIS – NIS server setup
https://www.rootlinks.net/2016/03/23/centos-7-nisでユーザ管理-nisサーバの設定/
CentOS 7 user management with NIS – NIS client setup
https://www.rootlinks.net/2016/03/24/centos-7-nisでユーザ管理-nisクライアントの設定/
CentOS 7 user management with NIS – registering users
https://www.rootlinks.net/2016/03/25/centos-7-nisでユーザ管理-ユーザ登録/
- Install the NFS server
- Edit /etc/idmapd.conf
- Create the home directory
- Edit /etc/exports
- Enable the NFS server at boot
- Start the NFS server
[root@host01 ~]# yum install nfs-utils
(snip)
Installed:
  nfs-utils.x86_64 1:1.3.0-0.21.el7_2

Dependency Installed:
  gssproxy.x86_64 0:0.4.1-7.el7                 keyutils.x86_64 0:1.5.8-3.el7
  libbasicobjects.x86_64 0:0.1.1-25.el7         libcollection.x86_64 0:0.6.2-25.el7
  libevent.x86_64 0:2.0.21-4.el7                libini_config.x86_64 0:1.2.0-25.el7
  libnfsidmap.x86_64 0:0.25-12.el7              libpath_utils.x86_64 0:0.2.1-25.el7
  libref_array.x86_64 0:0.1.5-25.el7            libtalloc.x86_64 0:2.1.2-1.el7
  libtevent.x86_64 0:0.9.25-1.el7               libverto-tevent.x86_64 0:0.2.5-4.el7
  quota.x86_64 1:4.01-11.el7                    quota-nls.noarch 1:4.01-11.el7
  tcp_wrappers.x86_64 0:7.6-77.el7

Complete!
Set Domain= in /etc/idmapd.conf to your own domain. This is the NFSv4 ID-mapping domain and it must be identical on the server and on every client; if it differs, names cannot be mapped and files on an NFSv4 mount show up as owned by nobody/nobody even though the UIDs from NIS match.
[root@host01 ~]# cat /etc/idmapd.conf
[General]
#Verbosity = 0
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu

# The following is a comma-separated list of Kerberos realm
# names that should be considered to be equivalent to the
# local realm, such that <user>@REALM.A can be assumed to
# be the same user as <user>@REALM.B
# If not specified, the default local realm is the domain name,
# which defaults to the host's DNS domain name,
# translated to upper-case.
# Note that if this value is specified, the local realm name
# must be included in the list!
#Local-Realms =

[Mapping]

#Nobody-User = nobody
#Nobody-Group = nobody

[Translation]

# Translation Method is an comma-separated, ordered list of
# translation methods that can be used.  Distributed methods
# include "nsswitch", "umich_ldap", and "static".  Each method
# is a dynamically loadable plugin library.
# New methods may be defined and inserted in the list.
# The default is "nsswitch".
#Method = nsswitch

# Optional.  This is a comma-separated, ordered list of
# translation methods to be used for translating GSS
# authenticated names to ids.
# If this option is omitted, the same methods as those
# specified in "Method" are used.
#GSS-Methods = <alternate method list for translating GSS names>

#-------------------------------------------------------------------#
# The following are used only for the "static" Translation Method.
#-------------------------------------------------------------------#
[Static]

# A "static" list of GSS-Authenticated names to
# local user name mappings

#someuser@REALM = localuser


#-------------------------------------------------------------------#
# The following are used only for the "umich_ldap" Translation Method.
#-------------------------------------------------------------------#

[UMICH_SCHEMA]

# server information (REQUIRED)
LDAP_server = ldap-server.local.domain.edu

# the default search base (REQUIRED)
LDAP_base = dc=local,dc=domain,dc=edu

#-----------------------------------------------------------#
# The remaining options have defaults (as shown)
# and are therefore not required.
#-----------------------------------------------------------#

# whether or not to perform canonicalization on the
# name given as LDAP_server
#LDAP_canonicalize_name = true

# absolute search base for (people) accounts
#LDAP_people_base = <LDAP_base>

# absolute search base for groups
#LDAP_group_base = <LDAP_base>

# Set to true to enable SSL - anything else is not enabled
#LDAP_use_ssl = false

# You must specify a CA certificate location if you enable SSL
#LDAP_ca_cert = /etc/ldapca.cert

# Objectclass mapping information

# Mapping for the person (account) object class
#NFSv4_person_objectclass = NFSv4RemotePerson

# Mapping for the nfsv4name attribute the person object
#NFSv4_name_attr = NFSv4Name

# Mapping for the UID number
#NFSv4_uid_attr = UIDNumber

# Mapping for the GSSAPI Principal name
#GSS_principal_attr = GSSAuthName

# Mapping for the account name attribute (usually uid)
# The value for this attribute must match the value of
# the group member attribute - NFSv4_member_attr
#NFSv4_acctname_attr = uid

# Mapping for the group object class
#NFSv4_group_objectclass = NFSv4RemoteGroup

# Mapping for the GID attribute
#NFSv4_gid_attr = GIDNumber

# Mapping for the Group NFSv4 name
#NFSv4_group_attr = NFSv4Name

# Mapping for the Group member attribute (usually memberUID)
# The value of this attribute must match the value of NFSv4_acctname_attr
#NFSv4_member_attr = memberUID
[root@host01 ~]# vi /etc/idmapd.conf
[root@host01 ~]# grep Domain /etc/idmapd.conf
Domain = rootlinks.net
Exporting /home as it is turned out to be confusing to administer, so I decided to export a separate /nishome instead.
[root@host01 ~]# mkdir /nishome
[root@host01 ~]# ll -d /*home/
drwxr-xr-x. 3 root root 21 Aug 12  2015 /home/
drwxr-xr-x. 2 root root  6 Mar 25 14:56 /nishome/
Configure the exported directory in /etc/exports. Be aware of what no_root_squash does here: the default, root_squash, maps root on a client to nobody, whereas no_root_squash lets root on any host in 192.168.1.0/24 read and write every user's home as root on the server (for example drop files into another user's ~/.ssh). With sec=sys, the default that exportfs -v shows below, the server also trusts whatever UID and GID the client presents, so the export is only as trustworthy as the hosts on that subnet. The usual reason to need no_root_squash is that root on a client creates and chowns the per-user directories; if you do that on the server itself, keep the default root_squash.
[root@host01 ~]# cat /etc/exports
[root@host01 ~]# vi /etc/exports
[root@host01 ~]# cat /etc/exports
/nishome 192.168.1.0/24(rw,no_root_squash)
[root@host01 ~]# systemctl enable nfs-server
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
[root@host01 ~]# systemctl start nfs-server
[root@host01 ~]# systemctl status nfs-server
* nfs-server.service - NFS server and services
   Loaded: loaded (/usr/lib/systemd/system/nfs-server.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2016-03-25 15:03:34 JST; 6s ago
  Process: 25227 ExecStart=/usr/sbin/rpc.nfsd $RPCNFSDARGS (code=exited, status=0/SUCCESS)
  Process: 25224 ExecStartPre=/usr/sbin/exportfs -r (code=exited, status=0/SUCCESS)
 Main PID: 25227 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nfs-server.service

Mar 25 15:03:34 host01.rootlinks.net systemd[1]: Starting NFS server and services...
Mar 25 15:03:34 host01.rootlinks.net systemd[1]: Started NFS server and services.
[root@host01 ~]# exportfs -v
/nishome        192.168.1.0/24(rw,wdelay,no_root_squash,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
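As an added example (this is not code from the original post), a small audit of an /etc/exports file that flags the settings that matter on a home-directory export: no_root_squash, insecure, exports open to every host, and the exports(5) pitfall where a space before the option list makes those options apply to everyone rather than to the named host. The sample exports file is constructed for the example; its first entry is the post's own /nishome line, and the finding format is my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/exports for the
# options that matter on a home-directory export.

# audit_exports FILE
# Prints one finding per line as "<path> <client> <finding>" and returns 1 if
# anything was flagged, 0 if the file is clean.
audit_exports() {
    awk '
    # drop comments and blank lines
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }
    {
        path = $1
        # every remaining field is "client(opts)"; a bare "client" gets the
        # defaults, and a bare "(opts)" means "*" with those options, which is
        # what happens when someone types "host (rw)" with a space (exports(5))
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                client = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (client == "" || client == "*") {
                print path, "*", "export open to every host"; bad = 1
            }
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") {
                    print path, client, "no_root_squash: client root is root on the server"; bad = 1
                } else if (o[j] == "insecure") {
                    print path, client, "insecure: requests from unprivileged source ports accepted"; bad = 1
                }
            }
        }
    }
    END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample_exports FILE
# Constructed sample: the post's /nishome line plus two common mistakes.
write_sample_exports() {
    cat > "$1" <<'EOF'
# home directories for the NIS clients
/nishome   192.168.1.0/24(rw,no_root_squash)
/srv/pub   192.168.1.0/24(ro,root_squash)
/srv/tmp   192.168.1.10 (rw)
EOF
}

# Usage: run the audit over the constructed sample.
sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample" || echo "exports need attention (see findings above)"
rm -f "$sample"
```

To audit the live configuration run audit_exports /etc/exports; the exports(5) space pitfall is worth keeping in the check because exportfs accepts such a line silently and exportfs -v is the only place it becomes visible.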
If a firewall is enabled, the NFS helper daemons must be pinned to fixed ports and those ports allowed. nfsd itself always listens on 2049 and rpcbind on 111, but rpc.mountd, rpc.statd and the kernel lockd are otherwise given a random port by rpcbind each time they start, so a static firewall rule cannot cover them until they are pinned.
8.7.3. Running NFS Behind a Firewall (Red Hat Enterprise Linux 7 Storage Administration Guide)
https://access.redhat.com/documentation/ja-JP/Red_Hat_Enterprise_Linux/7/html/Storage_Administration_Guide/nfs-serverconfig.html#s2-nfs-nfs-firewall-config
- Configure /etc/sysconfig/nfs
- Allow the ports in the firewall
Edit /etc/sysconfig/nfs and uncomment LOCKD_TCPPORT=, LOCKD_UDPPORT=, MOUNTD_PORT= and STATD_PORT= to fix the ports each daemon listens on. As the comment at the top of the file says, the new values only take effect after systemctl restart nfs-config; restart nfs-server afterwards and confirm with rpcinfo -p that mountd, status and nlockmgr are registered on the ports you chose, otherwise the firewall rules below allow the wrong ports.
[root@host01 ~]# cat /etc/sysconfig/nfs
#
# Note: For new values to take effect the nfs-config service
# has to be restarted with the following command:
#    systemctl restart nfs-config
#
# Optional arguments passed to in-kernel lockd
#LOCKDARG=
# TCP port rpc.lockd should listen on.
#LOCKD_TCPPORT=32803
# UDP port rpc.lockd should listen on.
#LOCKD_UDPPORT=32769
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
RPCNFSDARGS=""
# Number of nfs server processes to be started.
# The default is 8.
#RPCNFSDCOUNT=16
#
# Set V4 grace period in seconds
#NFSD_V4_GRACE=90
#
# Set V4 lease period in seconds
#NFSD_V4_LEASE=90
#
# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
RPCMOUNTDOPTS=""
# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
#
# Optional arguments passed to rpc.statd. See rpc.statd(8)
STATDARG=""
# Port rpc.statd should listen on.
#STATD_PORT=662
# Outgoing port statd should used. The default is port
# is random
#STATD_OUTGOING_PORT=2020
# Specify callout program
#STATD_HA_CALLOUT="/usr/local/bin/foo"
#
#
# Optional arguments passed to sm-notify. See sm-notify(8)
SMNOTIFYARGS=""
#
# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
RPCIDMAPDARGS=""
#
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
RPCGSSDARGS=""
#
# Enable usage of gssproxy. See gssproxy-mech(8).
GSS_USE_PROXY="yes"
#
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
RPCSVCGSSDARGS=""
#
# Optional arguments passed to blkmapd. See blkmapd(8)
BLKMAPDARGS=""
[root@host01 ~]# vi /etc/sysconfig/nfs
[root@host01 ~]# grep PORT /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
#STATD_OUTGOING_PORT=2020
[root@host01 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@host01 ~]# firewall-cmd --permanent --add-port=892/udp
success
[root@host01 ~]# firewall-cmd --permanent --add-port=892/tcp
success
[root@host01 ~]# firewall-cmd --permanent --add-port=662/udp
success
[root@host01 ~]# firewall-cmd --permanent --add-port=662/tcp
success
[root@host01 ~]# firewall-cmd --permanent --add-port=32803/tcp
success
[root@host01 ~]# firewall-cmd --permanent --add-port=32769/udp
success
[root@host01 ~]# firewall-cmd --reload
success
[root@host01 ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client nfs rpc-bind ssh
  ports: 32803/tcp 662/udp 662/tcp 834/udp 892/udp 836/udp 892/tcp 32769/udp 834/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
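As an added example (not code from the original post), the two halves of this step done from the configuration file instead of by hand: derive the firewall-cmd openings from whatever ports are pinned in /etc/sysconfig/nfs, and then verify against the output of rpcinfo -p that mountd, status and nlockmgr really came up on those ports after the restart, which is the check that catches a forgotten systemctl restart nfs-config. This goes beyond the post by adding the verification. The sysconfig excerpt and the rpcinfo -p output are constructed; the firewalld service names nfs and rpc-bind are the predefined ones the post's own firewall-cmd --list-all shows.

```shell
#!/bin/sh
# Added example, not from the original post: firewall openings derived from
# /etc/sysconfig/nfs, plus a check of rpcinfo -p against the pinned ports.

# nfs_pinned_ports SYSCONFIG_FILE
# Prints "port/proto" pairs, one per line. Commented-out defaults are
# ignored; MOUNTD_PORT and STATD_PORT apply to both tcp and udp.
nfs_pinned_ports() {
    awk -F= '
    /^[ \t]*#/ { next }
    $1 == "LOCKD_TCPPORT" { print $2 "/tcp" }
    $1 == "LOCKD_UDPPORT" { print $2 "/udp" }
    $1 == "MOUNTD_PORT" || $1 == "STATD_PORT" { print $2 "/tcp"; print $2 "/udp" }
    ' "$1"
}

# firewall_commands SYSCONFIG_FILE
# Prints the firewall-cmd lines to run. Port 2049 comes from the predefined
# "nfs" service and 111 from "rpc-bind"; the pinned ports are added explicitly.
firewall_commands() {
    echo "firewall-cmd --permanent --add-service=nfs"
    echo "firewall-cmd --permanent --add-service=rpc-bind"
    nfs_pinned_ports "$1" | LC_ALL=C sort -u | sed 's#^#firewall-cmd --permanent --add-port=#'
    echo "firewall-cmd --reload"
}

# check_rpc_ports SYSCONFIG_FILE RPCINFO_FILE
# RPCINFO_FILE holds saved output of `rpcinfo -p`. Prints one line per service
# that is missing or off its pinned port and returns 1 if there were any.
check_rpc_ports() {
    awk '
    FILENAME == ARGV[1] {                      # first file: /etc/sysconfig/nfs
        if ($0 ~ /^[ \t]*#/) next
        split($0, kv, "=")
        if (kv[1] == "LOCKD_TCPPORT") want["nlockmgr/tcp"] = kv[2]
        if (kv[1] == "LOCKD_UDPPORT") want["nlockmgr/udp"] = kv[2]
        if (kv[1] == "MOUNTD_PORT") { want["mountd/tcp"] = kv[2]; want["mountd/udp"] = kv[2] }
        if (kv[1] == "STATD_PORT")  { want["status/tcp"] = kv[2]; want["status/udp"] = kv[2] }
        next
    }
    # second file: rpcinfo -p lines are "program vers proto port service"
    NF == 5 && $1 ~ /^[0-9]+$/ {
        key = $5 "/" $3
        if (key in want) {
            seen[key] = 1
            if ($4 != want[key]) { print key " on port " $4 ", expected " want[key]; bad = 1 }
        }
    }
    END {
        for (k in want) if (!(k in seen)) { print k " not registered with rpcbind"; bad = 1 }
        exit bad ? 1 : 0
    }
    ' "$1" "$2"
}

# Constructed /etc/sysconfig/nfs excerpt with the ports pinned as in the post.
write_sample_sysconfig() {
    cat > "$1" <<'EOF'
# constructed excerpt
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
RPCNFSDARGS=""
MOUNTD_PORT=892
STATD_PORT=662
#STATD_OUTGOING_PORT=2020
EOF
}

# Constructed `rpcinfo -p` output from a server where the pins took effect.
write_sample_rpcinfo() {
    cat > "$1" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100003    3   tcp   2049  nfs
EOF
}

# Usage: print the commands, then verify the constructed rpcinfo output.
sc=$(mktemp); ri=$(mktemp)
write_sample_sysconfig "$sc"; write_sample_rpcinfo "$ri"
firewall_commands "$sc"
check_rpc_ports "$sc" "$ri" && echo "all pinned services are on their ports"
rm -f "$sc" "$ri"
```

On a real server the check is rpcinfo -p > /tmp/rpcinfo.txt followed by check_rpc_ports /etc/sysconfig/nfs /tmp/rpcinfo.txt; a status or nlockmgr line reported on some high random port means the daemons started before nfs-config was restarted, and the firewall rules are allowing ports nothing listens on.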