Unit 2 Advanced User Administration

  • 格式:doc
  • 大小:69.00 KB
  • 文档页数:13

Upon completion of this unix, you should be able to:·Access centrally-defined network users wit NIS and LDAP·Define Access Control Lists (ACL s)·Setup filesystem quota s·Understand SELinux basicsNetwork Users·Information about users may be centrally stored and managed on a remote server ·Two types of information must always be provided for each user account ·Account information: UID number, default, default shell, home directory, group memberships, and so on.·Authentication: a way to tell that the password provided no login for an account is correct·NSS-Name Service Switch·getent database [record]·PAM=Pluggable(插入式) Authentication ModuleAuthentication Configuration·system-config-authentication·GUI tool to configure authentication·For text-based tool, use authconfig-tui·Load authconfig-gtk RPM·Supported account information services:·(local files), NIS, LDAP, Hesiod, Winbind(NIST----整合NIS Domain中所有账号资料;LADP----地址平台的账号资料库;Hesiod----高阶资料库;Winbind----可以让windows系统获得Linux的用户资料)·Supported authentication mechanisms:·(NSS), Kerberos, LDAP, SmartCard, SMB, WinbindExample: NIS Configuration·Must install ypbind and portmap RPMs·Run system-config-authentication·Enable NIS to provide User information·Specify NIS server and NIS domain name·Keep default authentication (through NSS)·What does this actually do?·Five text-based configuration files are changed----What does this change? The variable NISDOMAIN is set in /etc/sysconfig/network to the NIS domain’s name, and the domainname command is run to set it. The /etc/yp.conf file has a line added to it which specifies which server to use for that NIS domain. The /etc/nsswitch.conf file is modified to specify the NIS should be used as a source of information for password, shadow, group, and other lookups. The USENIS=yes variable is set in /etc/sysconfig/authconfig.Finally, /etc/pam.d/system-auth-ac is modified so that password change requests for NIS accounts will be sent to the rpc.yppasswdd servicerunning on the NIS master server.·The easiest way to set up a client to use an existing NIS server is to install the portmap and ypbind packages, and run system-config-authentication. Enable NIS. 【若将网络上用于验证用户登录的工作交给其它主机(某一主机)完成,该做如下设置:#vim /etc/nsswitch.conf 找到passwd:shadow:group:若其后都只有files,则表明当用户登录时,系统只会去比对本机资料库里的资料;在3个files后都空一格加“nis”即可,这样一来,当系统找不到本机资料库里的资料时,便会去nis服务器上找】Example: LDAP Configuration·Must install nss_ldap and openldap RPMs·Run system-config-authentication·Enable LDAP to provide User Information·Specify server, the search base DN, and TLS·Enable LDAP to provide Authentication·What does this actually do?·Five text-based configuration files are changed----What do these settings change? The /etc/ldap.conf file is modified to specify the location of your LDAP server, your search base DN, and whether or not TLS is enabled. The /etc/openldap/ldap.conf file is modified with the same information so that command-line OpenLDAP toolsand the automounted can use the same server and base DN. The /etc/nsswitch.conf file is modified to specify that LDAP should be used as a source of information for password, shadow, group, and other lookups. The USERLDAPAUTH=yes and/or USELDAP=yes variable are set in /etc/sysconfig/authconfig.Finally, /etc/pam.d/system-auth-ac is modified so that PAM will try accessing the directory service as your account entry to authenticate access.NIS主要记录的用户信息:password; UID; GID…LDAP主要记录的用户信息:password; UID; GID; phone; Address; E-mail…Filesystem Support (ACL)·Linux does not allow users to chown files·ACLs allow users to share without the risks of chmod 777·Implemented as a mount option·mount -o acl /mountpoint (为了让系统启动时就挂载ACL机制,#vim /etc/fstab,在―/‖所在行的“defaults”后添加“,acl‖→:wq→#mount –o remount /即可)·Set on the filesystem at install time·tune2fs -l/dev/sda1 | grep options·Filesystem created post-install will not have ACLs active by default. This feature can be set with tune2fs -o.Example:·#tune2fs -l /dev/sda5 |grep options·#tune2fs /dev/sda5 -o acl·#tune2fs -l /dev/sda5 |grep optionsAccess Control Lists (ACLs)·Grant rwx access to files and directories for multiple users or groups·getfacl file | directory·setfacl -m u:username:rwx file | directory(m:modify)·setfacl -m g:groupname:rw file | directory·setfacl -x u:username file | directory·setfacl -m d:u:username:rw directory----―d‖ in the ACL means the setting will be the default for file creation·Automatic ACL setting·New files inherit default ACL (if set) from directory·The mv command and the–p option in the cp command preserve ACLsACL的使用Acl可以针对单一用户、单一文件或目录来进行r,w,x的权限的设置,对于需要特殊权限的使用状况非常有帮助如何启动ACL?#mount –o remount, acl /home----让/home目录支持ACL#vi /etc/fstab—编辑--/dev/hda5 /home ext3 defaults,acl 1 2----让/home目录一开机就支持ACLACL设置技巧----getfacl,setfaclGetfacl----查看取得某个文件/目录的ACL权限Setfacl----设置某个文件/目录的ACL权限常见用法:一、针对用户----语法:u:[用户账号列表]:[rwx]例如:#setfacl -m u:xiaofan:rw somefilename二、针对群组来设置----语法:g:[群组名]:[rwx]例如:#setfacl -m g:class1:rw somefilename三、设置默认权限----语法:m:[rwx]例如:#setfacl -m m:rwx somefilename得出的结果是用户和mask的相并最严格四、删除用户、群组的权限----语法:X:例如:#setfacl –x u:xiaofan somefilename五、删除文件所有ACL值---语法:B:例如:#setacl –b somefilename此外,常用的参数有:-m→设置一个ACL权限;-x→取消一个ACL权限;-b→全部的ACL权限都取消;-d→设置默认的ACL权限,仅能针对目录使用Configuration the Quota System·Overview·Implemented within the kernel·Enabled on a per-filesystem basis·Individual policies for groups or users·Limit by the number of blocks or inodes·Implement both soft and hard limits·Initialization·Partition mount options: usrquota, grpquota·Initialize database: quotacheck -cugm /filesystemSetting Quotas for users·Implementation·Start or stop quotas: quotaon, quotaoff·Edit quotas directory: edquota username·From a shell:Setquota username size-soft size-hard num-soft num-hard standalone_partition ·Define prototypical users:edquota -p user1 user2----将user1的quota模拟给user2edquota -t----establish a grace period(建立特权时期,即建立ACL权限模拟对象、模板)Reporting Quota Status·Reporting·User inspection: quota·Quota overviews: repquota·Miscellaneous utilities: warnquota附录:一、rhel4中通过quota软件实现磁盘限额功能二、磁盘限额分为:包括容量限制与文件数目的限制而每种限额又包括软限制与硬限制不仅可以对某个用户做限额,也可对组做限额三、设置磁盘限额的一般步骤:1、Quota#quota [-uvsl] [username]#quota [-gvsl] [groupname]此命令仅仅是用来显示当前某个用户(组)的磁盘配额限值。