The problem with a default NFS export (sec=sys) is that it has no real host or user authentication: the server trusts the client's source IP address and the UID/GID that the client puts in each request, and both are trivially spoofed by anyone on the network, so the traffic is also open to man-in-the-middle tampering. With Kerberos (sec=krb5), the client host and the user each have to prove their identity with Kerberos tickets before the server honours a request, instead of the server blindly assuming that the IP it is talking to is genuine. Note that sec=krb5 provides authentication only; sec=krb5i adds an integrity check on every RPC and sec=krb5p also encrypts the data on the wire.
For Kerberos Server configuration, refer to this post.
NOTE: 1) Ensure that DNS (or the '/etc/hosts' file) resolves every host's fully qualified name, forward and reverse, because Kerberos service principals are built from the FQDN (nfs/server3.mycompany.com).
2) Ensure that time synchronization (NTP/chrony) is configured on all machines in the network; Kerberos rejects tickets when the clock skew exceeds the default limit of 300 seconds.
3) All commands are to be executed as the 'root' user unless the prompt shows otherwise.
Consider the following scenario:
Kerberos Realm: MYCOMPANY.COM
DNS Domain Name: mycompany.com
Kerberos KDC: meru.mycompany.com
Kerberos Admin Server: meru.mycompany.com
NFS Server: server3.mycompany.com
NFS Client: server1.mycompany.com
Configure NFS Server (server3.mycompany.com):
1) Install packages.
[root@server3 ~]# yum -y install krb5-workstation krb5-libs
2) Edit the file '/etc/krb5.conf'. Make the following changes (default_realm belongs in the [libdefaults] section).
[libdefaults]
default_realm = MYCOMPANY.COM
[realms]
MYCOMPANY.COM = {
kdc = meru.mycompany.com
admin_server = meru.mycompany.com
}
[domain_realm]
.mycompany.com = MYCOMPANY.COM
mycompany.com = MYCOMPANY.COM
3) Create the nfs service principal in the Kerberos database and extract its key into the server's keytab (/etc/krb5.keytab by default). Passing the admin password with -w, as shown here, leaves it in the shell history and process list; omit -w to be prompted for it instead.
[root@server3 ~]# kadmin -p shabbir/admin -w shabbir
kadmin: addprinc -randkey nfs/server3.mycompany.com
kadmin: ktadd nfs/server3.mycompany.com
kadmin: quit
4) View the keytab entry. It should list nfs/server3.mycompany.com@MYCOMPANY.COM; keep /etc/krb5.keytab readable by root only.
[root@server3 ~]# klist -k
5) Edit the file '/etc/exports' and require Kerberos authentication for the export. sec=krb5 authenticates only; to accept integrity or privacy as well, list the flavours the server will allow, strongest first (sec=krb5p:krb5i:krb5), and never include sys in that list, or clients can fall back to unauthenticated access.
/home/shabbir server1.mycompany.com(rw,sec=krb5)
6) Export the dir
[root@server3 ~]# exportfs -avr
7) Start the NFS secure server (the GSS daemon that validates Kerberos credentials; nfs-server itself must be running as well) and make sure the firewall port is open. Use 'systemctl enable' for the same units so they come back after a reboot.
[root@server3 ~]# systemctl start nfs-secure-server
[root@server3 ~]# firewall-cmd --zone=public --add-service=nfs --permanent
[root@server3 ~]# firewall-cmd --reload
Configure NFS Client (server1.mycompany.com):
1) Install packages.
[root@server1 ~]# yum -y install krb5-workstation krb5-libs
2) Edit the file '/etc/krb5.conf'. Make the following changes (default_realm belongs in the [libdefaults] section).
[libdefaults]
default_realm = MYCOMPANY.COM
[realms]
MYCOMPANY.COM = {
kdc = meru.mycompany.com
admin_server = meru.mycompany.com
}
[domain_realm]
.mycompany.com = MYCOMPANY.COM
mycompany.com = MYCOMPANY.COM
3) Create the nfs service principal for the client in the Kerberos database and extract its key into the client's keytab. This is the machine credential rpc.gssd uses for the mount itself, before any user has a ticket. The same caveat about -w applies: omit it to be prompted for the admin password.
[root@server1 ~]# kadmin -p shabbir/admin -w shabbir
kadmin: addprinc -randkey nfs/server1.mycompany.com
kadmin: ktadd nfs/server1.mycompany.com
kadmin: quit
4) View the keytab entry. It should list nfs/server1.mycompany.com@MYCOMPANY.COM.
[root@server1 ~]# klist -k
5) Start the NFS secure client service (rpc.gssd), which obtains the machine credential from /etc/krb5.keytab and per-user service tickets from each user's credential cache.
[root@server1 ~]# systemctl start nfs-secure
6) Mount the exported directory with the matching security flavour. The mount is done by root, who has no user ticket; rpc.gssd uses the client's nfs/server1 keytab entry for this step.
[root@server1 ~]# mount -t nfs4 -o sec=krb5 server3.mycompany.com:/home/shabbir /mnt
7) Log in as user 'shabbir' and obtain a ticket. We assume that a user principal 'shabbir' exists in the Kerberos database and that a local account of the same name exists on both client and server, since the server maps the Kerberos principal to a local user by name.
[root@server1 ~]# su - shabbir
[shabbir@server1 ~]$ kinit shabbir
Password for shabbir@MYCOMPANY.COM:
8) View the ticket
[shabbir@server1 ~]$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: shabbir@MYCOMPANY.COM
Valid starting Expires Service principal
06/06/2015 15:16:28 06/07/2015 15:16:28 krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
renew until 06/06/2015 15:16:28
9) Access the mounted directory. Without a valid ticket this step fails with "Permission denied" even though the mount itself succeeded, which is the whole point of the exercise.
[shabbir@server1 ~]$ cd /mnt
[shabbir@server1 mnt]$ touch foo123
10) Destroy the ticket when done.
[shabbir@server1 ~]$ kdestroy
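The steps above leave several things that are easy to get subtly wrong: a keytab without the right nfs/FQDN principal, an export line that still admits sec=sys, or a mount that silently came up without a Kerberos flavour. The following pre-flight script is an added example, not code from the original post. Its helper functions work on plain text (an /etc/exports line, 'klist -k' output, /proc/mounts, krb5.conf), so they can be exercised against the constructed samples at the bottom; server_preflight and client_preflight run the same checks against a real host and assume the RHEL 7 unit names used in this post (nfs-server, nfs-secure-server, nfs-secure), the default keytab /etc/krb5.keytab, and GNU stat. The sample keytab, mount and krb5.conf text is constructed to match the post's scenario, not captured from a real host.

```shell
#!/bin/sh
# Pre-flight checks for a Kerberized NFS server and client.
# Added example, not code from the original post. Helper functions operate on
# text so they can be run against the constructed samples below; the *_preflight
# functions run the same checks on a live host (as root) when called with --live.

# Print the option list inside the first "(...)" of an /etc/exports line.
exports_opts() {
    rest="${1#*(}"
    printf '%s\n' "${rest%%)*}"
}

# Return 0 only if an /etc/exports line forces Kerberos: sec= must be present and
# every flavour in its colon-separated list must be krb5, krb5i or krb5p.
# A list that also names "sys" lets clients fall back to unauthenticated AUTH_SYS.
exports_line_is_kerberized() {
    sec=$(exports_opts "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    [ -n "$sec" ] || return 1
    for flavour in $(printf '%s\n' "$sec" | tr ':' ' '); do
        case "$flavour" in
            krb5|krb5i|krb5p) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the default_realm from krb5.conf text read on stdin.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 if 'klist -k' output ($1) contains the service principal nfs/$2@$3.
keytab_has_nfs_principal() {
    printf '%s\n' "$1" | awk -v want="nfs/$2@$3" '$2 == want { found = 1 } END { exit !found }'
}

# Return 0 if /proc/mounts text ($1) shows $2 mounted over NFS with sec=krb5, krb5i or krb5p.
mount_is_kerberized() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 ~ /^nfs/ {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] ~ /^sec=krb5(i|p)?$/) ok = 1
        }
        END { exit !ok }'
}

# Live checks for the NFS server (server3 in the post). Needs root.
server_preflight() {
    rc=0
    fqdn=$(hostname -f)
    realm=$(krb5_default_realm < /etc/krb5.conf)
    keytab_has_nfs_principal "$(klist -k 2>/dev/null)" "$fqdn" "$realm" \
        || { echo "FAIL: no nfs/$fqdn@$realm in /etc/krb5.keytab"; rc=1; }
    [ "$(stat -c %a /etc/krb5.keytab 2>/dev/null)" = "600" ] \
        || { echo "FAIL: /etc/krb5.keytab should be mode 0600"; rc=1; }
    while read -r line; do
        [ -n "$line" ] || continue
        exports_line_is_kerberized "$line" \
            || { echo "FAIL: export permits non-Kerberos access: $line"; rc=1; }
    done <<EOF
$(grep -v '^[[:space:]]*#' /etc/exports)
EOF
    for unit in nfs-server nfs-secure-server; do
        systemctl is-active --quiet "$unit" || { echo "FAIL: $unit not running"; rc=1; }
    done
    return $rc
}

# Live checks for the NFS client (server1 in the post) for mountpoint $1. Needs root.
client_preflight() {
    rc=0
    fqdn=$(hostname -f)
    realm=$(krb5_default_realm < /etc/krb5.conf)
    keytab_has_nfs_principal "$(klist -k 2>/dev/null)" "$fqdn" "$realm" \
        || { echo "FAIL: no nfs/$fqdn@$realm in /etc/krb5.keytab"; rc=1; }
    systemctl is-active --quiet nfs-secure || { echo "FAIL: nfs-secure (rpc.gssd) not running"; rc=1; }
    mount_is_kerberized "$(cat /proc/mounts)" "$1" \
        || { echo "FAIL: $1 is not an NFS mount with a Kerberos flavour"; rc=1; }
    return $rc
}

# Constructed samples matching the post's scenario (not captured from a real host).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/server3.mycompany.com@MYCOMPANY.COM
   2 nfs/server3.mycompany.com@MYCOMPANY.COM'
SAMPLE_MOUNTS='server3.mycompany.com:/home/shabbir /mnt nfs4 rw,relatime,vers=4.0,sec=krb5,addr=192.0.2.3 0 0
server3.mycompany.com:/data /data nfs4 rw,relatime,vers=4.0,sec=sys,addr=192.0.2.3 0 0'
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = MYCOMPANY.COM'

if [ "${1:-}" = "--live" ]; then
    server_preflight; client_preflight /mnt
else
    exports_line_is_kerberized '/home/shabbir server1.mycompany.com(rw,sec=krb5)' && echo "export line: ok"
    exports_line_is_kerberized '/home/shabbir *(rw,sec=krb5:sys)' || echo "export line with sys: rejected"
    keytab_has_nfs_principal "$SAMPLE_KEYTAB" server3.mycompany.com MYCOMPANY.COM && echo "keytab: ok"
    mount_is_kerberized "$SAMPLE_MOUNTS" /mnt && echo "mount /mnt: ok"
    mount_is_kerberized "$SAMPLE_MOUNTS" /data || echo "mount /data: sec=sys, rejected"
fi
```

Run it without arguments to see the checks exercised on the samples, or as root with --live on server3 and then on server1 (after the mount) to validate the real configuration. The export check is deliberately strict: a sec= list that mixes krb5 with sys is reported as a failure, because the weakest flavour a server accepts is the one an attacker will use.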
not working
You didn't create the Kerberos database and aren't starting kadmin and krb5kdc.service.