
rocky9

Finding RPM packages

https://rpmfind.net/

https://rpmfind.net/linux/epel/

System configuration

Download: https://rockylinux.org/zh_CN/download/

Enable the Cockpit web management UI with systemctl enable --now cockpit.socket; it listens on port 9090.

Missing system packages

dnf install sysstat screen

Switch to the NJU (Nanjing University) mirror

sed -e 's|^mirrorlist=|#mirrorlist=|g' \
    -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.nju.edu.cn/rocky|g' \
    -i.bak \
    /etc/yum.repos.d/[Rr]ocky*.repo
dnf makecache

Configure Chinese locale support

# Check whether a Chinese locale is installed (none is listed on a fresh install)
$ localectl list-locales | grep zh

# List the available language packs
$ dnf list | grep glibc-langpack

# Install the Chinese language pack
$ dnf install glibc-langpack-zh

# Set the system locale
$ localectl set-locale LANG="zh_CN.utf8"

Network configuration

Traditional method (ifcfg files)

/etc/sysconfig/network-scripts/ifcfg-ens224
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=ens224
#UUID=74c5ccee-c1f4-4f45-883f-fc4f765a8477
DEVICE=ens224
ONBOOT=yes
IPADDR=192.168.20.170
PREFIX=24
GATEWAY=192.168.20.209
DNS1=211.69.143.174
DNS2=114.114.114.114
IPV6_DISABLED=yes
# Load the profile into NetworkManager
nmcli c load /etc/sysconfig/network-scripts/ifcfg-ens224

# Restart networking (run both lines)
systemctl restart NetworkManager.service
nmcli networking off && nmcli networking on

systemctl reload NetworkManager

New method (keyfile profiles)

The new-style profile file; to configure several IP addresses on one interface, edit this file.

/etc/NetworkManager/system-connections/ens18.nmconnection
[connection]
id=ens18
uuid=7f49fd62-02d9-323e-8f35-0c8249647a74
type=ethernet
autoconnect-priority=-999
interface-name=ens18
timestamp=1669365850

[ethernet]

[ipv4]
address1=192.168.11.144/24,192.168.11.254
# address2=192.168.11.145/24,192.168.11.254
dns=114.114.114.114;223.6.6.6;
dns-search=rockylinux.cn;rockylinux.org;
method=auto

[ipv6]
addr-gen-mode=eui64
method=disabled

[proxy]

  • [connection] keys

    key: description
    id: The alias of con-name; the value is a string.
    uuid: Universally unique identifier; the value is a string.
    type: The connection type; values can be ethernet, bluetooth, vpn, vlan and so on. Use man nmcli to see all supported types.
    interface-name: The name of the network interface this connection is bound to; the value is a string.
    timestamp: Unix timestamp in seconds, i.e. the number of seconds since January 1, 1970.
    autoconnect: Whether the connection is brought up automatically at boot. The value is Boolean.
  • [ethernet] keys

    key: description
    mac-address: MAC (physical) address.
    mtu: Maximum Transmission Unit.
    auto-negotiate: Whether to auto-negotiate. The value is Boolean.
    duplex: Values can be half (half-duplex) or full (full-duplex).
    speed: The link speed of the network card; 100 means 100 Mbit/s. If auto-negotiate=false, both the speed and duplex keys must be set; if auto-negotiate=true, the negotiated speed is used and this value has no effect (this applies only to the BASE-T 802.3 specification). When nonzero, the duplex key must also have a value.
  • [ipv4] keys

    key: description
    addresses: IP addresses assigned
    gateway: Gateway (next hop) for the interface
    dns: DNS servers in use
    method: How the IP address is obtained; the value is a string and can be auto, disabled, link-local, manual or shared

If the machine has several NICs, disable the unused ones by setting autoconnect=false in their [connection] section, to avoid route conflicts (two active profiles each installing a default route).

# Reload the profile files
nmcli connection reload

# Restart NetworkManager to apply
systemctl restart NetworkManager
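As an added illustration of the autoconnect note above (not code from the original page), the following Python script parses keyfile profiles with configparser and reports when more than one profile that activates at boot would install a default route; the profile names, addresses and file contents are constructed samples, with ens18 mirroring the profile shown above.

```python
import configparser
import ipaddress

# Constructed sample profiles in NetworkManager keyfile format (same layout as
# /etc/NetworkManager/system-connections/*.nmconnection). Names and addresses are
# hypothetical: ens18 mirrors the profile shown above, the other two are extra.
PROFILES = {
    "ens18.nmconnection": """\
[connection]
id=ens18
type=ethernet
interface-name=ens18

[ipv4]
address1=192.168.11.144/24,192.168.11.254
# address2=192.168.11.145/24,192.168.11.254
dns=114.114.114.114;223.6.6.6;
method=manual

[ipv6]
method=disabled
""",
    "ens19.nmconnection": """\
[connection]
id=ens19
type=ethernet
interface-name=ens19
autoconnect=false

[ipv4]
address1=10.0.0.5/24,10.0.0.1
method=manual
""",
    "ens20.nmconnection": """\
[connection]
id=ens20
type=ethernet
interface-name=ens20

[ipv4]
method=auto
""",
}


def parse_keyfile(text):
    """Parse one keyfile profile; keys keep their case and '%' is not special."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def ipv4_addresses(cp):
    """(interface, gateway-or-None) for every addressN key, checking the gateway is on-link."""
    out = []
    if not cp.has_section("ipv4"):
        return out
    for key, val in cp.items("ipv4"):
        if not key.startswith("address"):
            continue
        addr_part, _, gw_part = val.partition(",")
        iface = ipaddress.ip_interface(addr_part.strip())
        gw = ipaddress.ip_address(gw_part.strip()) if gw_part.strip() else None
        if gw is not None and gw not in iface.network:
            raise ValueError(f"{key}: gateway {gw} is not inside {iface.network}")
        out.append((iface, gw))
    return out


def installs_default_route(cp):
    """True if activating the profile adds a default route: an explicit gateway, or
    DHCP (method=auto) unless never-default=true."""
    method = cp.get("ipv4", "method", fallback="auto")
    if method in ("disabled", "link-local"):
        return False
    if method == "auto":
        return cp.get("ipv4", "never-default", fallback="false").lower() != "true"
    if cp.get("ipv4", "gateway", fallback=""):
        return True
    return any(gw is not None for _, gw in ipv4_addresses(cp))


def will_autoconnect(cp):
    """autoconnect defaults to true when the key is absent."""
    return cp.get("connection", "autoconnect", fallback="true").lower() != "false"


def find_route_conflicts(profiles):
    """Profiles that activate at boot and would each install a default route; two or
    more of them is the route conflict the note above warns about."""
    parsed = {name: parse_keyfile(text) for name, text in profiles.items()}
    hits = [name for name, cp in parsed.items()
            if will_autoconnect(cp) and installs_default_route(cp)]
    return hits if len(hits) > 1 else []
```

Run it against the real directory by reading each *.nmconnection file into the dict; ens19 is skipped because autoconnect=false, which is exactly the fix the note recommends.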

Using nmcli

# Reload all connection profiles from disk
nmcli c reload

# Bring a connection up
nmcli c up ens160

# Bring a connection down
nmcli c down ens160

# Show device status
nmcli device status

# Show details of all devices
nmcli device show

# Show details of the ens160 device
nmcli device show ens160

# Create a DHCP connection; con-name is the profile name, ifname is the network interface
nmcli c add type ethernet con-name ens160 ifname ens66

# Bring the profile up automatically at boot
nmcli c modify ens160 connection.autoconnect yes

# Delete the connection profile ens160
nmcli c delete ens160

# Add/remove an IP address and set the gateway
nmcli c modify ens160 +ipv4.address 192.168.0.3/24  # add an address
nmcli c modify ens160 -ipv4.address 192.168.0.3/24  # remove an address
nmcli c modify ens160 ipv4.gateway 192.168.0.1      # set the gateway

# DNS
nmcli c modify ens160 ipv4.dns 8.8.8.8   # set DNS
nmcli c modify ens160 -ipv4.dns 8.8.8.8  # remove DNS

# Address assignment method
nmcli connection modify ens160 ipv4.method manual  # static
nmcli connection modify ens160 ipv4.method auto    # DHCP

# Reload the profile files; recommended after every edit
nmcli connection reload

# Apply the profile immediately, without rebooting. The first form is recommended; keep it simple.
nmcli c up ens160
nmcli device connect ens160
nmcli device reapply ens160

ip command (changes made with ip are not persistent across reboots; use nmcli or the profile files above for persistent settings)

ip link show                     # show network interfaces
ip link set eth0 up              # bring the interface up
ip link set eth0 down            # bring the interface down
ip link set eth0 promisc on      # enable promiscuous mode
ip link set eth0 promisc off     # disable promiscuous mode
ip link set eth0 txqueuelen 1200 # set the transmit queue length
ip link set eth0 mtu 1400        # set the MTU
ip addr show                     # show IP addresses
ip addr add 192.168.0.1/24 dev eth0 # assign 192.168.0.1/24 to eth0
ip addr del 192.168.0.1/24 dev eth0 # remove the address from eth0

ip route show                              # show the routing table
ip route add default via 192.168.1.254     # set the default route
ip route list                              # list routes
ip route add 192.168.4.0/24 via 192.168.0.254 dev eth0 # route 192.168.4.0/24 via 192.168.0.254 through eth0
ip route add default via 192.168.0.254 dev eth0        # set the default gateway to 192.168.0.254
ip route del 192.168.4.0/24   # delete the route for 192.168.4.0/24
ip route del default          # delete the default route
ip route delete 192.168.1.0/24 dev eth0 # delete a route

Time settings

timedatectl                              # show the current time and sync status
timedatectl list-timezones               # list all time zones
timedatectl set-local-rtc 1              # keep the hardware clock in local time; 0 sets it to UTC
timedatectl set-timezone Asia/Shanghai   # set the system time zone to Shanghai
timedatectl set-ntp true                 # enable network time synchronisation

Edit /etc/chrony.conf

server ntp.aliyun.com iburst
#server cn.ntp.org.cn iburst

Restart chronyd
systemctl restart chronyd
chronyc sources -v          # verify the configured sources are being used
systemctl enable chronyd.service

firewalld

# Show the configuration
firewall-cmd --list-all

firewall-cmd --list-services  # open by default: ssh dhcpv6-client
firewall-cmd --zone=public --list-services  # for a specific zone
firewall-cmd --list-ports
firewall-cmd --zone=public --list-ports  # for a specific zone

# Show the saved configuration file
cat /etc/firewalld/zones/public.xml

# Open a TCP port (to close it again, change add to remove)
firewall-cmd --zone=public --add-port=80/tcp --permanent  # --permanent makes the change persistent
firewall-cmd --add-port=80/tcp --permanent  # equivalent to the above; the default zone is public
firewall-cmd --reload  # reload so the permanent configuration takes effect

# About zones
firewall-cmd --get-zones  # list all zones; CentOS 7 has 9 zones
block dmz drop external home internal public trusted work
firewall-cmd --get-zones  # CentOS 8 has 10 zones
block dmz drop external home internal libvirt public trusted work
firewall-cmd --get-default-zone  # show the default zone
public

# Add a service
firewall-cmd --add-service=snmp --permanent
firewall-cmd --reload
firewall-cmd --get-services  # list the available services

# Restrict access to a source network (the rule elements must be separated by spaces)
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="3306" accept' --permanent
firewall-cmd --reload

# Add common services
firewall-cmd --add-service=snmp --permanent
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

# Block ping
firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'  # drop all ICMP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" protocol value="icmp" accept'  # allow ICMP from 192.168.1.0/24
firewall-cmd --reload && firewall-cmd --list-rich-rules  # check the rules that are actually active
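Added example, not from the original page: a Python audit of a zone file such as /etc/firewalld/zones/public.xml that separates what the zone opens to every source from what a rich rule limits to a source network, and lists the drop/reject rules; the zone contents below are a constructed sample of what the commands above produce.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of /etc/firewalld/zones/public.xml, roughly what the commands
# above produce (zone-wide service/port entries plus rich rules); hypothetical content.
SAMPLE_ZONE_XML = """\
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port port="80" protocol="tcp"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <port protocol="tcp" port="5432"/>
    <accept/>
  </rule>
  <rule>
    <protocol value="icmp"/>
    <drop/>
  </rule>
</zone>
"""


def _rule_target(rule: ET.Element) -> str:
    """Human-readable description of what a rich rule matches."""
    port = rule.find("port")
    if port is not None:
        return f"port {port.get('port')}/{port.get('protocol')}"
    svc = rule.find("service")
    if svc is not None:
        return f"service {svc.get('name')}"
    proto = rule.find("protocol")
    if proto is not None:
        return f"protocol {proto.get('value')}"
    return "all traffic"


def audit_zone(xml_text: str) -> Dict[str, List[str]]:
    """Classify what a zone file exposes.

    world_open   - reachable from every source: zone-level <service>/<port> entries and
                   accept rich rules with no <source> or a /0 source
    source_bound - accept rich rules restricted to a source network, ipset or MAC
    non_accept   - rich rules whose final action is drop or reject (or log only)
    """
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"expected <zone> root element, got <{root.tag}>")
    result: Dict[str, List[str]] = {"world_open": [], "source_bound": [], "non_accept": []}
    for svc in root.findall("service"):
        result["world_open"].append(f"service {svc.get('name')}")
    for port in root.findall("port"):
        result["world_open"].append(f"port {port.get('port')}/{port.get('protocol')}")
    for rule in root.findall("rule"):
        target = _rule_target(rule)
        actions = [c.tag for c in rule if c.tag in ("accept", "drop", "reject")]
        action = actions[-1] if actions else "log-only"
        if action != "accept":
            result["non_accept"].append(f"{target} {action}")
            continue
        src = rule.find("source")
        where = None if src is None else (src.get("address") or src.get("ipset") or src.get("mac"))
        if where is None or where.endswith("/0"):
            result["world_open"].append(f"{target} (rich rule, any source)")
        else:
            result["source_bound"].append(f"{target} from {where}")
    return result


if __name__ == "__main__":
    for kind, entries in audit_zone(SAMPLE_ZONE_XML).items():
        print(kind, entries)
```

Point it at the real file (open("/etc/firewalld/zones/public.xml").read()) after a --permanent change to confirm that what is reachable from anywhere is what you intended.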

docker

https://www.rockylinux.cn/technical-blog/zai-rocky-linux-9-1-shang-an-zhuang-docker-ce.html

dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf config-manager --add-repo=docker-ce.repo

dnf

Basic usage

repolist: show the DNF repositories enabled on the system
list: list all package names
search <name>: search the repositories for a package
provides <path>: find which package provides a file
info <name>: show package details
install <name>: install a package
update <name>: upgrade a package
check-update: check for package updates
update: upgrade all packages on the system
remove: remove a package
autoremove: remove orphaned packages that are no longer needed
clean all: remove cached packages
help <command>: get help for a command
help: list all dnf commands and their purpose
history: show the dnf transaction history
grouplist: list all package groups
groupinstall <group>: install a package group
groupupdate <group>: upgrade the packages in a group
groupremove <group>: remove a package group
distro-sync: synchronise packages to the latest stable release
reinstall <name>: reinstall a package
downgrade <name>: roll a package back to an earlier version
--version: show the DNF version
# Show the dnf version
dnf --version
# List the enabled repositories
dnf repolist
# List enabled and disabled repositories
dnf repolist all
# List all RPM packages
dnf list
# List installed packages
dnf list installed
# List packages available for installation
dnf list available
# Search for a package (nginx as the example)
dnf search nginx
# Show package details
dnf info nginx
# Install a package
dnf install nginx
# Upgrade a package
dnf update nginx
# Check for package updates
dnf check-update
# Upgrade all packages
dnf update    # or: dnf upgrade
# Remove a package
dnf remove nginx    # or: dnf erase nginx
# Remove orphaned packages
dnf autoremove
# Remove cached packages
dnf clean all
# Get help for a command
dnf help clean
# Reinstall a package
dnf reinstall nginx
# Roll a package back to an earlier version
dnf downgrade nginx

module

CentOS 8: switching software streams with dnf module

Using modules in Fedora

The dnf in CentOS 8 added a "module" feature (module streams, roughly as described below). It is used to switch between different versions of a piece of software, mainly to quickly replace or upgrade the version currently in use.

dnf module in CentOS 8 serves the same purpose, for example switching the version of php, nginx, nodejs and so on, and CentOS 8 will add more modules over time (most of them live in the AppStream repository). Some third-party repositories already support it too, for example the remi repository (repo download: CentOS8 yum/dnf configuration).

dnf [OPTIONS] module [COMMAND] [MODULE-SPEC]

OPTIONS:
see the dnf(8) man page for details

COMMAND:
enable    enable a module stream
info      show module information
remove    remove a module's packages
provides  show which module provides a package
list      list modules and their streams
update    update a module
install   install a module
reset     reset a module
disable   disable a module

MODULE-SPEC:
Name[:Stream[/Profiles]]   module name[:stream[/profile]]

apache

Building from source: https://www.golinuxcloud.com/rocky-linux-install-apache-from-source-code/

Newer versions: https://codeit.guru/en_US/

https://rhel.pkgs.org/8/raven-modular-x86_64/httpd-2.4.54-1.el8.x86_64.rpm.html

Before installing httpd, use dnf list to check which httpd version will be installed

$  dnf list | grep httpd
httpd.x86_64                                         2.4.53-7.el9                        @appstream
httpd-core.x86_64                                    2.4.53-7.el9                        @appstream
httpd-devel.x86_64                                   2.4.53-7.el9                        @appstream
httpd-filesystem.noarch                              2.4.53-7.el9                        @appstream
httpd-manual.noarch                                  2.4.53-7.el9                        @appstream
httpd-tools.x86_64                                   2.4.53-7.el9                        @appstream
rocky-logos-httpd.noarch                             90.13-1.el9                         @appstream
keycloak-httpd-client-install.noarch                 1.1-10.el9                          appstream
libmicrohttpd.i686                                   1:0.9.72-4.el9                      appstream
libmicrohttpd.x86_64                                 1:0.9.72-4.el9                      appstream
python3-keycloak-httpd-client-install.noarch         1.1-10.el9                          appstream
The httpd-related packages are listed above. httpd and httpd-tools are required; httpd-devel is needed when building Apache modules or related software with ./configure, make and make install.
Package contents:
httpd: the httpd server itself
httpd-devel: development headers and tools for building modules
httpd-filesystem: the basic directory layout for Apache httpd
httpd-manual: the httpd manual
# Install
$ dnf install -y httpd httpd-tools httpd-devel httpd-manual
# Check the installed version
dnf list --installed | grep httpd
# Validate the configuration
apachectl configtest
# Start the service
systemctl start httpd
# Open the firewall
firewall-cmd --add-service=http --zone=public --permanent
firewall-cmd --reload

mariadb

https://mariadb.org/mariadb/all-releases/

https://juejin.cn/post/6981856163339960327

https://www.xiaoyuanjiu.com/108366.html

How to install MariaDB 10.6 on Rocky Linux 8

Installation

# version 10.5.16
$ dnf install mariadb-server
$ systemctl start mariadb

Initial configuration after installation

$ mysql_secure_installation   # run with root privileges

First you are prompted for the current database root password

Enter current password for root (enter for none):   <-- press Enter on a fresh install

Set the root password

Set root password? [Y/n]   <-- whether to set a root password; type y and press Enter, or just press Enter
New password:              <-- the new root password
Re-enter new password:     <-- repeat it

Other settings

Remove anonymous users? [Y/n]                 <-- remove anonymous users
Disallow root login remotely? [Y/n]           <-- forbid remote root logins
Remove test database and access to it? [Y/n]  <-- drop the test database
Reload privilege tables now? [Y/n]            <-- reload the privilege tables

Changing the root password, method 2

In newer versions the table that actually takes effect is mysql.global_priv, not mysql.user.

# The root password can also be changed as follows:
$ sudo mysql -u root   # press Enter; the banner below means the login succeeded

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 10.1.37-MariaDB-0+deb9u1 Raspbian 9.0

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

# Then change the password with the following statements
MariaDB [(none)]> use mysql;
# Older method, for versions where mysql.user is still the authoritative table:
# MariaDB [mysql]> UPDATE user SET plugin='mysql_native_password' WHERE user='root';   -- authentication plugin
# MariaDB [mysql]> UPDATE user SET password=PASSWORD('your_root_password') WHERE user='root';   -- set the password
MariaDB [mysql]> ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("root_password");
MariaDB [mysql]> flush privileges;   -- reload the privilege tables
MariaDB [mysql]> exit;

# Note that every SQL statement must end with a semicolon

# Then restart the service
$ systemctl restart mariadb

Changing the default data directory

$ mkdir -p /data/mysql
$ chown mysql:mysql -R /data/mysql/
# Edit the configuration file
$ vim /etc/my.cnf

# Restart mariadb
$ systemctl restart mariadb.service
The edited configuration file /etc/my.cnf
#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

[mysqld]
character-set-server=utf8
datadir=/data/mysql
Note that the new directory must not be under /home, /root or /run/user, otherwise the service fails with Can't create test file '/home/mariadb/localhost.lower-test' (Errcode: 13 "Permission denied"). This is caused by the ProtectHome setting in mariadb.service; if the /home directory must be used, change it as shown below and restart the service. Two further checks: with SELinux enforcing, a data directory outside /var/lib/mysql also needs the mysqld_db_t label (semanage fcontext -a -t mysqld_db_t "/data/mysql(/.*)?" && restorecon -Rv /data/mysql), and an override written with systemctl edit mariadb survives package updates, whereas an edit to the unit under /usr/lib does not.
/usr/lib/systemd/system/mariadb.service
# Prevent accessing /home, /root and /run/user
# (the default is true; systemd does not allow a trailing comment on the value line itself)
ProtectHome=false

Database backup

Backup

#!/bin/bash
# Dump every database listed in the mysqldb_a* files (one name per line) into
# backdb_<name>.sql, dumping the databases of each list file in parallel.
# Credentials on the command line are visible to other users via ps; a [client]
# section in a file passed with --defaults-extra-file avoids that.
MYSQL_USER=username
MYSQL_PASS=password   # no space after -p below, otherwise "password" is taken as the database name and a prompt appears
for f in mysqldb_a*; do
    for db in $(cat "$f"); do
        mysqldump -u "$MYSQL_USER" -p"$MYSQL_PASS" "$db" > "backdb_${db}.sql" &
    done
    wait
done
Restore
#!/bin/bash
# Restore each database named in mysqldb_list from db_sql/backdb_<name>.sql
mysqluser=root
mysqlpass=password
mysqlcent="mysql -u $mysqluser -p$mysqlpass"
dbnames=$(cat mysqldb_list)
pref="backdb_"
for data in $dbnames; do
    # the target database must exist before the dump can be loaded into it
    $mysqlcent -e "CREATE DATABASE IF NOT EXISTS \`$data\`"
    $mysqlcent -D"$data" < "db_sql/${pref}${data}.sql"   # restore the data
done

PHP

Basic installation

$ dnf install php php-fpm php-mysqlnd php-opcache php-gd php-ldap php-odbc php-pear php-xml php-mbstring php-snmp php-soap
On RHEL 7 and earlier, PHP ran inside Apache via mod_php by default; from RHEL 8 on, PHP runs under PHP-FPM by default, so PHP-FPM has to be started
$ systemctl start php-fpm
$ systemctl enable php-fpm

# After installing and configuring PHP, restart Apache for the change to take effect:
$ systemctl restart httpd
For upgrading, see

Installing the latest PHP on CentOS with dnf

How to install the latest PHP 8 on Rocky Linux

Installing the latest LNMP stack on CentOS 8 with dnf

Privoxy proxy

Start a local SOCKS5 proxy over ssh

$ ssh -fN -D 1091 -p 12345 username@192.168.1.100
Use privoxy to turn the SOCKS5 proxy into an HTTP proxy
$ wget https://rpmfind.net/linux/epel/9/Everything/x86_64/Packages/p/privoxy-3.0.33-2.el9.x86_64.rpm
$ rpm -ivh privoxy-3.0.33-2.el9.x86_64.rpm

Check the /etc/privoxy/config file

First search for listen-address and find the line listen-address 127.0.0.1:8118; make sure it is not commented out. 8118 is the port that clients will use for the HTTP proxy.

Then search for forward-socks5t and remove the comment in front of #forward-socks5t / 127.0.0.1:1091 . so that traffic is forwarded to local port 1091, the port the SOCKS5 proxy listens on.

Start privoxy

$ systemctl restart privoxy
$ systemctl enable privoxy

Forwarding settings, run in the current session

export http_proxy=http://127.0.0.1:8118
export https_proxy=http://127.0.0.1:8118
Using a remote shadowsocks proxy
# A plain pip install shadowsocks fails with "method aes-256-gcm not supported"
$ pip install https://github.com/shadowsocks/shadowsocks/archive/master.zip -U

# Write the configuration file; JSON does not allow comments, so leave them out of the file or it fails to parse
$ cat /etc/shadowsocks-client.json
{
    "server":"your_server_ip",        # server IP
    "server_port":your_server_port,   # server port
    "local_address": "127.0.0.1",     # local bind address
    "local_port":1080,                # local port
    "password":"your_server_passwd",  # password
    "timeout":300,                    # timeout in seconds
    "method":"aes-256-gcm",           # cipher
    "fast_open": false,               # true or false. If the server's Linux kernel is 3.7+, TCP Fast Open can be enabled to reduce latency: echo 3 > /proc/sys/net/ipv4/tcp_fastopen, then set fast_open to true
    "workers": 1                      # number of worker processes
}

$ nohup sslocal -c /etc/shadowsocks-client.json > /dev/null 2>&1 &

docker

# Add the Docker repository
dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo

# Refresh the repositories and update
dnf update

# Install Docker
dnf install -y docker-ce

# Start the Docker service
sudo systemctl start docker && sudo systemctl status docker

# Enable Docker at boot
sudo systemctl enable docker

# Recommended: add a regular user to the docker group and run Docker as that user.
# Membership of the docker group is equivalent to root on the host, so grant it only to trusted accounts.
sudo usermod -aG docker $USER

# Apply the group change in the current shell
newgrp docker

# Test
$ docker pull alpine
$ docker run -it alpine /bin/sh
/ # ping www.baidu.com
PING www.baidu.com (182.61.200.7): 56 data bytes
64 bytes from 182.61.200.7: seq=0 ttl=47 time=24.300 ms
64 bytes from 182.61.200.7: seq=1 ttl=47 time=23.994 ms
Configure a registry mirror
$ cat /etc/docker/daemon.json
{
 "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
$ systemctl daemon-reload
$ systemctl restart docker

LVM

LVM basics

  • Physical Extent: PE

    A PE is like the disk block mentioned earlier; its size also affects the maximum size of a VG.

  • Physical Volume: PV

    Recall that when partitioning, the list of partition types includes an LVM identifier (8e). To use LVM, first change the partition type to 8e, then use pvcreate to turn the partition into a PV; this is the prerequisite for the next step.

  • Volume Group: VG

    A VG combines several PVs into one larger virtual disk.

  • Logical Volume: LV

    To use a VG it must be divided into LVs. An LV can be thought of as a partition, and like a partition it must be formatted before it can be mounted.

Basic usage

# Create a PV
pvcreate /dev/sda

# Create a VG
vgcreate data /dev/sda

# Create an LV. Striping options: -i <n> sets the number of PVs to stripe across, -I <size> sets the stripe unit size (the data unit per I/O); the size must be a power of 2, in KB, e.g. -i 2 -I 64
lvcreate -n lv-data -L 50T data

# Format the LV
mkfs.xfs /dev/data/lv-data

# Mount the LV
mount /dev/data/lv-data /disk2/

Other operations

# Remove an LV
lvremove /dev/data/lv-data

# Rename a VG
vgrename /dev/vg1 /dev/vg2

# Grow an LV
# Check how much free space the VG still has
vgdisplay

# Grow the root LV to 400 GB
lvextend -L 400G /dev/centos/root

# Grow the filesystem; for ext4 use resize2fs /dev/mapper/centos-root
xfs_growfs /dev/mapper/centos-root

NIS

Rocky 9 dropped official support for NIS and ships no NIS RPM packages, so they have to be built by hand. Since Rocky 8 the authselect tool has replaced authconfig for managing system authentication, and the default authselect in Rocky 9 has no NIS profile, so authselect also has to be rebuilt with NIS support. Pre-built RPM packages are provided here; they can also be built by following this document. Keep in mind that NIS has no transport security: every host permitted by securenets can read the maps, password hashes included, so it belongs only on a trusted internal network.

Pre-built RPM packages, ready to download and use

authselect-1.2.6-2.el9.x86_64.rpm

authselect-libs-1.2.6-2.el9.x86_64.rpm

nss_nis-3.2-8.el9.x86_64.rpm

ypbind-2.7.2-2.el9.x86_64.rpm

ypserv-4.2-1.el9.x86_64.rpm

yp-tools-4.2.3-2.el9.x86_64.rpm

A yp-tools RPM whose yppasswd was built with cracklib password checking enabled:

yp-tools-cracklib1-4.2.3-2.el9.x86_64.rpm   built with the --enable-cracklib option

yp-tools-cracklib2-4.2.3-2.el9.x86_64.rpm   built with the --enable-cracklib-strict option

The RPMs can also be built yourself following the steps below

ypserv

$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/ypserv-4.1-1.el8.src.rpm
$ rpm -Uvh ypserv-4.1-1.el8.src.rpm

$ git clone https://github.com/thkukuk/ypserv
$ cd ypserv
$ git checkout v4.2
$ cd ..
$ tar --exclude-vcs --transform 's/ypserv/ypserv-4.2/' -cvzf ypserv-4.2.tar.gz ypserv
$ cp ypserv-4.2.tar.gz rpmbuild/SOURCES/

$ vim rpmbuild/SPECS/ypserv.spec
Edit ypserv.spec, using the Rocky 8 spec as the reference
--- rpmbuild/SPECS/ypserv.spec.orig     2022-04-17 10:11:09.000000000 +0900
+++ rpmbuild/SPECS/ypserv.spec  2023-08-22 20:32:33.738889909 +0900
@@ -3,11 +3,11 @@
 Summary: The NIS (Network Information Service) server
 Url: http://www.linux-nis.org/nis/ypserv/index.html
 Name: ypserv
-Version: 4.1
+Version: 4.2
 Release: 1%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
-Source0: https://github.com/thkukuk/%{name}/archive/v%{version}.tar.gz
+Source0: https://github.com/thkukuk/%{name}/archive/v%{version}.tar.gz#/ypserv-%{version}.tar.gz
 Source1: ypserv.service
 Source2: yppasswdd.service
 Source3: ypxfrd.service
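Review bot: with Version bumped to 4.2 in this hunk, Release: 1%{?dist} is kept and no %changelog entry appears in the patch; add a changelog entry recording the version change. The `#/ypserv-%{version}.tar.gz` fragment on Source0 only names the file rpmbuild looks for in SOURCES; because that tarball is produced locally from the git checkout (tar --exclude-vcs above) rather than downloaded from the upstream URL, its checksum will not match the GitHub release archive, so record how it was produced, or use the upstream archive, to keep the build reproducible.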
Build the package
$ dnf --enablerepo=devel install tokyocabinet-devel libnsl2-devel libtirpc-devel systemd-devel
$ dnf install docbook-style-xsl autoconf automake gcc gcc-c++
$ rpmbuild -bb rpmbuild/SPECS/ypserv.spec
$ ls -l rpmbuild/RPMS/x86_64/ypserv-*
-rw-r--r--. 1 root root 154695 Aug 22 20:33 rpmbuild/RPMS/x86_64/ypserv-4.2-1.el9.x86_64.rpm
-rw-r--r--. 1 root root 200012 Aug 22 20:33 rpmbuild/RPMS/x86_64/ypserv-debuginfo-4.2-1.el9.x86_64.rpm
-rw-r--r--. 1 root root  64847 Aug 22 20:33 rpmbuild/RPMS/x86_64/ypserv-debugsource-4.2-1.el9.x86_64.rpm

ypbind

$ git clone https://github.com/thkukuk/ypbind-mt
$ cd ypbind-mt
$ git checkout v2.7.2
$ cd ..
$ tar --exclude-vcs --transform 's/ypbind-mt/ypbind-mt-2.7.2/' -cvzf ypbind-mt-2.7.2.tar.gz ypbind-mt
Use the Rocky 8 ypbind SRPM as the template and modify it
$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/ypbind-2.5-2.el8.src.rpm
$ rpm -Uvh ypbind-2.5-2.el8.src.rpm
$ vim rpmbuild/SPECS/ypbind.spec
Edit the SPEC file
--- rpmbuild/SPECS/ypbind.spec.orig     2021-04-12 18:07:59.000000000 +0900
+++ rpmbuild/SPECS/ypbind.spec  2022-12-24 16:28:51.346494889 +0900
@@ -1,7 +1,7 @@
 Summary: The NIS daemon which binds NIS clients to an NIS domain
 Name: ypbind
 Epoch: 3
-Version: 2.5
+Version: 2.7.2
 Release: 2%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
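Review bot: Version changes from 2.5 to 2.7.2 while Release stays at 2%{?dist}; packaging convention is to reset Release to 1 on a new upstream version and add a %changelog entry. Keeping Epoch: 3 is correct, since dropping the Epoch would make the rebuilt package compare lower than the Rocky 8 one.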
@@ -58,7 +58,7 @@
 %patch1 -p1 -b .gettextdomain
 %patch2 -p1 -b .helpman
 #%patch3 -p1 -b .systemdso
-%patch4 -b .gettext_version
+#%patch4 -b .gettext_version

 autoreconf -fiv
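Review bot: commenting out `%patch4 -b .gettext_version` leaves any Patch4: tag declared but unapplied; remove the tag as well, or note in the spec why the patch is no longer needed against 2.7.2. Also confirm that %patch1 and %patch2, still applied here, apply cleanly to the 2.7.2 tree, since they were carried over from the 2.5 package.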
Build the package
$ dnf --enablerepo=devel install dbus-glib-devel libnsl2-devel libtirpc-devel systemd-devel gettext-devel
$ ll -h rpmbuild/SOURCES/
$ cp ypbind-mt-2.7.2.tar.gz rpmbuild/SOURCES/
$ rpmbuild -bb rpmbuild/SPECS/ypbind.spec

$ ls -l rpmbuild/RPMS/x86_64/
total 560
-rw-r--r-- 1 root root  53534 Jul  4 18:13 ypbind-2.7.2-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  61058 Jul  4 18:13 ypbind-debuginfo-2.7.2-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  27250 Jul  4 18:13 ypbind-debugsource-2.7.2-2.el9.x86_64.rpm

nss_nis

git clone https://github.com/thkukuk/libnss_nis
cd libnss_nis
git checkout v3.2
cd ..
tar --exclude-vcs --transform 's/libnss_nis/libnss_nis-3.2/' -cvzf libnss_nis-3.2.tar.gz libnss_nis
Use the Rocky 8 nss_nis SRPM as the template and modify it
curl -O http://dl.rockylinux.org/pub/rocky/8/BaseOS/source/tree/Packages/n/nss_nis-3.0-8.el8.src.rpm
rpm -Uvh nss_nis-3.0-8.el8.src.rpm
vim rpmbuild/SPECS/nss_nis.spec
Edit the SPEC file
@@ -1,11 +1,11 @@
 Name:           nss_nis
-Version:        3.0
+Version:        3.2
 Release:        8%{?dist}
 Summary:        Name Service Switch (NSS) module using NIS
 License:        LGPLv2+
 Group:          System Environment/Base
 Url:            https://github.com/thkukuk/libnss_nis
-Source:         https://github.com/thkukuk/libnss_nis/archive/v%{version}.tar.gz
+Source:         https://github.com/thkukuk/libnss_nis/archive/v%{version}.tar.gz#/libnss_nis-%{version}.tar.gz

 # https://github.com/systemd/systemd/issues/7074
 Source2:        nss_nis.conf
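Review bot: the Version bump from 3.0 to 3.2 keeps Release: 8%{?dist}; reset Release to 1 and add a %changelog entry. As with ypserv, the `#/libnss_nis-%{version}.tar.gz` fragment on Source points at a tarball built locally from git (tar --exclude-vcs above), so the upstream URL is documentary only; say so in the spec so the package's provenance is clear.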
Build the package
$ cp libnss_nis-3.2.tar.gz rpmbuild/SOURCES/
$ dnf install libtool   # the build fails in autoreconf without libtool
$ rpmbuild -bb rpmbuild/SPECS/nss_nis.spec

$ ls -l rpmbuild/RPMS/x86_64/
total 708
-rw-r--r-- 1 root root  41641 Jul  4 18:24 nss_nis-3.2-8.el9.x86_64.rpm
-rw-r--r-- 1 root root  77064 Jul  4 18:24 nss_nis-debuginfo-3.2-8.el9.x86_64.rpm
-rw-r--r-- 1 root root  28049 Jul  4 18:24 nss_nis-debugsource-3.2-8.el9.x86_64.rpm

yp-tools

Use the same version as Rocky 8

$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/yp-tools-4.2.3-2.el8.src.rpm
$ rpmbuild --rebuild yp-tools-4.2.3-2.el8.src.rpm

$ ls -l rpmbuild/RPMS/x86_64/
total 912
-rw-r--r-- 1 root root  84059 Jul  4 18:30 yp-tools-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  91355 Jul  4 18:30 yp-tools-debuginfo-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  26818 Jul  4 18:30 yp-tools-debugsource-4.2.3-2.el9.x86_64.rpm

authselect

$ curl -O  https://dl.rockylinux.org/pub/rocky/9/BaseOS/source/tree/Packages/a/authselect-1.2.6-2.el9.src.rpm
$ rpm -Uvh authselect-1.2.6-2.el9.src.rpm
$ vim rpmbuild/SPECS/authselect.spec
Edit the SPEC file
--- rpmbuild/SPECS/authselect.spec.orig 2023-08-23 21:19:48.711224985 +0900
+++ rpmbuild/SPECS/authselect.spec      2023-08-23 21:21:18.656134493 +0900
@@ -16,7 +16,7 @@
 Patch0901:  0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
 Patch0902:  0902-rhel9-remove-ecryptfs-support.patch
 Patch0903:  0903-rhel9-Revert-profiles-add-support-for-resolved.patch
-Patch0904:  0904-rhel9-remove-nis-support.patch
+#Patch0904:  0904-rhel9-remove-nis-support.patch
 Patch0905:  0905-rhel9-Revert-yescrypt.patch

 %global makedir %{_builddir}/%{name}-%{version}
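Review bot: commenting out Patch0904 (remove-nis-support) restores the NIS profile, but Patch0905 (Revert-yescrypt) follows it in the numbered series; verify that 0905 still applies cleanly with 0904 skipped, since rpmbuild will otherwise fail in %prep. Add a %changelog entry stating that the NIS profile is re-enabled so the difference from the stock authselect-1.2.6-2 package is recorded.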
@@ -153,6 +153,7 @@
 %dir %{_datadir}/authselect/vendor
 %dir %{_datadir}/authselect/default
 %dir %{_datadir}/authselect/default/minimal/
+%dir %{_datadir}/authselect/default/nis/
 %dir %{_datadir}/authselect/default/sssd/
 %dir %{_datadir}/authselect/default/winbind/
 %{_datadir}/authselect/default/minimal/dconf-db
@@ -165,6 +166,16 @@
 %{_datadir}/authselect/default/minimal/REQUIREMENTS
 %{_datadir}/authselect/default/minimal/smartcard-auth
 %{_datadir}/authselect/default/minimal/system-auth
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/smartcard-auth
+%{_datadir}/authselect/default/nis/system-auth
 %{_datadir}/authselect/default/sssd/dconf-db
 %{_datadir}/authselect/default/sssd/dconf-locks
 %{_datadir}/authselect/default/sssd/fingerprint-auth
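Review bot: the added %files entries for the nis profile mirror the minimal profile's entries directly above; if rpmbuild fails with "Installed (but unpackaged) file(s) found" for a path under %{_datadir}/authselect/default/nis/, the missing entry belongs in this list rather than in the build.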
Build the package
$ dnf --enablerepo=devel install libcmocka-devel popt-devel po4a python3-devel asciidoc
$ rpmbuild -bb rpmbuild/SPECS/authselect.spec

$  ls -l rpmbuild/RPMS/x86_64/
total 1528
-rw-r--r-- 1 root root 143129 Jul  4 18:48 authselect-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  33191 Jul  4 18:48 authselect-compat-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  38783 Jul  4 18:48 authselect-debuginfo-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  51183 Jul  4 18:48 authselect-debugsource-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  12092 Jul  4 18:48 authselect-devel-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 243801 Jul  4 18:48 authselect-libs-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root  97192 Jul  4 18:48 authselect-libs-debuginfo-1.2.6-2.el9.x86_64.rpm

Installation and configuration

Dependencies

$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libnsl2-devel-2.0.0-1.el9.0.1.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libnsl2-2.0.0-1.el9.0.1.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libtirpc-1.3.3-8.el9_4.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libtirpc-devel-1.3.3-8.el9_4.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/t/tokyocabinet-1.4.48-19.el9.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/t/tokyocabinet-devel-1.4.48-19.el9.x86_64.rpm

server

Package installation

$ dnf --enablerepo=devel install rpcbind libnsl2-devel tokyocabinet-devel make
$ rpm -ivh nss_nis-3.2-8.el9.x86_64.rpm ypbind-2.7.2-2.el9.x86_64.rpm ypserv-4.2-1.el9.x86_64.rpm yp-tools-4.2.3-2.el9.x86_64.rpm
$ rpm --force -U authselect-1.2.6-2.el9.x86_64.rpm authselect-libs-1.2.6-2.el9.x86_64.rpm
Configuration
$ ypdomainname hpc.local
$ echo "NISDOMAIN=hpc.local" >> /etc/sysconfig/network

# Networks NIS will answer (netmask network); keep this as tight as possible, since every listed host can read the maps
$ vim /var/yp/securenets
255.0.0.0       127.0.0.0
255.255.255.0   192.168.10.0

# hosts file; login01 is the NIS server, node01 the client
$ vim /etc/hosts
192.168.10.100 login01
192.168.10.101 login02

192.168.10.12 node01

# Enable the services
$ systemctl enable --now rpcbind ypserv yppasswdd nis-domainname

# Build the NIS maps
$ /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  login is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
    next host to add:  login01
    next host to add:  # Ctrl + D key
The current list of NIS servers looks like this:

login01

Is this correct?  [y/n: y]  y
.
.
.

# Restart the services
$ systemctl restart rpcbind ypserv yppasswdd

# Test the service
$ rpcinfo -p localhost
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  60534  status
    100024    1   tcp  49581  status
    100004    2   udp    978  ypserv
    100004    1   udp    978  ypserv
    100004    2   tcp    978  ypserv
    100004    1   tcp    978  ypserv
    100009    1   udp    986  yppasswdd
    100009    1   tcp    986  yppasswdd
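Added example (not from the original page): a Python check for /var/yp/securenets. Because any host matched by securenets can pull the whole passwd map, hashes included (see the yptest output in the client section), the check parses the file's "netmask network" and "host address" lines and flags entries that reach beyond the site's own networks; the sample file and the SITE_NETWORKS list are assumptions.

```python
import ipaddress
from typing import List

# Constructed sample of /var/yp/securenets: the two entries from the server
# configuration above, a host entry, and a deliberately over-broad last line.
SAMPLE_SECURENETS = """\
# netmask         network
255.0.0.0         127.0.0.0
255.255.255.0     192.168.10.0
host              192.168.10.250
0.0.0.0           0.0.0.0
"""

# Address space this site owns (assumption); anything allowed beyond it is a finding.
SITE_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("192.168.10.0/24")]


def parse_securenets(text: str) -> List[ipaddress.IPv4Network]:
    """Parse ypserv securenets lines: '<netmask> <network>' or 'host <address>'."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected two fields: {raw!r}")
        first, second = fields
        if first == "host":
            nets.append(ipaddress.ip_network(f"{second}/32"))
        else:
            # strict=True rejects a network address with host bits set (a common typo)
            nets.append(ipaddress.ip_network(f"{second}/{first}", strict=True))
    return nets


def entries_outside_site(nets, site=SITE_NETWORKS):
    """securenets entries not contained in any site network, e.g. 0.0.0.0/0."""
    return [n for n in nets if not any(n.subnet_of(s) for s in site)]


def is_allowed(nets, addr: str) -> bool:
    """Would ypserv answer a request from this address under these entries?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    nets = parse_securenets(SAMPLE_SECURENETS)
    for n in entries_outside_site(nets):
        print(f"over-broad securenets entry: {n}")
```

Replace SAMPLE_SECURENETS with open("/var/yp/securenets").read() and SITE_NETWORKS with your own prefixes; ypserv must be restarted after the file changes.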

client

Installation

$ dnf install libnsl2-devel
$ rpm -ivh ypbind-2.7.2-2.el9.x86_64.rpm yp-tools-4.2.3-2.el9.x86_64.rpm nss_nis-3.2-8.el9.x86_64.rpm 
$ rpm --force -U authselect-1.2.6-2.el9.x86_64.rpm authselect-libs-1.2.6-2.el9.x86_64.rpm
Configuration
# Set the NIS domain
$ ypdomainname hpc.local
$ echo "NISDOMAIN=hpc.local" >> /etc/sysconfig/network

# NIS server information
$ vim /etc/yp.conf
domain hpc.local server login01

# hosts file; login01 is the NIS server, node01 the client
$ vim /etc/hosts
192.168.10.100 login01
192.168.10.101 login02
192.168.10.12 node01

# Enable the NIS authselect profile on the client
authselect select nis --force

# Start the services
$ systemctl enable --now rpcbind ypbind nis-domainname

# Test
$ yptest 
Test 1: domainname
Configured domainname is "hpc.local"

Test 2: ypbind
...

Test 9: yp_all
username:$6$VlWsBuhCAYme.l6L$8izoH8PxzNR.c8I04Em47mG4djV6wR29OhXAyK/83RwQHLHpzj3SJiKhQ2bNjzAK5E3veD/wVbEOzkqKqQaH81:1000:1000:user:/home/username:/bin/bash
1 tests failed

slave

Package installation

$ dnf --enablerepo=devel install rpcbind libnsl2-devel  tokyocabinet-devel make
$ rpm -ivh nss_nis-3.2-8.el9.x86_64.rpm ypbind-2.7.2-2.el9.x86_64.rpm ypserv-4.2-1.el9.x86_64.rpm yp-tools-4.2.3-2.el9.x86_64.rpm
$ rpm --force -U authselect-1.2.6-2.el9.x86_64.rpm authselect-libs-1.2.6-2.el9.x86_64.rpm

As in the previous section, configure the slave node as a NIS client.

# Start the services
$ systemctl enable --now rpcbind ypserv ypxfrd yppasswdd nis-domainname

# Pull the primary node's maps to the slave node
$ /usr/lib64/yp/ypinit -s login01
As in the previous section, also configure the primary node as a NIS client.
# Enable map pushing on the primary node
$ vim /var/yp/Makefile
# line 23: change to
NOPUSH=false

$ /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  dlp.srv.world is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  login01
        next host to add:  login02   # specify NIS Secondary
        next host to add:  # Ctrl + D key
The current list of NIS servers looks like this:

dlp.srv.world
yp01.srv.world

Is this correct?  [y/n: y]  y

...

login01 has been set up as a NIS master server.

Now you can run ypinit -s login01 on all slave server.

Add the second NIS server on the client.

$ vim /etc/yp.conf
# add NIS Secondary Host to the end
# [domain (NIS domain) server (NIS server)]
domain hpc.local server login01
domain hpc.local server login02
$ systemctl restart rpcbind ypbind

# Check which NIS server is currently in use
$ ypwhich
login01
If ypwhich keeps returning login02, i.e. the slave node, set up a cron job on the slave node that periodically pulls the user maps from the primary node; otherwise a password changed with yppasswd can leave the user unable to log in.
# cron job on the slave node to sync the user maps
$ crontab -e
*/1 * * * * /usr/lib64/yp/ypxfr -h login passwd.byname
*/1 * * * * /usr/lib64/yp/ypxfr -h login passwd.byuid

Strong passwords

NIS passwords are changed with the yppasswd command. By default yppasswd applies only very simple rules to the new password; in testing, a password such as 123456 was accepted.

Looking at the yppasswd source shows that it can use cracklib to check password strength, but the default build options do not enable it.

So it is enough to add the --enable-cracklib configure option, change line 56 of src/yppasswd.c to #define CRACKLIB_DICTPATH "/usr/lib64/cracklib_dict", then build and install. The plain build commands are not given here; instead an RPM package is produced directly.

Building the RPM

$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/yp-tools-4.2.3-2.el8.src.rpm
$ rpm -Uvh  yp-tools-4.2.3-2.el8.src.rpm

git clone https://github.com/thkukuk/yp-tools
cd yp-tools/
git checkout v4.2.3
cd ..
tar --exclude-vcs --transform 's/yp-tools/yp-tools-4.2.3/' -cvzf yp-tools-4.2.3.tar.gz yp-tools
cp yp-tools-4.2.3.tar.gz rpmbuild/SOURCES/

Add a patch file that fixes the cracklib_dict path: vim rpmbuild/SOURCES/yp-tools-4.2.3-yppasswd-fix_cracklib_dict_path.patch

--- yp-tools-4.2.3/src/yppasswd.c.orig  2024-07-10 01:38:34.074888652 +0800
+++ yp-tools-4.2.3/src/yppasswd.c   2024-07-10 01:38:50.702889363 +0800
@@ -53,7 +53,7 @@
 #ifdef USE_CRACKLIB
 #include <crack.h>
 #ifndef CRACKLIB_DICTPATH
-#define CRACKLIB_DICTPATH "/usr/lib/cracklib_dict"
+#define CRACKLIB_DICTPATH "/usr/lib64/cracklib_dict"
 #endif
 #endif
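Review bot: hard-coding /usr/lib64/cracklib_dict in the source ties the build to 64-bit library layouts. Because the define is wrapped in `#ifndef CRACKLIB_DICTPATH`, the same result is obtained without a source patch by passing the path from the spec, e.g. export CFLAGS="$CFLAGS -DCRACKLIB_DICTPATH='\"%{_libdir}/cracklib_dict\"'" before %configure, which picks the correct libdir on every architecture.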
Edit the SPEC file to add the patch above and the --enable-cracklib configure option: vim rpmbuild/SPECS/yp-tools.spec. For stricter password checking, replace --enable-cracklib with --enable-cracklib-strict
--- rpmbuild/SPECS/yp-tools.spec.orig   2022-10-21 05:04:54.000000000 +0800
+++ rpmbuild/SPECS/yp-tools.spec    2024-07-10 01:43:42.410901845 +0800
@@ -10,6 +10,7 @@
 Patch3: yp-tools-2.12-adjunct.patch
 Patch4: yp-tools-4.2.2-strict-prototypes.patch
 Patch5: yp-tools-4.2.3-yppasswd-exclamation_mark.patch
+Patch6: yp-tools-4.2.3-yppasswd-fix_cracklib_dict_path.patch
 Url: http://www.linux-nis.org/nis/yp-tools/index.html
 BuildRequires: autoconf, automake, gettext-devel, libtool, libtirpc-devel, libnsl2-devel
 Requires: ypbind >= 3:2.4-2
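Review bot: Patch6 is declared here but nothing in the shown hunks applies it; if %prep uses explicit %patch lines rather than %autosetup, a matching %patch line for Patch6 is needed, or the build ships the unpatched /usr/lib/cracklib_dict path without any error. The BuildRequires line in the same hunk should also gain `cracklib-devel` (crack.h is needed once --enable-cracklib is set; the page installs it by hand later), and a `Requires: cracklib-dicts` would record the runtime dictionary dependency instead of relying on the reader to install it.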
@@ -56,7 +57,7 @@
 export CFLAGS="$CFLAGS %{optflags} -Wno-cast-function-type"

 # If needed the yppasswd can be deprecated by --enable-call-passwd
-%configure --disable-domainname
+%configure --disable-domainname --enable-cracklib

 %make_build
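Review bot: if this spec is built twice, once with --enable-cracklib and once with --enable-cracklib-strict as the page later ships (yp-tools-cracklib1 and yp-tools-cracklib2), change Name or bump Release per variant; otherwise both builds produce an identical yp-tools-4.2.3-2.el9 NEVR and rpm cannot distinguish them or upgrade between them.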
Packaging
# install the related packages
$ dnf install cracklib cracklib-dicts 
$ wget https://dl.rockylinux.org/pub/rocky/9/CRB/x86_64/os/Packages/c/cracklib-devel-2.9.6-27.el9.x86_64.rpm
$ rpm -ivh cracklib-devel-2.9.6-27.el9.x86_64.rpm

$ rpmbuild -bb rpmbuild/SPECS/yp-tools.spec
$ ls -l rpmbuild/RPMS/x86_64/yp-tools-*
-rw-r--r-- 1 root root 83496 Jul 10 02:14 rpmbuild/RPMS/x86_64/yp-tools-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 90328 Jul 10 02:14 rpmbuild/RPMS/x86_64/yp-tools-debuginfo-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 26747 Jul 10 02:14 rpmbuild/RPMS/x86_64/yp-tools-debugsource-4.2.3-2.el9.x86_64.rpm

Install and test

# cracklib-devel and cracklib-dicts may need to be installed
$ rpm -Uvh yp-tools-4.2.3-2.el9.x86_64.rpm
# simple passwords such as 123456, 11223344 and abcdef no longer pass validation
$ yppasswd 
Changing NIS account information for tuser on login01.
Please enter old password:
Changing NIS password for tuser on login01.
Please enter new password:
Not a valid password: it is too simplistic/systematic.
Please enter new password:
Not a valid password: it does not contain enough DIFFERENT characters.
Please enter new password:
Not a valid password: it is based on a dictionary word.
Too many tries. Aborted.
Password unchanged.

Download and use the pre-built RPM packages directly

yp-tools-cracklib1-4.2.3-2.el9.x86_64.rpm: built with the --enable-cracklib configure option

yp-tools-cracklib2-4.2.3-2.el9.x86_64.rpm: built with the --enable-cracklib-strict configure option

Troubleshooting

  • yppasswd fails with: Cannot find suitable transport for protocol 'udp'

    The client's /etc/hosts has no entry for the server node.

References

https://web.chaperone.jp/w/index.php?NIS/rockylinux9

https://forums.almalinux.org/t/ypbind-and-nis-client-on-almalinux-release-9-2-turquoise-kodkod/2997/6

http://cortex.vis.caltech.edu/~sysadmin/

LDAP

http://hpc.ncpgr.cn/paste/35da754cd195

Package downloads for offline environments

wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/o/openldap-servers-2.6.6-3.el9.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/Packages/o/openldap-clients-2.6.6-3.el9.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/s/sssd-client-2.9.4-6.el9_4.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/s/sssd-ldap-2.9.4-6.el9_4.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/o/oddjob-0.34.7-7.el9.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/o/oddjob-mkhomedir-0.34.7-7.el9.x86_64.rpm

Server configuration

# install
$ dnf install dnf-utils epel-release mod_ssl
$ dnf install openldap openldap-servers openldap-clients

$ dnf --enablerepo=epel -y install openldap-servers openldap-clients
$ systemctl enable --now slapd

# generate the hash of the root password with slappasswd
$ slappasswd -h {SSHA} -s admin@123456
{SSHA}EQFnGqcN0G26nZ+WkRxIwFNIFfAAvAGy

# set the password for [olcRootPW] using the hash generated above
$ vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}EQFnGqcN0G26nZ+WkRxIwFNIFfAAvAGy

$ ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"


# import the basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif



# slapadd -n 0 -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
Configure the domain
# replace to your own domain name for [dc=***,dc=***] section
# specify the password generated above for [olcRootPW] section
$ vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=hpc,dc=local" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=hpc,dc=local

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=hpc,dc=local

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}D02ve4WwcYNzxbr5pICoBtY0rHFB6Qnx

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=hpc,dc=local" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=hpc,dc=local" write by * read

# run
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

modifying entry "olcDatabase={2}mdb,cn=config"

# configuration file; the suffix must match the olcSuffix set above (dc=hpc,dc=local)
vim basedomain.ldif
dn: dc=hpc,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
# organization name, any descriptive string
o: HPC
dc: hpc

dn: cn=Manager,dc=hpc,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=hpc,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=hpc,dc=local
objectClass: organizationalUnit
ou: Group

# run
$ ldapadd -x -D cn=Manager,dc=hpc,dc=local -W -f basedomain.ldif
Enter LDAP Password: 
adding new entry "dc=hpc,dc=local"

adding new entry "cn=Manager,dc=hpc,dc=local"

adding new entry "ou=People,dc=hpc,dc=local"

adding new entry "ou=Group,dc=hpc,dc=local"
SSL/TLS configuration
$ mkdir /etc/openldap/certs
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout /etc/openldap/certs/ldapserver.key \
    -out /etc/openldap/certs/ldapserver.crt \
    -subj "/C=CN/ST=Hubei/L=Wuhan/O=HZAU/OU=HPC/CN=login.hpc.local"
$ chown ldap:ldap /etc/openldap/certs/{ldapserver.crt,ldapserver.key}

$ cat mod_ssl.ldif
# create new
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key

# run
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
Allow through the firewall
$ firewall-cmd --add-service={ldap,ldaps}
$ firewall-cmd --runtime-to-permanent

Adding LDAP users

Generate the password hash

$ slappasswd -s abc@123
{SSHA}ae8jMPcsfEsK+BLAimhEoLcx1mKFyXWt
Configuration file add_user.ldif: add user tuser with uid 1001 and group tuser with gid 1001.
# create new
# replace the section [dc=***,dc=***] to your own suffix
dn: uid=tuser,ou=People,dc=hpc,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Rocky
sn: Linux
userPassword: {SSHA}ae8jMPcsfEsK+BLAimhEoLcx1mKFyXWt
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/tuser

dn: cn=tuser,ou=Group,dc=hpc,dc=local
objectClass: posixGroup
cn: tuser
gidNumber: 1001
memberUid: tuser
Run
$ ldapadd -x -D cn=Manager,dc=hpc,dc=local -W -f add_user.ldif 
Enter LDAP Password: 
adding new entry "uid=tuser,ou=People,dc=hpc,dc=local"

adding new entry "cn=tuser,ou=Group,dc=hpc,dc=local"
Deleting users/groups
$ ldapdelete -x -W -D 'cn=Manager,dc=hpc,dc=local' "uid=tuser,ou=People,dc=hpc,dc=local"
$ ldapdelete -x -W -D 'cn=Manager,dc=hpc,dc=local' "cn=tuser,ou=Group,dc=hpc,dc=local"

Client configuration

# online
$ dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
# offline
$ rpm -ivh openldap-clients-2.6.6-3.el9.x86_64.rpm sssd-client-2.9.4-6.el9_4.x86_64.rpm sssd-ldap-2.9.4-6.el9_4.x86_64.rpm oddjob-mkhomedir-0.34.7-7.el9.x86_64.rpm  oddjob-0.34.7-7.el9.x86_64.rpm 

# switch the authentication system to sssd
# for [with-mkhomedir], specify it if you need (create home directory when initial login)
$ authselect select sssd with-mkhomedir --force
Backup stored at /var/lib/authselect/backups/2024-07-03-10-28-32.bHV85D
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

# sssd configuration file
$ vim /etc/sssd/sssd.conf 
# create new
# replace [ldap_uri], [ldap_search_base] to your own environment value
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldap_uri = ldap://dlp.hpc.local/
# ldap server
ldap_uri = ldap://192.168.10.11
ldap_search_base = dc=hpc,dc=local
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_tls_reqcert = allow

[sssd]
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home

$ chmod 600 /etc/sssd/sssd.conf
$ systemctl restart sssd oddjobd
$ systemctl enable sssd oddjobd
If authentication fails on the client, check the log /var/log/sssd/sssd_default.log.
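The sssd.conf above sets ldap_tls_reqcert = allow, which makes sssd accept a missing or invalid server certificate, so the self-signed certificate created on the server is never actually checked. The following is an added audit script, not part of the original page, that parses an sssd.conf (the page's LDAP settings embedded as a constructed sample) and reports the settings a hardened client should change.

```python
import configparser

# Constructed sample input: the LDAP client settings from this page's sssd.conf.
SAMPLE_SSSD_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.10.11
ldap_search_base = dc=hpc,dc=local
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_tls_reqcert = allow
"""

def audit_sssd_conf(text):
    """Return (severity, message) findings for every LDAP-backed [domain/*] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if "ldap" not in (d.get("id_provider"), d.get("auth_provider")):
            continue
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        for uri in (u.strip() for u in d.get("ldap_uri", "").split(",")):
            if uri.startswith("ldap://") and not start_tls:
                findings.append(("high", f"{section}: {uri} identity lookups are unencrypted; "
                                 "set ldap_id_use_start_tls = True or use ldaps://"))
        # sssd defaults to 'hard'; 'allow' and 'never' accept a missing or invalid server cert
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()
        if reqcert in ("never", "allow"):
            findings.append(("high", f"{section}: ldap_tls_reqcert = {reqcert} does not verify "
                             "the server certificate; set it to demand"))
        if "ldap_tls_cacert" not in d and "ldap_tls_cacertdir" not in d:
            findings.append(("high", f"{section}: no ldap_tls_cacert/ldap_tls_cacertdir, so no "
                             "CA is available to validate the server certificate"))
        elif "ldap_tls_cacert" not in d:
            findings.append(("low", f"{section}: ldap_tls_cacertdir only works with hash-named "
                             "files (openssl rehash); ldap_tls_cacert = <crt file> is simpler"))
    return findings
```

For the page's configuration the fix is ldap_tls_reqcert = demand plus ldap_tls_cacert pointing at a copy of /etc/openldap/certs/ldapserver.crt from the server.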

Troubleshooting

Reinstall

rpm -e openldap-clients-2.6.6-3.el9 openldap-servers-2.6.6-2.el9
rm -rf  /etc/openldap/
rm -rf  /var/lib/ldap