File-Based Storage Lab
1. Export NFS File Systems
In this lab, you use NFS to provide shared storage. The NFS server exports an IP-based NFS share on server1.example.com. The NFS export is mounted on desktop1.example.com.
Reset the server1.example.com system.

Become root on your server1.example.com system.

    [student@server1 ~]$ sudo -i

Become root on your desktop1.example.com system.

    [student@desktop1 ~]$ sudo -i

Configure an IP-based NFS share on server1.example.com according to the following requirements:

  - The NFS server provides the newly created shared directory /nfsshare.
  - The /nfsshare NFS export provides read and write access for nfsnobody.
  - The share is mounted permanently on the /mnt/nfsshare mount point on desktop1.example.com.

Configure an IP-based NFS share on server1.example.com that provides the newly created shared directory /nfsshare for the desktop1.example.com machine with read and write access for nfsnobody.

  Start the NFS service on server1.example.com.

      [root@server1 ~]# systemctl start nfs-server

  Enable the NFS service to start at boot on server1.example.com.

      [root@server1 ~]# systemctl enable nfs-server

  Create the directory /nfsshare to be shared by NFS on the server1.example.com system.

      [root@server1 ~]# mkdir /nfsshare

  Change the ownership of /nfsshare to user nfsnobody, so that the directory is writable by nfsnobody.

      [root@server1 ~]# chown nfsnobody /nfsshare

  Change the /etc/exports configuration file on server1.example.com to share the newly created /nfsshare directory with the desktop1.example.com system with read and write access.

      [root@server1 ~]# echo '/nfsshare desktop1.example.com(rw)' >>/etc/exports

  Use the exportfs -r command to reload the /etc/exports configuration file on server1.example.com.

      [root@server1 ~]# exportfs -r

  Configure firewalld to allow access to the NFS service on server1.example.com.

      [root@server1 ~]# firewall-cmd --permanent --add-service=nfs

  Reload the firewalld configuration so that access to the NFS service is allowed immediately on server1.example.com.

      [root@server1 ~]# firewall-cmd --reload

Mount the NFS export from the server1.example.com system permanently on the /mnt/nfsshare mount point on desktop1.example.com.

  Create the mount point /mnt/nfsshare on the desktop1.example.com system.

      [root@desktop1 ~]# mkdir /mnt/nfsshare

  Create the required entry in /etc/fstab to mount the exported NFS share permanently on the newly created /mnt/nfsshare directory on the desktop1.example.com system.

      server1.example.com:/nfsshare /mnt/nfsshare nfs defaults 0 0

  Mount the exported NFS share on the newly created /mnt/nfsshare directory on the desktop1.example.com system and verify that the /etc/fstab entry works as expected.

      [root@desktop1 ~]# mount -a

  Verify that the NFS share mounted at /mnt/nfsshare is writable on the desktop1.example.com system.

      [root@desktop1 ~]# touch /mnt/nfsshare/test.txt
      [root@desktop1 ~]# ls -l /mnt/nfsshare
      total 0
      -rw-r--r--. 1 nfsnobody nfsnobody 0 May  8 04:14 test.txt

Unmount /mnt/nfsshare and remove the entry from /etc/fstab.
2. Protect NFS Exports Lab
In this lab, you use NFS to provide shared storage protected with Kerberos and SELinux.
The NFS server exports a Kerberized NFS share on server1.example.com with SELinux
labels. The NFS export is mounted on desktop1.example.com with krb5p security and SELinux
labels available.
Reset the server1.example.com system.

Become root on your server1.example.com system.

    [student@server1 ~]$ sudo -i

Set up your server system.

    [root@server1 ~]# wget -O - http://instructor.example.com/pub/server1-nfssec.sh | bash

Become root on your desktop1.example.com system.

    [student@desktop1 ~]$ sudo -i

Set up your desktop1.example.com system.

    [root@desktop1 ~]# wget -O - http://instructor.example.com/pub/desktop1.nfssec.sh | bash

Configure the NFS server on server1.example.com to meet the following requirements:

  - Share the newly created /securenfs directory on server1.example.com with krb5p security.
  - Allow read and write access on the share from the desktop1.example.com system.
  - SELinux labels are exported.
  - The NFS share is mounted on the /mnt/secureshare mount point on desktop1.example.com with krb5p security and exported SELinux labels.
  - Preconfigured krb5 keytabs for the server1.example.com and desktop1.example.com systems are available at http://classroom.example.com/pub/keytabs/server1.keytab and http://classroom.example.com/pub/keytabs/desktop1.keytab.

Configure NFS to share the newly created /securenfs directory on server1.example.com with krb5p security. Allow read and write access from the desktop1.example.com system. The SELinux labels on the shared directory are exported.

  Install the keytab provided at http://classroom.example.com/pub/keytabs/server1.keytab on the server1.example.com system.

      [root@server1 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/server1.keytab

  Enable NFS version 4.2 on the server1.example.com system to export the SELinux labels. To do that, change the RPCNFSDARGS="" line in the /etc/sysconfig/nfs file to:

      RPCNFSDARGS="-V 4.2"

  Start the nfs-secure-server service on the server1.example.com system.

      [root@server1 ~]# systemctl restart nfs-secure-server

  Enable nfs-secure-server to start at system boot on server1.example.com.

      [root@server1 ~]# systemctl enable nfs-secure-server

  Create the directory /securenfs on server1.example.com.

      [root@server1 ~]# mkdir /securenfs

  Add the directory /securenfs to the /etc/exports file to export it with NFS. Enable krb5p security to secure access to the NFS share. Allow read and write access to the exported directory from the desktop1.example.com system.

      [root@server1 ~]# echo '/securenfs desktop1.example.com(sec=krb5p,rw)' >>/etc/exports

  Reload the /etc/exports file on the server1.example.com system.

      [root@server1 ~]# exportfs -r

  Configure firewalld to allow access to the NFS service on server1.example.com.

      [root@server1 ~]# firewall-cmd --permanent --add-service=nfs

  Reload the firewalld configuration so that access to the NFS service is allowed immediately on server1.example.com.

      [root@server1 ~]# firewall-cmd --reload

Mount the krb5p-secured NFS share permanently on the /mnt/secureshare mount point so that all exported SELinux labels are present on the desktop1.example.com system.

  Install the keytab provided at http://classroom.example.com/pub/keytabs/desktop1.keytab on the desktop1.example.com system.

      [root@desktop1 ~]# wget -O /etc/krb5.keytab http://classroom.example.com/pub/keytabs/desktop1.keytab

  Start the nfs-secure service on desktop1.example.com to help with negotiating authentication with a Kerberized NFS share.

      [root@desktop1 ~]# systemctl start nfs-secure

  Enable the nfs-secure service to start at system boot on desktop1.example.com.

      [root@desktop1 ~]# systemctl enable nfs-secure

  Create the mount point /mnt/secureshare on the desktop1.example.com system.

      [root@desktop1 ~]# mkdir /mnt/secureshare

  Create the entry in the /etc/fstab file to mount the /securenfs share exported by the server1.example.com system on the /mnt/secureshare mount point on desktop1.example.com so that the SELinux labels from the share are shown on the mount point.

      server1.example.com:/securenfs /mnt/secureshare nfs defaults,v4.2,sec=krb5p 0 0

  Mount the exported NFS share on the newly created /mnt/secureshare directory on the desktop1.example.com system and verify that the /etc/fstab entry works as expected.

      [root@desktop1 ~]# mount -a

Test the setup with the newly created file /securenfs/testfile.txt with the content "Hello World" on the server1.example.com machine. Set the SELinux context to public_content_t on the file /securenfs/testfile.txt on server1.example.com. Change the ownership of the /securenfs/testfile.txt file to ldapuser1:ldapuser1 and the permissions to 644. Verify that the SELinux context and the permissions are present on the mounted share on the desktop1.example.com system. Verify that user ldapuser1 has read and write access to the /mnt/secureshare/testfile.txt file on desktop1.example.com.

  Create a new file /securenfs/testfile.txt with the content "Hello World" on the server1.example.com machine.

      [root@server1 ~]# echo "Hello World" > /securenfs/testfile.txt

  Set the SELinux context to public_content_t on the file /securenfs/testfile.txt on server1.example.com.

      [root@server1 ~]# chcon -t public_content_t /securenfs/testfile.txt

  Change the ownership of the /securenfs/testfile.txt file to ldapuser1:ldapuser1 on server1.example.com.

      [root@server1 ~]# chown ldapuser1:ldapuser1 /securenfs/testfile.txt

  Change the permissions of the /securenfs/testfile.txt file to 644 on the server1.example.com system.

      [root@server1 ~]# chmod 644 /securenfs/testfile.txt

  Verify that the SELinux context is exported to the desktop1.example.com system and available on the mounted share.

      [root@desktop1 ~]# ls -Z /mnt/secureshare
      -rw-r--r--. ldapuser1 ldapuser1 unconfined_u:object_r:public_content_t:s0 testfile.txt

  Log in to the desktop1.example.com system as ldapuser1 with password kerberos by using SSH.

      [root@desktop1 ~]# ssh ldapuser1@desktop1.example.com
      ...
      ldapuser1@desktop1.example.com's password: kerberos
      Creating home directory for ldapuser1

  Verify that the file /mnt/secureshare/testfile.txt is writable by the Kerberos-authenticated ldapuser1.

      [ldapuser1@desktop1 ~]$ echo "I can write" >>/mnt/secureshare/testfile.txt
      [ldapuser1@desktop1 ~]$ cat /mnt/secureshare/testfile.txt
      Hello World
      I can write

Unmount the NFS filesystem and remove the entry from /etc/fstab.

    [root@desktop1 ~]# umount /mnt/secureshare
    [root@desktop1 ~]# vi /etc/fstab
3. Provide SMB File Shares
In this lab, you use SMB to provide shared storage. You share a directory with SMB on server1.example.com according to the given requirements, and then mount it on desktop1.example.com.
Reset the server1.example.com system.

Become root on your server1.example.com system.

    [student@server1 ~]$ sudo -i

Become root on your desktop1.example.com system.

    [student@desktop1 ~]$ sudo -i

Configure an SMB share on the server1.example.com system according to the following requirements:

  - Share the newly created directory /smbshare with SMB.
  - Members of the auxiliary group marketing have read and write permissions on the share.
  - All users that are not members of the marketing group have read permission.
  - The Samba server is in the mycompany workgroup and the share name in Samba is smbshare.
  - Create the Samba-only user brian, who is part of the marketing team, with the password redhat.
  - Create the new Samba-only user rob with the password redhat, who is not part of the marketing team.

Deploy the required RPM packages to run the SMB service on server1.example.com.

    [root@server1 ~]# yum -y install samba

Create the auxiliary system group marketing and the /smbshare directory on server1.example.com. The marketing system group owns the /smbshare directory. Adjust the permissions on the /smbshare directory so that the SGID bit is set and write access is prohibited for others. The SELinux context type on the /smbshare directory and all newly created files and subdirectories is samba_share_t.

  Create the auxiliary system group marketing on the server1.example.com system.

      [root@server1 ~]# groupadd -r marketing

  Create the /smbshare directory on server1.example.com.

      [root@server1 ~]# mkdir -p /smbshare

  Change the group ownership of the /smbshare directory to marketing on the server1.example.com system.

      [root@server1 ~]# chgrp marketing /smbshare

  Adjust the permissions on the /smbshare directory so that the SGID bit is set and write access is prohibited for others.

      [root@server1 ~]# chmod 2775 /smbshare

  Add the directory /smbshare, and everything below it, to the SELinux policy as a directory sharing files with SMB by setting its label to samba_share_t.

      [root@server1 ~]# semanage fcontext -a -t samba_share_t '/smbshare(/.*)?'

  Apply the SELinux rule for the /smbshare directory that was added in the previous step on server1.example.com.

      [root@server1 ~]# restorecon -vvFR /smbshare
      restorecon reset /smbshare context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0

Change the /etc/samba/smb.conf configuration file on server1.example.com to reflect the requested configuration.

  Modify or confirm the following:

      [global]
      ...
      workgroup = mycompany
      ...
      security = user
      passdb backend = tdbsam

  Add a section at the end of the file as follows.

      [smbshare]
      path = /smbshare
      write list = @marketing

Create the Samba-only user brian, who is part of the marketing team. The user brian has read and write access to the smbshare SMB share. A new Samba user rob is created, who is not part of the marketing team. The user rob has read access to the smbshare SMB share. Both newly added users have the SMB password redhat.

  Install the samba-client RPM package because it contains smbpasswd.

      [root@server1 ~]# yum -y install samba-client

  Create the system user brian as a member of the auxiliary group marketing on server1.example.com.

      [root@server1 ~]# useradd -s /sbin/nologin -G marketing brian

  Add the SMB user brian to Samba. The Samba user is automatically mapped to the local system user brian.

      [root@server1 ~]# smbpasswd -a brian
      New SMB password: redhat
      Retype new SMB password: redhat
      Added user brian.

  Create the system user rob on server1.example.com.

      [root@server1 ~]# useradd -s /sbin/nologin rob

  Add the SMB user rob to Samba. The Samba user is automatically mapped to the local system user rob.

      [root@server1 ~]# smbpasswd -a rob
      New SMB password: redhat
      Retype new SMB password: redhat
      Added user rob.

Start and enable the smb and nmb services, and allow access to them through the firewall on server1.example.com.

  Start the smb and nmb services on the server1.example.com system.

      [root@server1 ~]# systemctl start smb nmb

  Enable the smb and nmb services to start at system boot on server1.example.com.

      [root@server1 ~]# systemctl enable smb nmb

  Configure firewalld to allow access to the SMB service on server1.example.com.

      [root@server1 ~]# firewall-cmd --permanent --add-service=samba
      success
      [root@server1 ~]# firewall-cmd --reload
      success

Verify that the newly created SMB share works as expected on the desktop1.example.com system with the created Samba-only users brian and rob. The user brian has read and write access to the smbshare SMB share. The user rob has read access to the smbshare SMB share.

  Install the cifs-utils package because it provides the mount.cifs command.

      [root@desktop1 ~]# yum -y install cifs-utils

  Create the mount point /mnt/brian on desktop1.example.com.

      [root@desktop1 ~]# mkdir /mnt/brian

  Mount the //server1.example.com/smbshare Samba share temporarily as user brian on the mount point /mnt/brian on the desktop1.example.com system.

      [root@desktop1 ~]# mount -o username=brian //server1.example.com/smbshare /mnt/brian
      Password for brian@//server1.example.com/smbshare: redhat

  Verify on desktop1.example.com that user brian has read and write access to the smbshare share provided by server1.example.com because he is a member of the marketing auxiliary group.

      [root@desktop1 ~]# echo "Hello World" >/mnt/brian/brian1.txt
      [root@desktop1 ~]# cat /mnt/brian/brian1.txt
      Hello World

  Create the mount point /mnt/rob on desktop1.example.com.

      [root@desktop1 ~]# mkdir /mnt/rob

  Mount the //server1.example.com/smbshare Samba share temporarily as user rob on the mount point /mnt/rob on the desktop1.example.com system.

      [root@desktop1 ~]# mount -o username=rob //server1.example.com/smbshare /mnt/rob
      Password for rob@//server1.example.com/smbshare: redhat

  Verify on desktop1.example.com that user rob has no write permission on the smbshare Samba share provided by the server1.example.com system.

      [root@desktop1 ~]# touch /mnt/rob/rob1.txt
      touch: cannot touch '/mnt/rob/rob1.txt': Permission denied

  Test that read access for Samba user rob works as expected on the /mnt/rob Samba share on the desktop1.example.com system.

      [root@desktop1 ~]# cat /mnt/rob/brian1.txt
      Hello World

Unmount the SMB filesystems.

    [root@desktop1 ~]# umount /mnt/rob /mnt/brian

Do not reset your server1.example.com system. You use it in the next lab.
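That brian can write and rob can only read follows from how Samba combines a share's read-only default with write list. The function below is an added example, not part of the lab or of Samba: it applies those share-level rules (read only / writable, write list, read list, valid users, with @group and +group matched against the user's Unix groups; [global] defaults are not considered) to an smb.conf and reports the access a user gets. The smb.conf text is constructed to mirror the lab's configuration.

```shell
#!/bin/sh
# Added example, not part of the lab: work out the access a Samba user gets on
# one share from smb.conf. Rules applied (share section only, [global]
# defaults ignored): shares are read-only unless "read only = no" or
# "writable = yes"; "write list" grants write regardless; "read list" forces
# read-only (write list wins if a user is in both); "valid users" restricts
# who may connect. @group / +group entries are matched against Unix groups.

# smb_access CONF SHARE USER "GROUP GROUP ..."  -> prints rw, ro or none
smb_access() {
    awk -v share="$2" -v user="$3" -v groups="$4" '
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function listed(list,   n, i, a, g, m, j, gs) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", a[i])
            if (a[i] == user) return 1
            if (a[i] ~ /^[@+]/) {                 # group entry
                g = substr(a[i], 2); m = split(groups, gs, " ")
                for (j = 1; j <= m; j++) if (gs[j] == g) return 1
            }
        }
        return 0
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/][ \t]*$/, "", sec)
        if (sec == share) found = 1
        next
    }
    sec == share && /=/ {                          # "key = value" inside our share
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        opt[tolower(key)] = val
    }
    END {
        if (!found) { print "none"; exit }
        if (("valid users" in opt) && !listed(opt["valid users"])) { print "none"; exit }
        writable = 0
        if (("read only" in opt) && !yes(opt["read only"])) writable = 1
        if (("writable" in opt) && yes(opt["writable"])) writable = 1
        if (("writeable" in opt) && yes(opt["writeable"])) writable = 1
        if (("write list" in opt) && listed(opt["write list"])) { print "rw"; exit }
        if (("read list" in opt) && listed(opt["read list"])) { print "ro"; exit }
        print (writable ? "rw" : "ro")
    }' "$1"
}

# Constructed smb.conf mirroring the lab: read-only share, marketing may write.
conf=$(mktemp)
cat >"$conf" <<'EOF'
[global]
        workgroup = mycompany
        security = user
        passdb backend = tdbsam
[smbshare]
        path = /smbshare
        write list = @marketing
EOF
echo "brian (marketing): $(smb_access "$conf" smbshare brian marketing)"   # rw
echo "rob (no groups):   $(smb_access "$conf" smbshare rob "")"           # ro
rm -f "$conf"
```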
4. Perform a multiuser SMB Mount
In this lab, you mount an SMB share provided by server1.example.com on the desktop1.example.com with the multiuser option.
Do not reset the server1.example.com system.

Become root on your server1.example.com system.

    [student@server1 ~]$ sudo -i

Become root on your desktop1.example.com system.

    [student@desktop1 ~]$ sudo -i

Mount the SMB share //server1.example.com/smbshare permanently on the desktop1.example.com system according to the following requirements:

  - The mount point on the desktop1.example.com system is the newly created directory /mnt/multiuser.
  - The SMB share is mounted with a newly created credentials file /root/smb-multiuser.txt. The credentials used to mount the SMB share are username brian and password redhat.
  - The SMB share is mounted with the multiuser mount option enabled.
  - The existing user brian on the desktop1.example.com system has a corresponding SMB account on server1.example.com. Associate the system user brian on the desktop1.example.com system with the SMB user brian on the server1.example.com system to access the /mnt/multiuser mount point. The password for brian is redhat. Verify that user brian has read and write access to the mounted SMB share.
  - The existing user rob on the desktop1.example.com system has a corresponding SMB account on server1.example.com. Associate the system user rob on the desktop1.example.com system with the SMB user rob on the server1.example.com system to access the /mnt/multiuser mount point. The password for rob is redhat. Verify that user rob has read but no write access to the mounted SMB share.

Install the cifs-utils RPM package on the desktop1.example.com system because it contains the cifscreds command required to store and forward authentication credentials to the Samba server with a multiuser mount.

    [root@desktop1 ~]# yum -y install cifs-utils

Mount the Samba share permanently on the /mnt/multiuser mount point on desktop1.example.com and authenticate with a credentials file. Mount the Samba share with the credentials of user brian.

  Create the mount point /mnt/multiuser on desktop1.example.com.

      [root@desktop1 ~]# mkdir /mnt/multiuser

  Create the credentials file /root/smb-multiuser.txt with the username and password of user brian on the desktop1.example.com system.

      [root@desktop1 ~]# echo 'username=brian' >/root/smb-multiuser.txt
      [root@desktop1 ~]# echo 'password=redhat' >>/root/smb-multiuser.txt

  Create the entry in /etc/fstab to permanently mount the Samba share with the multiuser option as user brian on the /mnt/multiuser mount point on desktop1.example.com.

      //server1.example.com/smbshare /mnt/multiuser cifs credentials=/root/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0

  Verify that the entry in /etc/fstab to permanently mount the Samba share on desktop1.example.com is correct by mounting the share with the fstab entry.

      [root@desktop1 ~]# mount /mnt/multiuser

Access the SMB multiuser mount /mnt/multiuser as the already existing user brian on desktop1.example.com. Automatically authenticate to Samba as the corresponding Samba user that exists with the same name on server1.example.com and has read and write permission on the SMB share.

  Switch to user brian on the terminal on desktop1.example.com.

      [root@desktop1 ~]# useradd brian
      [root@desktop1 ~]# su - brian

  Try to write to the /mnt/multiuser mount point as user brian on the desktop1.example.com system.

      [brian@desktop1 ~]$ touch /mnt/multiuser/testfile.txt
      touch: cannot touch '/mnt/multiuser/testfile.txt': Permission denied

  Record the Samba credentials for the local user brian with the cifscreds command on desktop1.example.com.

      [brian@desktop1 ~]$ cifscreds add server1.example.com
      Password: redhat

  Verify that user brian has read and write permission on the mount point /mnt/multiuser on desktop1.example.com.

      [brian@desktop1 ~]$ echo "Multiuser" >/mnt/multiuser/brian2.txt
      [brian@desktop1 ~]$ cat /mnt/multiuser/brian2.txt
      Multiuser

  Exit the shell on the desktop1.example.com system.

      [brian@desktop1 ~]$ exit
      [root@desktop1 ~]#

Access the SMB multiuser mount /mnt/multiuser as the existing user rob on desktop1.example.com. Automatically authenticate to Samba as the corresponding Samba user rob that exists on server1.example.com with the same name and has read permission on the SMB share.

  Switch to user rob on the terminal.

      [root@desktop1 ~]# useradd rob
      [root@desktop1 ~]# su - rob

  Record the Samba credentials for the local user rob with cifscreds on desktop1.example.com.

      [rob@desktop1 ~]$ cifscreds add server1.example.com
      Password: redhat

  Verify that user rob has read but no write permission on the mount point /mnt/multiuser on desktop1.example.com.

      [rob@desktop1 ~]$ echo "Multiuser" >/mnt/multiuser/rob2.txt
      -bash: /mnt/multiuser/rob2.txt: Permission denied
      [rob@desktop1 ~]$ cat /mnt/multiuser/brian2.txt
      Multiuser
      [rob@desktop1 ~]$ exit

Unmount the SMB filesystem.

    [root@desktop1 ~]# umount /mnt/multiuser
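The credentials file in this lab is written with echo and its mode is never restricted; assuming the usual root umask of 022, it is created readable by every local user on desktop1.example.com, and it holds brian's Samba password in clear text. The check below is an added example, not part of the lab: it walks the cifs entries of an fstab file and flags credentials= files that are missing, not owned by the expected user (root unless another owner is given), or accessible to group or others, and also flags a password= given inline in fstab, which is itself world-readable. The fstab and credentials files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the lab: audit the cifs entries of an fstab file.
# Every credentials= file they reference must exist, belong to OWNER (default
# root) and be unreadable by anyone else; a password= given inline is flagged
# because fstab itself is world-readable. The fstab content and credentials
# files below are constructed for the demo.

# audit_cifs_creds FSTAB [OWNER]
# Prints one WARN line per finding; returns 1 if anything was flagged, else 0.
audit_cifs_creds() {
    fstab=$1; owner=${2:-root}
    out=$(
        set -f   # no globbing while splitting fields
        sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$fstab" |
        while read -r src mnt type opts rest; do
            [ "$type" = cifs ] || continue
            case ",$opts," in
                *,password=*) echo "WARN $mnt: password= is inline in fstab" ;;
            esac
            case ",$opts," in
                *,credentials=*) ;;
                *) continue ;;
            esac
            cred=${opts#*credentials=}; cred=${cred%%,*}   # path after credentials=
            if [ ! -f "$cred" ]; then
                echo "WARN $mnt: credentials file $cred is missing"; continue
            fi
            if [ -n "$(find "$cred" ! -user "$owner")" ]; then
                echo "WARN $mnt: $cred is not owned by $owner"
            fi
            if [ -n "$(find "$cred" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \))" ]; then
                echo "WARN $mnt: $cred is accessible to group/others (chmod 600 it)"
            fi
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo: the lab's entry with its credentials file left at mode 644,
# plus an entry that puts the password straight into fstab. The owner is the
# current user so the demo also runs unprivileged.
dir=$(mktemp -d)
printf 'username=brian\npassword=redhat\n' >"$dir/smb-multiuser.txt"
chmod 644 "$dir/smb-multiuser.txt"
cat >"$dir/fstab" <<EOF
server1.example.com:/securenfs /mnt/secureshare nfs defaults,v4.2,sec=krb5p 0 0
//server1.example.com/smbshare /mnt/multiuser cifs credentials=$dir/smb-multiuser.txt,multiuser,sec=ntlmssp 0 0
//server1.example.com/smbshare /mnt/rob cifs username=rob,password=redhat 0 0
EOF
audit_cifs_creds "$dir/fstab" "$(id -un)" || echo "-- two findings before the fix"
chmod 600 "$dir/smb-multiuser.txt"
audit_cifs_creds "$dir/fstab" "$(id -un)" || echo "-- only the inline password remains"
rm -rf "$dir"
```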