rocky9
Finding RPM packages
https://rpmfind.net/linux/epel/
System configuration
Download: https://rockylinux.org/zh_CN/download/
Enable the graphical management interface (Cockpit): systemctl enable --now cockpit.socket
It listens on port 9090.
Missing system packages
dnf install sysstat screen
Switching to the Nanjing University (NJU) mirror
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
-e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.nju.edu.cn/rocky|g' \
-i.bak \
/etc/yum.repos.d/[Rr]ocky*.repo
dnf makecache
Configuring Chinese language support
# Check whether a Chinese locale exists; here none is installed
$ localectl list-locales | grep zh
# List the available language packs
$ dnf list | grep glibc-langpack
# Install the Chinese language pack
$ dnf install glibc-langpack-zh
# Set the current locale
$ localectl set-locale LANG="zh_CN.utf8"
Network configuration
Traditional method (ifcfg file, /etc/sysconfig/network-scripts/ifcfg-ens224)
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=ens224
#UUID=74c5ccee-c1f4-4f45-883f-fc4f765a8477
DEVICE=ens224
ONBOOT=yes
IPADDR=192.168.20.170
PREFIX=24
GATEWAY=192.168.20.209
DNS1=211.69.143.174
DNS2=114.114.114.114
IPV6_DISABLED=yes
# Load the file into NetworkManager
nmcli c load /etc/sysconfig/network-scripts/ifcfg-ens224
# Restart networking (run the lines below)
systemctl restart NetworkManager.service
nmcli networking off && nmcli networking on
systemctl reload NetworkManager
New method (keyfile)
The new-style configuration file is a NetworkManager keyfile under /etc/NetworkManager/system-connections/; to configure multiple IP addresses, edit this file.
[connection]
id=ens18
uuid=7f49fd62-02d9-323e-8f35-0c8249647a74
type=ethernet
autoconnect-priority=-999
interface-name=ens18
timestamp=1669365850
[ethernet]
[ipv4]
address1=192.168.11.144/24,192.168.11.254
# address2=192.168.11.145/24,192.168.11.254
dns=114.114.114.114;223.6.6.6;
dns-search=rockylinux.cn;rockylinux.org;
method=auto
[ipv6]
addr-gen-mode=eui64
method=disabled
[proxy]
[connection] section

key name | description |
---|---|
id | The alias of con-name, whose value is a string. |
uuid | Universally unique identifier, whose value is a string. |
type | The type of connection, whose values can be ethernet, bluetooth, vpn, vlan, and so on. You can use man nmcli to view all supported types. |
interface-name | The name of the network interface this connection is bound to, whose value is a string. |
timestamp | Unix timestamp, in seconds: the number of seconds since January 1, 1970. |
autoconnect | Whether it starts automatically when the system starts. The value is of Boolean type. |

[ethernet] section

key name | description |
---|---|
mac-address | MAC physical address. |
mtu | Maximum Transmission Unit. |
auto-negotiate | Whether to negotiate automatically. The value is of Boolean type. |
duplex | The values can be half (half-duplex) or full (full-duplex). |
speed | The transmission rate of the network card; 100 means 100 Mbit/s. If auto-negotiate=false, the speed key and duplex key must be set; if auto-negotiate=true, the negotiated speed is used and the value written here does not take effect (this only applies to the BASE-T 802.3 specification); when nonzero, the duplex key must have a value. |

[ipv4] section

key name | description |
---|---|
addresses | IP addresses assigned |
gateway | Gateway (next hop) for the interface |
dns | Domain Name Servers in use |
method | The method by which the IP is obtained. The value is of string type and can be: auto, disabled, link-local, manual, shared |
If there are multiple NICs, it is recommended to disable the unused ones by setting autoconnect=false in their [connection] section, to avoid routing conflicts.
# Reload the configuration files
nmcli connection reload
# Restart networking to apply
systemctl restart NetworkManager
nmcli usage
# Reload connection profiles
nmcli c reload
# Bring a connection up
nmcli c up ens160
# Bring a connection down
nmcli c down ens160
# Show device status
nmcli device status
# Show details of all devices
nmcli device show
# Show details of device ens160
nmcli device show ens160
# Create a connection that obtains its IP dynamically; con-name is the connection name, ifname is the network interface
nmcli c add type ethernet con-name ens160 ifname ens66
# Start the connection automatically
nmcli c modify ens160 connection.autoconnect yes
# Delete the connection ens160
nmcli c delete ens160
# Add/remove an IP address and set the gateway
nmcli c modify ens160 +ipv4.address 192.168.0.3/24 # add an IP
nmcli c modify ens160 -ipv4.address 192.168.0.3/24 # remove an IP
nmcli c modify ens160 ipv4.gateway 192.168.0.1 # set the gateway
# Set DNS
nmcli c modify ens160 ipv4.dns 8.8.8.8 # add a DNS server
nmcli c modify ens160 -ipv4.dns 8.8.8.8 # remove a DNS server
# Set how the IP is obtained
nmcli connection modify ens160 ipv4.method manual # static configuration
nmcli connection modify ens160 ipv4.method auto # DHCP
# Reload the connection files; recommended after every edit
nmcli connection reload
# Apply the settings immediately, no reboot needed. The first form is recommended; use whichever is simplest.
nmcli c up ens160
nmcli device connect ens160
nmcli device reapply ens160
ip command
ip link show # show network interfaces
ip link set eth0 up # bring the interface up
ip link set eth0 down # bring the interface down
ip link set eth0 promisc on # enable promiscuous mode
ip link set eth0 promisc off # disable promiscuous mode
ip link set eth0 txqueuelen 1200 # set the transmit queue length
ip link set eth0 mtu 1400 # set the maximum transmission unit
ip addr show # show interface IP addresses
ip addr add 192.168.0.1/24 dev eth0 # assign 192.168.0.1 to eth0
ip addr del 192.168.0.1/24 dev eth0 # remove the address from eth0
ip route show # show the routing table
ip route add default via 192.168.1.254 # set the default route
ip route list # list routes
ip route add 192.168.4.0/24 via 192.168.0.254 dev eth0 # route the 192.168.4.0/24 network via 192.168.0.254 over eth0
ip route add default via 192.168.0.254 dev eth0 # set the default gateway to 192.168.0.254
ip route del 192.168.4.0/24 # delete the route for 192.168.4.0/24
ip route del default # delete the default route
ip route delete 192.168.1.0/24 dev eth0 # delete a route
Time settings
timedatectl: show the current time and clock status
timedatectl list-timezones: list all time zones
timedatectl set-local-rtc 1: keep the hardware clock in local time; 0 sets it to UTC
timedatectl set-timezone Asia/Shanghai: set the system time zone to Shanghai
timedatectl set-ntp true: enable Internet time synchronization
Edit /etc/chrony.conf
server ntp.aliyun.com iburst
#server cn.ntp.org.cn iburst
Restart chronyd
systemctl restart chronyd
chronyc sources -v
systemctl enable chronyd.service
firewalld
# Show the configuration
firewall-cmd --list-all
firewall-cmd --list-services # open by default: ssh dhcpv6-client
firewall-cmd --zone=public --list-services # query a specific zone
firewall-cmd --list-ports
firewall-cmd --zone=public --list-ports # query a specific zone
# Show the saved configuration file
cat /etc/firewalld/zones/public.xml
# Open a TCP port (to close it, replace add with remove)
firewall-cmd --zone=public --add-port=80/tcp --permanent # --permanent makes the change persistent
firewall-cmd --add-port=80/tcp --permanent # equivalent to the above; the default zone is public
firewall-cmd --reload # reload so the configuration takes effect
# About zones
firewall-cmd --get-zones # list all zones; CentOS 7 has 9 zones
block dmz drop external home internal public trusted work
firewall-cmd --get-zones # CentOS 8 has 10 zones
block dmz drop external home internal libvirt public trusted work
firewall-cmd --get-default-zone # show the default zone
public
# Add a service
firewall-cmd --add-service=snmp --permanent
firewall-cmd --reload
firewall-cmd --get-services # list the available services
# Restrict access by source address
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="3306" accept' --permanent
firewall-cmd --reload
# Add common services
firewall-cmd --add-service=snmp --permanent
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload
# Block ping
firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" drop' # drop all icmp
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" protocol value="icmp" accept' # allow icmp from 192.168.1.0/24
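Added example, not from the original notes: a Python audit of a firewalld zone file (the /etc/firewalld/zones/public.xml shown above), listing what the zone accepts from any source so that a rich rule meant to limit 3306/tcp to 192.168.1.0/24 can be told apart from ports opened to everyone. The zone XML is constructed here to mirror the commands in this section; pass a real zone file path as the first argument to audit a live system.

```python
import xml.etree.ElementTree as ET

# Constructed zone file in the shape of /etc/firewalld/zones/public.xml after the
# commands in this section: the default ssh and dhcpv6-client services, the added
# http service and 80/tcp port, the 3306/tcp rich rule limited to 192.168.1.0/24,
# and the icmp drop rule.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port port="80" protocol="tcp"/>
  <rule family="ipv4">
    <source address="192.168.1.0/24"/>
    <port protocol="tcp" port="3306"/>
    <accept/>
  </rule>
  <rule>
    <protocol value="icmp"/>
    <drop/>
  </rule>
</zone>
"""

RICH_RULE_ACTIONS = ("accept", "reject", "drop", "mark")


def parse_zone(xml_text):
    """Return the services, ports and rich rules a firewalld zone file declares."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    services = [s.get("name") for s in root.findall("service")]
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    rules = []
    for rule in root.findall("rule"):
        source = rule.find("source")
        port = rule.find("port")
        service = rule.find("service")
        protocol = rule.find("protocol")
        # the action is whichever child element names one (accept/reject/drop/mark)
        action = next((c.tag for c in rule if c.tag in RICH_RULE_ACTIONS), None)
        rules.append({
            "family": rule.get("family"),
            "source": source.get("address") if source is not None else None,
            "port": (port.get("port"), port.get("protocol")) if port is not None else None,
            "service": service.get("name") if service is not None else None,
            "protocol": protocol.get("value") if protocol is not None else None,
            "action": action,
        })
    return {"services": services, "ports": ports, "rules": rules}


def unrestricted_openings(zone):
    """List what the zone accepts from any source address (no source restriction)."""
    findings = ["service " + s for s in zone["services"]]
    findings += ["port %s/%s" % (p, proto) for p, proto in zone["ports"]]
    for rule in zone["rules"]:
        if rule["action"] == "accept" and rule["source"] is None:
            target = rule["service"] or (
                "%s/%s" % rule["port"] if rule["port"] else rule["protocol"])
            findings.append("rich rule " + str(target))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE_XML
    zone = parse_zone(text)
    for item in unrestricted_openings(zone):
        print("open to any source:", item)
    for rule in zone["rules"]:
        print("rich rule:", rule)
```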
docker
https://www.rockylinux.cn/technical-blog/zai-rocky-linux-9-1-shang-an-zhuang-docker-ce.html
dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
or, from a local copy of the repo file:
dnf config-manager --add-repo=docker-ce.repo
dnf
Basic usage
command | description |
---|---|
repolist | show the DNF repositories available on the system |
list | list all package names |
search <package> | search the repositories for a package |
provides <path> | find which package provides a file |
info <package> | show package details |
install <package> | install a package |
update <package> | upgrade a package |
check-update | check for package updates |
update | upgrade all system packages |
remove | remove a package |
autoremove | remove unused orphaned packages |
clean all | delete cached packages |
help <command> | get help on a command |
help | list all dnf commands and their purpose |
history | show the dnf command history |
grouplist | list all package groups |
groupinstall <group> | install a package group |
groupupdate <group> | upgrade the packages in a group |
groupremove <group> | remove a package group |
distro-sync | sync packages to the latest stable release |
reinstall <package> | reinstall a specific package |
downgrade <package> | roll back a package to an earlier version |
--version | show the DNF version |
Show the dnf version
dnf --version
Show the repositories available on the system
dnf repolist
Show both enabled and disabled repositories
dnf repolist all
List all RPM packages
dnf list
List installed RPM packages
dnf list installed
List RPM packages available for installation
dnf list available
Search for a package (nginx as an example)
dnf search nginx
Show a package's details
dnf info nginx
Install a package
dnf install nginx
Upgrade a package
dnf update nginx
Check for system package updates
dnf check-update
Upgrade all packages on the system
dnf update OR dnf upgrade
Remove a package
dnf remove nginx OR dnf erase nginx
Remove unused orphaned packages
dnf autoremove
Delete cached packages
dnf clean all
Get help on a command
dnf help clean
Reinstall a specific package
dnf reinstall nginx
Roll back a package to an earlier version
dnf downgrade nginx
modules
dnf in CentOS 8 added a module feature, usually translated as module streams (outlined below). It is used to switch between different versions of a piece of software, mainly to quickly replace or upgrade the version currently in use.
dnf module in CentOS 8 serves this purpose, for example switching the versions of php, nginx, nodejs and so on; CentOS 8 was to add more modules over time (most of them live in the AppStream repository). Some third-party repositories already support it too, for example the remi repository (repo download: CentOS8 yum/dnf configuration).
dnf [OPTIONS] module [COMMAND] [MODULE-SPEC]
OPTIONS:
see the dnf(8) man page for details
COMMAND:
enable enable a module
info show module information
remove remove a module
provides show which repository provides a module
list list module details
update update a module
install install a module
reset reset a module
disable disable a module
MODULE-SPEC:
Name[:Stream[/Profiles]] module name[:stream[/profile]]
apache
Building from source: https://www.golinuxcloud.com/rocky-linux-install-apache-from-source-code/
https://rhel.pkgs.org/8/raven-modular-x86_64/httpd-2.4.54-1.el8.x86_64.rpm.html
Before installing httpd, use dnf list to confirm which httpd version will be installed
$ dnf list | grep httpd
httpd.x86_64 2.4.53-7.el9 @appstream
httpd-core.x86_64 2.4.53-7.el9 @appstream
httpd-devel.x86_64 2.4.53-7.el9 @appstream
httpd-filesystem.noarch 2.4.53-7.el9 @appstream
httpd-manual.noarch 2.4.53-7.el9 @appstream
httpd-tools.x86_64 2.4.53-7.el9 @appstream
rocky-logos-httpd.noarch 90.13-1.el9 @appstream
keycloak-httpd-client-install.noarch 1.1-10.el9 appstream
libmicrohttpd.i686 1:0.9.72-4.el9 appstream
libmicrohttpd.x86_64 1:0.9.72-4.el9 appstream
python3-keycloak-httpd-client-install.noarch 1.1-10.el9 appstream
Package | Contents |
---|---|
httpd | httpd itself |
httpd-devel | httpd development tools, modules, etc. |
httpd-filesystem | the basic directory layout for Apache httpd |
httpd-manual | the httpd manual |
# Install
$ dnf install -y httpd httpd-tools httpd-devel httpd-manual
# Check the installed version
dnf list --installed | grep httpd
# Check the configuration
apachectl configtest
# Start the service
systemctl start httpd
# Open the firewall
firewall-cmd --add-service=http --zone=public --permanent
firewall-cmd --reload
mariadb
https://mariadb.org/mariadb/all-releases/
https://juejin.cn/post/6981856163339960327
https://www.xiaoyuanjiu.com/108366.html
How to install MariaDB 10.6 on Rocky Linux 8
Installation
# version 10.5.16
$ dnf install mariadb-server
$ systemctl start mariadb
Initial configuration after installation
$ mysql_secure_installation // must be run with administrator privileges
First it prompts for the database root user's password
Enter current password for root (enter for none): <-- on the first run just press Enter
Set the password
Set root password? [Y/n] <-- whether to set a root password; type y and press Enter, or just press Enter
New password: <-- set the root user's password
Re-enter new password: <-- enter the password again
Other settings
Remove anonymous users? [Y/n] <-- whether to remove anonymous users
Disallow root login remotely? [Y/n] <-- whether to forbid remote root logins
Remove test database and access to it? [Y/n] <-- whether to remove the test database
Reload privilege tables now? [Y/n] <-- whether to reload the privilege tables
Changing the root password, method 2
In newer versions the table that actually takes effect is mysql.global_priv, not mysql.user.
# The root password can also be changed as follows:
$ sudo mysql -u root // just press Enter; the text below means the login succeeded
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 10.1.37-MariaDB-0+deb9u1 Raspbian 9.0
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
# Then change the password with the following steps
MariaDB [(none)]> use mysql;
# Old method, for versions where mysql.user was the effective table:
# MariaDB [mysql]> UPDATE user SET plugin='mysql_native_password' WHERE user='root'; // authentication plugin
# MariaDB [mysql]> UPDATE user SET password=PASSWORD('your root password') WHERE user='root'; // set the password
MariaDB [mysql]> ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("root_password");
MariaDB [mysql]> flush privileges; // reload the privileges
MariaDB [mysql]> exit; // quit
# Note that the SQL statements above must end with a semicolon
# Then restart the service
$ systemctl restart mariadb
Changing the default database location
$ mkdir /data/mysql
$ chown mysql:mysql -R /data/mysql/
# Edit the configuration file
$ vim /etc/my.cnf
# Restart mariadb
$ systemctl restart mariadb.service
/etc/my.cnf
#
# This group is read both by the client and the server
# use it for options that affect everything
#
[client-server]
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
[mysqld]
character-set-server=utf8
datadir=/data/mysql
By default the mariadb service cannot access /home/, /root or /run/user; placing the data directory there fails with Can't create test file '/home/mariadb/localhost.lower-test' (Errcode: 13 "Permission denied"). This is controlled by ProtectHome in mariadb.service. To use a directory under /home, make the following change (preferably as a drop-in via systemctl edit mariadb.service, so a package update does not overwrite it) and restart the service.
# Prevent accessing /home, /root and /run/user
ProtectHome=false # true default
Database backup
Backup
#!/bin/bash
# Dump every database listed (one name per line) in the mysqldb_a* files; the dumps
# of one list file run in parallel, then wait before moving to the next file.
# -p takes the password with no space after it; with a space the next word is read as
# the database name. Note that a password on the command line shows up in process
# listings; a ~/.my.cnf or --defaults-extra-file is the safer way to supply it.
for f in mysqldb_a*; do
  for i in $(cat "${f}"); do
    #echo $i;
    mysqldump -u username -p'password' "${i}" > "backdb_${i}.sql" &
  done
  wait
done
Restore
#!/bin/bash
# Restore each database listed in mysqldb_list from db_sql/backdb_<name>.sql
mysqluser=root
mysqlpass=password
mysqlcent="mysql -u $mysqluser -p$mysqlpass"
databases=$(cat mysqldb_list)
pref="backdb_"
for data in $databases
do
#echo "$mysqlcent -e "use $data " && $mysqlcent -e " source db_sql/${pref}${data}.sql "" # restore data
#$mysqlcent -e "use $data " && $mysqlcent -e " source db_sql/${pref}${data}.sql " # restore data
$mysqlcent -D"$data" < "db_sql/${pref}${data}.sql" # restore data
done
PHP
Basic installation
$ dnf install php php-fpm php-mysqlnd php-opcache php-gd php-ldap php-odbc php-pear php-xml php-mbstring php-snmp php-soap
$ systemctl start php-fpm
$ systemctl enable php-fpm
# After PHP is installed and configured, restart Apache for it to take effect:
$ systemctl restart httpd
Privoxy proxy
Start a local SOCKS5 proxy over ssh
$ ssh -fN -D 1091 -p 12345 username@192.168.1.100
$ wget https://rpmfind.net/linux/epel/9/Everything/x86_64/Packages/p/privoxy-3.0.33-2.el9.x86_64.rpm
$ rpm -ivh privoxy-3.0.33-2.el9.x86_64.rpm
Open the file /etc/privoxy/config.
First search for the keyword listen-address and find the line listen-address 127.0.0.1:8118; make sure it is not commented out. 8118 is the port the HTTP proxy will later be reached on.
Then search for forward-socks5t and uncomment the line #forward-socks5t / 127.0.0.1:1091 . This forwards traffic to local port 1091, which is the port the SOCKS5 proxy listens on.
Start privoxy
$ systemctl restart privoxy
$ systemctl enable privoxy
Forwarding configuration, run in the current session
export http_proxy=http://127.0.0.1:8118
export https_proxy=http://127.0.0.1:8118
# A plain pip install shadowsocks fails with "method aes-256-gcm not supported"
$ pip install https://github.com/shadowsocks/shadowsocks/archive/master.zip -U
# Write the configuration file; remove the comments when writing the JSON file, otherwise it fails to parse
$ cat /etc/shadowsocks-client.json
{
"server":"your_server_ip", # server IP
"server_port":your_server_port, # port
"local_address": "127.0.0.1", # local IP
"local_port":1080, # local port
"password":"your_server_passwd", # connection password
"timeout":300, # timeout
"method":"aes-256-gcm", # cipher
"fast_open": false, # true or false. If the server's Linux kernel is 3.7+, fast_open can be enabled to reduce latency: run echo 3 > /proc/sys/net/ipv4/tcp_fastopen, then set fast_open to true
"workers": 1 # number of worker processes
}
$ nohup sslocal -c /etc/shadowsocks-client.json > /dev/null 2>&1 &
docker
# Add the Docker repository
dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
# Refresh the repositories
dnf update
# Install Docker
dnf install -y docker-ce
# Start the Docker service
sudo systemctl start docker && sudo systemctl status docker
# Start at boot
sudo systemctl enable docker
# It is recommended to add a regular user to the docker group and run Docker as that user.
# Note: membership of the docker group is equivalent to root on the host, so grant it only to trusted accounts.
sudo usermod -aG docker $USER
# Apply the group change
newgrp docker
# Test
$ docker pull alpine
$ docker run -it alpine /bin/sh
/ # ping www.baidu.com
PING www.baidu.com (182.61.200.7): 56 data bytes
64 bytes from 182.61.200.7: seq=0 ttl=47 time=24.300 ms
64 bytes from 182.61.200.7: seq=1 ttl=47 time=23.994 ms
# Registry mirror
$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
$ systemctl daemon-reload
$ systemctl restart docker
LVM
LVM basics
Physical Extent: PE
A PE is like the disk block mentioned earlier; its size likewise limits the size of a VG.
Physical Volume: PV
Recall that when partitioning, the partition type list contains an LVM type (8e). To use LVM, the partition type must first be changed to 8e, then pvcreate turns the partition into a PV; this step is the prerequisite for the next.
Volume Group: VG
A VG combines multiple PVs into one larger disk.
Logical Volume: LV
To use a VG it must be divided into LVs; an LV can be thought of as a partition, and like a partition it must be formatted before it can be mounted.
Basic usage
# Create a PV
pvcreate /dev/sda
# Create a VG
vgcreate data /dev/sda
# Create an LV. -i 2 -I 64 are striping options: -i is the number of PVs to stripe across, -I is the stripe unit size (the size of each stripe unit, which corresponds to the data block size of an I/O; it must be a power of 2, in KB)
lvcreate -n lv-data -L 50T data
# Format the LV
mkfs.xfs /dev/data/lv-data
# Mount the LV
mount /dev/data/lv-data /disk2/
Other operations
# Remove an LV
lvremove /dev/data/lv-data
# Rename a VG
vgrename /dev/vg1 /dev/vg2
# Grow an LV
# Check how much free space the VG has
vgdisplay
# Grow the root LV to 400GB
lvextend -L 400G /dev/centos/root
# Grow the filesystem; for ext4 use resize2fs /dev/mapper/centos-root
xfs_growfs /dev/mapper/centos-root
NIS
Rocky 9 dropped official support for NIS and ships no related RPM packages, so the NIS packages have to be built by hand. Since Rocky 8 the authselect tool has replaced authconfig for managing system authentication; the default authselect in Rocky 9 has no NIS profile, so an authselect with NIS support also has to be rebuilt and installed. Prebuilt RPM packages are available here, or they can be built and packaged following this document.
Prebuilt RPM packages, ready to download and use
authselect-1.2.6-2.el9.x86_64.rpm
authselect-libs-1.2.6-2.el9.x86_64.rpm
yp-tools-4.2.3-2.el9.x86_64.rpm
yp-tools RPM packages whose yppasswd has cracklib password checking enabled:
yp-tools-cracklib1-4.2.3-2.el9.x86_64.rpm built with the --enable-cracklib option
yp-tools-cracklib2-4.2.3-2.el9.x86_64.rpm built with the --enable-cracklib-strict option
The RPM packages can also be built following the documentation below
ypserv
$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/ypserv-4.1-1.el8.src.rpm
$ rpm -Uvh ypserv-4.1-1.el8.src.rpm
$ git clone https://github.com/thkukuk/ypserv
$ cd ypserv
$ git checkout v4.2
$ cd ..
$ tar --exclude-vcs --transform 's/ypserv/ypserv-4.2/' -cvzf ypserv-4.2.tar.gz ypserv
$ cp ypserv-4.2.tar.gz rpmbuild/SOURCES/
$ vim rpmbuild/SPECS/ypserv.spec
ypserv.spec file:
--- rpmbuild/SPECS/ypserv.spec.orig 2022-04-17 10:11:09.000000000 +0900
+++ rpmbuild/SPECS/ypserv.spec 2023-08-22 20:32:33.738889909 +0900
@@ -3,11 +3,11 @@
Summary: The NIS (Network Information Service) server
Url: http://www.linux-nis.org/nis/ypserv/index.html
Name: ypserv
-Version: 4.1
+Version: 4.2
Release: 1%{?dist}
License: GPLv2
Group: System Environment/Daemons
-Source0: https://github.com/thkukuk/%{name}/archive/v%{version}.tar.gz
+Source0: https://github.com/thkukuk/%{name}/archive/v%{version}.tar.gz#/ypserv-%{version}.tar.gz
Source1: ypserv.service
Source2: yppasswdd.service
Source3: ypxfrd.service
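Review bot: Version is raised to 4.2 but this diff adds no %changelog entry, so the rebuild on el9 leaves no record in the package metadata; add one with the date, the reason (no ypserv in Rocky 9) and the new version. Note also that the `#/ypserv-%{version}.tar.gz` fragment added to Source0 only fixes the expected file name in SOURCES (which must match the ypserv-4.2.tar.gz produced by the tar --transform command above); rpmbuild never fetches the URL, so what is actually built is the local git checkout, not the upstream release archive.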
$ dnf --enablerepo=devel install tokyocabinet-devel libnsl2-devel libtirpc-devel systemd-devel
$ dnf install docbook-style-xsl autoconf automake gcc gcc-c++
$ rpmbuild -bb rpmbuild/SPECS/ypserv.spec
$ ls -l rpmbuild/RPMS/x86_64/ypserv-*
-rw-r--r--. 1 root root 154695 Aug 22 20:33 rpmbuild/RPMS/x86_64/ypserv-4.2-1.el9.x86_64.rpm
-rw-r--r--. 1 root root 200012 Aug 22 20:33 rpmbuild/RPMS/x86_64/ypserv-debuginfo-4.2-1.el9.x86_64.rpm
-rw-r--r--. 1 root root 64847 Aug 22 20:33 rpmbuild/RPMS/x86_64/ypserv-debugsource-4.2-1.el9.x86_64.rpm
ypbind
$ git clone https://github.com/thkukuk/ypbind-mt
$ cd ypbind-mt
$ git checkout v2.7.2
$ cd ..
$ tar --exclude-vcs --transform 's/ypbind-mt/ypbind-mt-2.7.2/' -cvzf ypbind-mt-2.7.2.tar.gz ypbind-mt
$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/ypbind-2.5-2.el8.src.rpm
$ rpm -Uvh ypbind-2.5-2.el8.src.rpm
$ vim rpmbuild/SPECS/ypbind.spec
--- rpmbuild/SPECS/ypbind.spec.orig 2021-04-12 18:07:59.000000000 +0900
+++ rpmbuild/SPECS/ypbind.spec 2022-12-24 16:28:51.346494889 +0900
@@ -1,7 +1,7 @@
Summary: The NIS daemon which binds NIS clients to an NIS domain
Name: ypbind
Epoch: 3
-Version: 2.5
+Version: 2.7.2
Release: 2%{?dist}
License: GPLv2
Group: System Environment/Daemons
@@ -58,7 +58,7 @@
%patch1 -p1 -b .gettextdomain
%patch2 -p1 -b .helpman
#%patch3 -p1 -b .systemdso
-%patch4 -b .gettext_version
+#%patch4 -b .gettext_version
autoreconf -fiv
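Review bot: Commenting out `%patch4 -b .gettext_version` leaves Patch4 declared but unapplied; if the `Patch4:` declaration earlier in the spec is kept, rpmbuild still requires the patch file to be present in SOURCES and the dead reference hides why it was dropped. Either remove the declaration together with this line or add a comment stating that the gettext version fix is already in 2.7.2, in the same way `#%patch3` is already handled in the context above.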
$ dnf --enablerepo=devel install dbus-glib-devel libnsl2-devel libtirpc-devel systemd-devel gettext-devel
$ ll -h rpmbuild/SOURCES/
$ cp ypbind-mt-2.7.2.tar.gz rpmbuild/SOURCES/
$ rpmbuild -bb rpmbuild/SPECS/ypbind.spec
$ ls -l rpmbuild/RPMS/x86_64/
total 560
-rw-r--r-- 1 root root 53534 Jul 4 18:13 ypbind-2.7.2-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 61058 Jul 4 18:13 ypbind-debuginfo-2.7.2-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 27250 Jul 4 18:13 ypbind-debugsource-2.7.2-2.el9.x86_64.rpm
nss_nis
git clone https://github.com/thkukuk/libnss_nis
cd libnss_nis
git checkout v3.2
cd ..
tar --exclude-vcs --transform 's/libnss_nis/libnss_nis-3.2/' -cvzf libnss_nis-3.2.tar.gz libnss_nis
curl -O http://dl.rockylinux.org/pub/rocky/8/BaseOS/source/tree/Packages/n/nss_nis-3.0-8.el8.src.rpm
rpm -Uvh nss_nis-3.0-8.el8.src.rpm
vim rpmbuild/SPECS/nss_nis.spec
@@ -1,11 +1,11 @@
Name: nss_nis
-Version: 3.0
+Version: 3.2
Release: 8%{?dist}
Summary: Name Service Switch (NSS) module using NIS
License: LGPLv2+
Group: System Environment/Base
Url: https://github.com/thkukuk/libnss_nis
-Source: https://github.com/thkukuk/libnss_nis/archive/v%{version}.tar.gz
+Source: https://github.com/thkukuk/libnss_nis/archive/v%{version}.tar.gz#/libnss_nis-%{version}.tar.gz
# https://github.com/systemd/systemd/issues/7074
Source2: nss_nis.conf
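Review bot: Version moves from 3.0 to 3.2 while `Release: 8%{?dist}` in the context is left unchanged and no %changelog entry is added; for a new upstream version reset Release to 1 and record the rebase, otherwise the history reads as the eighth build of 3.2 and the resulting nss_nis-3.2-8.el9 below cannot be told apart from a later distribution build.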
$ cp libnss_nis-3.2.tar.gz rpmbuild/SOURCES/
$ rpmbuild -bb rpmbuild/SPECS/nss_nis.spec
$ dnf install libtool
$ rpmbuild -bb rpmbuild/SPECS/nss_nis.spec
$ ls -l rpmbuild/RPMS/x86_64/
total 708
-rw-r--r-- 1 root root 41641 Jul 4 18:24 nss_nis-3.2-8.el9.x86_64.rpm
-rw-r--r-- 1 root root 77064 Jul 4 18:24 nss_nis-debuginfo-3.2-8.el9.x86_64.rpm
-rw-r--r-- 1 root root 28049 Jul 4 18:24 nss_nis-debugsource-3.2-8.el9.x86_64.rpm
yp-tools
Use the same version as Rocky 8
$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/yp-tools-4.2.3-2.el8.src.rpm
$ rpmbuild --rebuild yp-tools-4.2.3-2.el8.src.rpm
$ ls -l rpmbuild/RPMS/x86_64/
total 912
-rw-r--r-- 1 root root 84059 Jul 4 18:30 yp-tools-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 91355 Jul 4 18:30 yp-tools-debuginfo-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 26818 Jul 4 18:30 yp-tools-debugsource-4.2.3-2.el9.x86_64.rpm
authselect
$ curl -O https://dl.rockylinux.org/pub/rocky/9/BaseOS/source/tree/Packages/a/authselect-1.2.6-2.el9.src.rpm
$ rpm -Uvh authselect-1.2.6-2.el9.src.rpm
$ vim rpmbuild/SPECS/authselect.spec
--- rpmbuild/SPECS/authselect.spec.orig 2023-08-23 21:19:48.711224985 +0900
+++ rpmbuild/SPECS/authselect.spec 2023-08-23 21:21:18.656134493 +0900
@@ -16,7 +16,7 @@
Patch0901: 0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch0902: 0902-rhel9-remove-ecryptfs-support.patch
Patch0903: 0903-rhel9-Revert-profiles-add-support-for-resolved.patch
-Patch0904: 0904-rhel9-remove-nis-support.patch
+#Patch0904: 0904-rhel9-remove-nis-support.patch
Patch0905: 0905-rhel9-Revert-yescrypt.patch
%global makedir %{_builddir}/%{name}-%{version}
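Review bot: Commenting out Patch0904 re-enables the NIS profile, but nothing in the diff raises Release, so the rebuilt packages keep the stock name-version-release (authselect-1.2.6-2.el9 in the listing below). That is why the later install needs `rpm --force -U`, and a future `dnf update` will replace the rebuilt package with the distribution one that has no nis profile, leaving clients unable to resolve NIS users. Bump Release, for example `Release: 2.nis1%{?dist}`, so the local build sorts higher and the deviation is visible in the package metadata.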
@@ -153,6 +153,7 @@
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/minimal/
+%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
@@ -165,6 +166,16 @@
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/smartcard-auth
+%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
$ dnf --enablerepo=devel install libcmocka-devel popt-devel po4a python3-devel asciidoc
$ rpmbuild -bb rpmbuild/SPECS/authselect.spec
$ ls -l rpmbuild/RPMS/x86_64/
total 1528
-rw-r--r-- 1 root root 143129 Jul 4 18:48 authselect-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 33191 Jul 4 18:48 authselect-compat-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 38783 Jul 4 18:48 authselect-debuginfo-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 51183 Jul 4 18:48 authselect-debugsource-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 12092 Jul 4 18:48 authselect-devel-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 243801 Jul 4 18:48 authselect-libs-1.2.6-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 97192 Jul 4 18:48 authselect-libs-debuginfo-1.2.6-2.el9.x86_64.rpm
Installation and configuration
Dependency packages
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libnsl2-devel-2.0.0-1.el9.0.1.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libnsl2-2.0.0-1.el9.0.1.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libtirpc-1.3.3-8.el9_4.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/l/libtirpc-devel-1.3.3-8.el9_4.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/t/tokyocabinet-1.4.48-19.el9.x86_64.rpm
$ wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/t/tokyocabinet-devel-1.4.48-19.el9.x86_64.rpm
server
Package installation
$ dnf --enablerepo=devel install rpcbind libnsl2-devel tokyocabinet-devel make
$ rpm -ivh nss_nis-3.2-8.el9.x86_64.rpm ypbind-2.7.2-2.el9.x86_64.rpm ypserv-4.2-1.el9.x86_64.rpm yp-tools-4.2.3-2.el9.x86_64.rpm
$ rpm --force -U authselect-1.2.6-2.el9.x86_64.rpm authselect-libs-1.2.6-2.el9.x86_64.rpm
$ ypdomainname hpc.local
$ echo "NISDOMAIN=hpc.local" >> /etc/sysconfig/network
# Networks NIS serves (netmask network); clients outside them are refused
$ vim /var/yp/securenets
255.0.0.0 127.0.0.0
255.255.255.0 192.168.10.0
# hosts file; login is the NIS server, node01 the client
$ vim /etc/hosts
192.168.10.100 login01
192.168.10.101 login02
192.168.10.12 node01
# Enable the services
$ systemctl enable --now rpcbind ypserv yppasswdd nis-domainname
# Build the maps
$ /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. login is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: login01
next host to add: # Ctrl + D key
The current list of NIS servers looks like this:
login01
Is this correct? [y/n: y] y
...
# Restart the services
$ systemctl restart rpcbind ypserv yppasswdd
# Test the services
$ rpcinfo -p localhost
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 60534 status
100024 1 tcp 49581 status
100004 2 udp 978 ypserv
100004 1 udp 978 ypserv
100004 2 tcp 978 ypserv
100004 1 tcp 978 ypserv
100009 1 udp 986 yppasswdd
100009 1 tcp 986 yppasswdd
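Added example, not part of the original notes: a Python checker for the /var/yp/securenets format used above, to confirm which clients ypserv will answer before the maps are exposed (the yp_all step of the client test below prints the password hashes from passwd.byname, so an over-broad entry such as the 0.0.0.0 0.0.0.0 line shipped in the default file is worth catching). The sample file is a constructed copy of the entries above; the host keyword for single addresses is assumed from ypserv's securenets syntax.

```python
import ipaddress

# Constructed copy of the /var/yp/securenets written in the server section above.
SAMPLE_SECURENETS = """\
# netmask        network
255.0.0.0        127.0.0.0
255.255.255.0    192.168.10.0
"""


def parse_securenets(text):
    """Parse securenets into IPv4 networks.

    Each entry is 'netmask network'; 'host address' (assumed from ypserv's
    securenets syntax) stands for a single host. Comments and blank lines are skipped.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected 'netmask network' or 'host address'" % lineno)
        mask, address = fields
        if mask == "host":
            mask = "255.255.255.255"
        # strict=False tolerates host bits set in the network field
        networks.append(ipaddress.IPv4Network((address, mask), strict=False))
    return networks


def is_allowed(client_ip, networks):
    """True if a client at client_ip matches an entry, i.e. ypserv would answer it."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in networks)


def too_broad(networks, min_prefixlen=8):
    """Entries wider than a /8, e.g. '0.0.0.0 0.0.0.0', which hand the maps to everyone."""
    return [str(net) for net in networks if net.prefixlen < min_prefixlen]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURENETS
    nets = parse_securenets(text)
    for net in nets:
        print("allowed:", net)
    for wide in too_broad(nets):
        print("WARNING: over-broad entry", wide)
    for client in ("192.168.10.12", "192.168.11.5"):
        print(client, "->", "served" if is_allowed(client, nets) else "refused")
```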
client
Installation
$ dnf install libnsl2-devel
$ rpm -ivh ypbind-2.7.2-2.el9.x86_64.rpm yp-tools-4.2.3-2.el9.x86_64.rpm nss_nis-3.2-8.el9.x86_64.rpm
$ rpm --force -U authselect-1.2.6-2.el9.x86_64.rpm authselect-libs-1.2.6-2.el9.x86_64.rpm
# Configure the domain
$ ypdomainname hpc.local
$ echo "NISDOMAIN=hpc.local" >> /etc/sysconfig/network
# Configure the server
$ vim /etc/yp.conf
domain hpc.local server login01
# hosts file; login01 is the NIS server, node01 the client
$ vim /etc/hosts
192.168.10.100 login01
192.168.10.101 login02
192.168.10.12 node01
# Switch the client to NIS
authselect select nis --force
# Enable the services
$ systemctl enable --now rpcbind ypbind nis-domainname
# Test
$ yptest
Test 1: domainname
Configured domainname is "hpc.local"
Test 2: ypbind
...
Test 9: yp_all
username:$6$VlWsBuhCAYme.l6L$8izoH8PxzNR.c8I04Em47mG4djV6wR29OhXAyK/83RwQHLHpzj3SJiKhQ2bNjzAK5E3veD/wVbEOzkqKqQaH81:1000:1000:user:/home/username:/bin/bash
1 tests failed
slave
Package installation
$ dnf --enablerepo=devel install rpcbind libnsl2-devel tokyocabinet-devel make
$ rpm -ivh nss_nis-3.2-8.el9.x86_64.rpm ypbind-2.7.2-2.el9.x86_64.rpm ypserv-4.2-1.el9.x86_64.rpm yp-tools-4.2.3-2.el9.x86_64.rpm
$ rpm --force -U authselect-1.2.6-2.el9.x86_64.rpm authselect-libs-1.2.6-2.el9.x86_64.rpm
Following the previous section, configure the slave node as a NIS client.
# Enable the services
$ systemctl enable --now rpcbind ypserv ypxfrd yppasswdd nis-domainname
# Sync the primary node's maps to the slave node
$ /usr/lib64/yp/ypinit -s login01
# Enable map pushing on the primary node
$ vim /var/yp/Makefile
# line 23 : change
NOPUSH=false
$ /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. dlp.srv.world is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: login01
next host to add: login02 # specify NIS Secondary
next host to add: # Ctrl + D key
The current list of NIS servers looks like this:
dlp.srv.world
yp01.srv.world
Is this correct? [y/n: y] y
...
login01 has been set up as a NIS master server.
Now you can run ypinit -s login01 on all slave server.
Add the second NIS server on the client.
$ vim /etc/yp.conf
# add NIS Secondary Host to the end
# [domain (NIS domain) server (NIS server)]
domain hpc.local server login01
domain hpc.local server login02
$ systemctl restart rpcbind ypbind
# Check which NIS server is currently in use
$ ypwhich
login01
If ypwhich keeps returning login02, i.e. the slave node, set up a cron job on the slave node to periodically sync user information from the primary node; otherwise, after a password change with yppasswd, the user may be unable to log in.
# cron job on the slave node to sync user information
$ crontab -e
*/1 * * * * /usr/lib64/yp/ypxfr -h login passwd.byname
*/1 * * * * /usr/lib64/yp/ypxfr -h login passwd.byuid
Strong passwords
NIS changes passwords with the yppasswd command. By default yppasswd applies only fairly simple rules to the new password; in testing, a trivial password such as 123456 passed.
Reading the yppasswd source shows that it can use cracklib for password strength checking, but the default build options do not enable it.
So it is enough to add the --enable-cracklib build option, change line 56 of src/yppasswd.c to #define CRACKLIB_DICTPATH "/usr/lib64/cracklib_dict", then build and install. The build commands are not listed here; an RPM package is built instead.
Building the RPM package
$ curl -O http://dl.rockylinux.org/pub/rocky/8/AppStream/source/tree/Packages/y/yp-tools-4.2.3-2.el8.src.rpm
$ rpm -Uvh yp-tools-4.2.3-2.el8.src.rpm
git clone https://github.com/thkukuk/yp-tools
cd yp-tools/
git checkout v4.2.3
cd ..
tar --exclude-vcs --transform 's/yp-tools/yp-tools-4.2.3/' -cvzf yp-tools-4.2.3.tar.gz yp-tools
cp yp-tools-4.2.3.tar.gz rpmbuild/SOURCES/
Add a patch file that fixes the cracklib_dict path: vim rpmbuild/SOURCES/yp-tools-4.2.3-yppasswd-fix_cracklib_dict_path.patch
--- yp-tools-4.2.3/src/yppasswd.c.orig 2024-07-10 01:38:34.074888652 +0800
+++ yp-tools-4.2.3/src/yppasswd.c 2024-07-10 01:38:50.702889363 +0800
@@ -53,7 +53,7 @@
#ifdef USE_CRACKLIB
#include <crack.h>
#ifndef CRACKLIB_DICTPATH
-#define CRACKLIB_DICTPATH "/usr/lib/cracklib_dict"
+#define CRACKLIB_DICTPATH "/usr/lib64/cracklib_dict"
#endif
#endif
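Review bot: The new path is only right on 64-bit hosts, and the `#ifndef CRACKLIB_DICTPATH` guard visible in the context means no source change is needed: the spec can pass `-DCRACKLIB_DICTPATH='\"%{_libdir}/cracklib_dict\"'` in CFLAGS, which follows the architecture automatically. cracklib also exposes `GetDefaultCracklibDict()` in crack.h, returning the dictionary path the library itself was built with, which removes the hard-coded constant entirely.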
Add the --enable-cracklib build option: vim rpmbuild/SPECS/yp-tools.spec. For stricter password rules, replace --enable-cracklib with --enable-cracklib-strict.
--- rpmbuild/SPECS/yp-tools.spec.orig 2022-10-21 05:04:54.000000000 +0800
+++ rpmbuild/SPECS/yp-tools.spec 2024-07-10 01:43:42.410901845 +0800
@@ -10,6 +10,7 @@
Patch3: yp-tools-2.12-adjunct.patch
Patch4: yp-tools-4.2.2-strict-prototypes.patch
Patch5: yp-tools-4.2.3-yppasswd-exclamation_mark.patch
+Patch6: yp-tools-4.2.3-yppasswd-fix_cracklib_dict_path.patch
Url: http://www.linux-nis.org/nis/yp-tools/index.html
BuildRequires: autoconf, automake, gettext-devel, libtool, libtirpc-devel, libnsl2-devel
Requires: ypbind >= 3:2.4-2
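Review bot: Patch6 is declared but the diff shows no %prep change applying it (e.g. `%patch6 -p1 -b .cracklib_dict_path`), so unless the spec uses %autosetup the dictionary-path fix never reaches the built yppasswd and it will still look in /usr/lib/cracklib_dict. The BuildRequires line in the context also lacks `cracklib-devel`, which `--enable-cracklib` needs (the section below installs it by hand instead), and there is no `Requires: cracklib-dicts`, so the dictionary can be missing at runtime on a client that installed only yp-tools.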
@@ -56,7 +57,7 @@
export CFLAGS="$CFLAGS %{optflags} -Wno-cast-function-type"
# If needed the yppasswd can be deprecated by --enable-call-passwd
-%configure --disable-domainname
+%configure --disable-domainname --enable-cracklib
%make_build
# Install the related packages
$ dnf install cracklib cracklib-dicts
$ wget https://dl.rockylinux.org/pub/rocky/9/CRB/x86_64/os/Packages/c/cracklib-devel-2.9.6-27.el9.x86_64.rpm
$ rpm -ivh cracklib-devel-2.9.6-27.el9.x86_64.rpm
$ rpmbuild -bb rpmbuild/SPECS/yp-tools.spec
$ ls -l rpmbuild/RPMS/x86_64/yp-tools-*
-rw-r--r-- 1 root root 83496 Jul 10 02:14 rpmbuild/RPMS/x86_64/yp-tools-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 90328 Jul 10 02:14 rpmbuild/RPMS/x86_64/yp-tools-debuginfo-4.2.3-2.el9.x86_64.rpm
-rw-r--r-- 1 root root 26747 Jul 10 02:14 rpmbuild/RPMS/x86_64/yp-tools-debugsource-4.2.3-2.el9.x86_64.rpm
Installation and testing
# cracklib-devel and cracklib-dicts may need to be installed
$ rpm --force -U yp-tools-4.2.3-2.el9.x86_64.rpm
# Simple passwords such as 123456, 11223344 or abcdef no longer pass
$ yppasswd
Changing NIS account information for tuser on login01.
Please enter old password:
Changing NIS password for tuser on login01.
Please enter new password:
Not a valid password: it is too simplistic/systematic.
Please enter new password:
Not a valid password: it does not contain enough DIFFERENT characters.
Please enter new password:
Not a valid password: it is based on a dictionary word.
Too many tries. Aborted.
Password unchanged.
Prebuilt RPM packages, ready to download and use
yp-tools-cracklib1-4.2.3-2.el9.x86_64.rpm built with the --enable-cracklib option
yp-tools-cracklib2-4.2.3-2.el9.x86_64.rpm built with the --enable-cracklib-strict option
Troubleshooting
yppasswd fails with: Cannot find suitable transport for protocol 'udp'
The client's /etc/hosts is missing the entry for the server node.
References
https://web.chaperone.jp/w/index.php?NIS/rockylinux9
http://cortex.vis.caltech.edu/~sysadmin/
LDAP¶
http://hpc.ncpgr.cn/paste/35da754cd195
Package downloads for offline environments
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/o/openldap-servers-2.6.6-3.el9.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/Packages/o/openldap-clients-2.6.6-3.el9.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/s/sssd-client-2.9.4-6.el9_4.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/s/sssd-ldap-2.9.4-6.el9_4.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/o/oddjob-0.34.7-7.el9.x86_64.rpm
wget https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/o/oddjob-mkhomedir-0.34.7-7.el9.x86_64.rpm
Server configuration¶
# install
$ dnf install dnf-utils epel-release mod_ssl
$ dnf install openldap openldap-servers openldap-clients
$ dnf --enablerepo=epel -y install openldap-servers openldap-clients
$ systemctl enable --now slapd
# generate the hash of the root password with slappasswd
$ slappasswd -h {SSHA} -s admin@123456
{SSHA}EQFnGqcN0G26nZ+WkRxIwFNIFfAAvAGy
# set the password for [olcRootPW], using the hash generated above
$ vim chrootpw.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}EQFnGqcN0G26nZ+WkRxIwFNIFfAAvAGy
$ ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
# import the basic schemas
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
# slapadd -n 0 -F /etc/openldap/slapd.d -l /usr/share/openldap-servers/slapd.ldif
# replace to your own domain name for [dc=***,dc=***] section
# specify the password generated above for [olcRootPW] section
$ vim chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=hpc,dc=local" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=hpc,dc=local

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=hpc,dc=local

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}D02ve4WwcYNzxbr5pICoBtY0rHFB6Qnx

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=hpc,dc=local" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=hpc,dc=local" write by * read
# apply
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
modifying entry "olcDatabase={2}mdb,cn=config"
# config file
vim basedomain.ldif
dn: dc=hpc,dc=local
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: hpc

dn: cn=Manager,dc=hpc,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=hpc,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=hpc,dc=local
objectClass: organizationalUnit
ou: Group
# apply
$ ldapadd -x -D cn=Manager,dc=hpc,dc=local -W -f basedomain.ldif
Enter LDAP Password:
adding new entry "dc=hpc,dc=local"
adding new entry "cn=Manager,dc=hpc,dc=local"
adding new entry "ou=People,dc=hpc,dc=local"
adding new entry "ou=Group,dc=hpc,dc=local"
$ mkdir /etc/openldap/certs
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/openldap/certs/ldapserver.key -out /etc/openldap/certs/ldapserver.crt -subj "/C=CN/ST=Hubei/L=Wuhan/O=HZAU/OU=HPC/CN=login.hpc.local"
$ chown ldap:ldap /etc/openldap/certs/{ldapserver.crt,ldapserver.key}
$ cat mod_ssl.ldif
# create new
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldapserver.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldapserver.key
# apply
$ ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
$ firewall-cmd --add-service={ldap,ldaps}
$ firewall-cmd --runtime-to-permanent
Add an LDAP user¶
Generate the hashed password
$ slappasswd -s abc@123
{SSHA}ae8jMPcsfEsK+BLAimhEoLcx1mKFyXWt
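The {SSHA} values written into olcRootPW above and into userPassword below are salted SHA-1: base64 of sha1(password + salt) followed by the 4-byte salt. The helper below is an added example, not from this page or from OpenLDAP, that reproduces the `slappasswd -h {SSHA}` construction so an admin can verify a stored hash against a known password and spot userPassword values stored without any scheme prefix.

```python
"""Generate and verify OpenLDAP {SSHA} hashes (added example, not from the page)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it in the blob is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Same construction as `slappasswd -h {SSHA}`: base64(sha1(password + salt) + salt).

    slappasswd draws a 4-byte random salt; a fixed salt is accepted here only so
    that results are reproducible.  Note that `slappasswd -s <pw>` leaves the
    password in shell history; run it without -s to be prompted instead.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value such as olcRootPW or userPassword."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    blob = base64.b64decode(stored[len(SCHEME):])
    if len(blob) <= SHA1_LEN:  # no salt present: malformed, never matches
        return False
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(value: str) -> str:
    """Return the storage scheme of a userPassword value ('SSHA', 'CRYPT', ...)
    or 'CLEARTEXT' when the attribute carries no {scheme} prefix at all."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"


if __name__ == "__main__":
    h = ssha_hash("admin@123456")
    print(h, ssha_verify("admin@123456", h), password_scheme(h))
```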
$ vim add_user.ldif
# create new
# replace the section [dc=***,dc=***] to your own suffix
dn: uid=tuser,ou=People,dc=hpc,dc=local
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Rocky
sn: Linux
userPassword: {SSHA}ae8jMPcsfEsK+BLAimhEoLcx1mKFyXWt
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/tuser

dn: cn=tuser,ou=Group,dc=hpc,dc=local
objectClass: posixGroup
cn: tuser
gidNumber: 1001
memberUid: tuser
$ ldapadd -x -D cn=Manager,dc=hpc,dc=local -W -f add_user.ldif
Enter LDAP Password:
adding new entry "uid=tuser,ou=People,dc=hpc,dc=local"
adding new entry "cn=tuser,ou=Group,dc=hpc,dc=local"
$ ldapdelete -x -W -D 'cn=Manager,dc=hpc,dc=local' "uid=tuser,ou=People,dc=hpc,dc=local"
$ ldapdelete -x -W -D 'cn=Manager,dc=hpc,dc=local' "cn=tuser,ou=Group,dc=hpc,dc=local"
Client configuration¶
# online
$ dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
# offline
$ rpm -ivh openldap-clients-2.6.6-3.el9.x86_64.rpm sssd-client-2.9.4-6.el9_4.x86_64.rpm sssd-ldap-2.9.4-6.el9_4.x86_64.rpm oddjob-mkhomedir-0.34.7-7.el9.x86_64.rpm oddjob-0.34.7-7.el9.x86_64.rpm
# switch the authentication stack to sssd
# for [with-mkhomedir], specify it if you need (create home directory when initial login)
$ authselect select sssd with-mkhomedir --force
Backup stored at /var/lib/authselect/backups/2024-07-03-10-28-32.bHV85D
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
is present and oddjobd service is enabled and active
- systemctl enable --now oddjobd.service
# sssd config file
$ vim /etc/sssd/sssd.conf
# create new
# replace [ldap_uri], [ldap_search_base] to your own environment value
[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# ldap_uri = ldap://dlp.hpc.local/
# ldap server
ldap_uri = ldap://192.168.10.11
ldap_search_base = dc=hpc,dc=local
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
cache_credentials = True
ldap_tls_reqcert = allow
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
$ chmod 600 /etc/sssd/sssd.conf
$ systemctl restart sssd oddjobd
$ systemctl enable sssd oddjobd
Log file: /var/log/sssd/sssd_default.log
Troubleshooting¶
Reinstall
rpm -e openldap-clients-2.6.6-3.el9 openldap-servers-2.6.6-2.el9
rm -rf /etc/openldap/
rm -rf /var/lib/ldap