kerberos安装测试
博客地址:http://www.fanlegefan.com
文章地址:http://www.fanlegefan.com/archives/kerberosinstall/
服务器列表
| 主机名 | ip | role |
|---|---|---|
| work | 192.168.1.115 | master KDC |
| zuoyeji | 192.168.1.116 | kerberos_client |
在work节点上安装KDC服务器搭建以及配置
yum install krb5-server.x86_64 krb5-libs.x86_64 krb5-workstation.x86_64 krb5
安装完后生成两个文件
/etc/krb5.conf ——>realm
/var/kerberos/krb5kdc/kdc.conf ——>domain.to.realm mappings
配置kdc.conf
[root@work etc]# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
XIAOMI.PRESTO = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
database_name = /var/kerberos/principal
max_renewable_life = 7d
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
- XIAOMI.PRESTO这个是realms,名字可以随便写
- acl_file配置了admin用户的权限,以后会讲到怎么配
配置krb5.conf
[root@work ~]$ vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XIAOMI.PRESTO
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
XIAOMI.PRESTO = {
kdc = xiaobin
admin_server = xiaobin
}
[domain_realm]
.xiaomi.presto = XIAOMI.PRESTO
xiaomi.presto = XIAOMI.PRESTO
初始化Kerberos Databases
[root@work ~]$ kdb5_util create -s -r XIAOMI.PRESTO
Loading random data
Initializing database '/var/kerberos/principal' for realm 'XIAOMI.PRESTO',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
- [-s] 表示生成 stash file ,并在其中存储master server key(krb5kdc)
- [-r] 来指定一个realm name , 当krb5.conf中定义了多个realm时使用
- 当 Kerberos database创建好之后,在 /var/kerberos/ 中可以看到生成的 principal相关文件
[root@work ~]$ ll /var/kerberos/
总用量 28
drwxr-xr-x. 2 root root 4096 7月 21 04:00 krb5kdc
-rw-------. 1 root root 16384 7月 29 23:46 principal
-rw-------. 1 root root 8192 7月 21 03:59 principal.kadm5
-rw-------. 1 root root 0 7月 21 04:00 principal.kadm5.lock
-rw-------. 1 root root 0 7月 29 23:46 principal.ok
添加 database administrator
我们需要为Kerberos database添加administrative principals (即能够管理database的principals)
—— 至少要添加1个principal来使得Kerberos的管理进程“kadmind”能够在网络上与程序kadmin进
行通讯。
[root@work ~]$ kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/[email protected] with password.
WARNING: no policy specified for admin/[email protected]; defaulting to no policy
Enter password for principal "admin/[email protected]":
Re-enter password for principal "admin/[email protected]":
Principal "admin/[email protected]" created.
- 此处设置密码为admin
配置kadm5.acl
在KDC上我们需要编辑acl文件来设置权限,该acl文件的默认路径是
/var/kerberos/krb5kdc/kadm5.acl(也可以在文件kdc.conf中修改)。Kerberos的kadmind
daemon会使用该文件来管理对Kerberos database的访问权限。对于那些可能会对pincipal产生影
响的操作,acl文件也能控制哪些principal能操作哪些其他pricipals。
[root@work]# cat /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *
acl_file:标注了admin的用户权限,需要用户自己创建。文件格式是
Kerberos_principal permissions [target_principal] [restrictions]
支持通配符等。最简单的写法是
/[email protected] *
代表名称匹配/[email protected] 都认为是admin,权限是 *。代表全部权限。
测试启动 Kerberos daemons
krb5kdc启动
service krb5kdc start
正在启动 Kerberos 5 KDC: [确定]
kadmin启动
service kadmin start
正在启动 Kerberos 5 Admin Server: [确定]
注意:启动krb5kdc和kadmin的时候如果报错,尝试使用service krb5kdc start 这种方式
设置开机启动
chkconfig krb5kdc on
chkconfig kadmin on
查看进程
[root@work]# netstat -anpl|grep kadmin
tcp 0 0 0.0.0.0:749 0.0.0.0:* LISTEN 1111/kadmind
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 1111/kadmind
tcp 0 0 :::749 :::* LISTEN 1111/kadmind
tcp 0 0 :::464 :::* LISTEN 1111/kadmind
udp 0 0 0.0.0.0:464 0.0.0.0:* 1111/kadmind
udp 0 0 fe80::a00:27ff:fe4b:4faa:464 :::* 1111/kadmind
[root@work]# netstat -anpl|grep kdc
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 1102/krb5kdc
tcp 0 0 :::88 :::* LISTEN 1102/krb5kdc
udp 0 0 0.0.0.0:88 0.0.0.0:* 1102/krb5kdc
udp 0 0 fe80::a00:27ff:fe4b:4faa:88 :::* 1102/krb5kdc
查看日志
[root@work]# tail -10f /var/log/krb5kdc.log
在zuoyeji节点上配置Kerberos_client,并将master上的krb5.conf 覆盖client本地的/etc/krb5.conf文件
[root@zuoyeji ~]# yum install krb5-libs.x86_64 krb5-workstation.x86_64 krb5
[root@zuoyeji ~]# scp root@work:/etc/krb5.conf /etc/krb5.conf
kerberos常用操作
登录
- 在master节点上登录(KDC节点),无需密码
[root@work]# kadmin.local
Authenticating as principal admin/[email protected] with password.
kadmin.local:
- 在client节点上登录,需要密码
[root@zuoyeji]# kinit admin/admin
Password for admin/[email protected]:
[root@zuoyeji]# kadmin
Authenticating as principal admin/[email protected] with password.
Password for admin/[email protected]:
kadmin: q
[root@zuoyeji]#
注意
- 如果出现报错 kinit: Cannot contact any KDC for realm ‘ATHENA.MIT.EDU’ while getting initial credentials
- 可能因为KDC机器上的火墙
- 可能是hosts文件中没有解析
- 可能是路由配置
- 可能是局域网内ip冲突
对用户增删改查
在管理员的状态下使用 addprinc , delprinc , modprinc , listprincs 命令。使用?可以列出所有的命令。
- 增加用户usertest
kadmin: addprinc usertest
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
- 查看用户
kadmin: list_principals
K/[email protected]
admin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
presto/[email protected]
[email protected]
qun/[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
- 删除用户
kadmin: delprinc usertest
Are you sure you want to delete the principal "[email protected]"? (yes/no): yes
Principal "[email protected]" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
不使用交互窗口进行操作
- 查询用户,需要输入密码
[root@zuoyeji]# kadmin -p admin/admin -q "list_principals"
Authenticating as principal admin/admin with password.
Password for admin/[email protected]:
K/[email protected]
admin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
presto/[email protected]
[email protected]
qun/[email protected]
[email protected]
[email protected]
[email protected]
生成keytab
可以理解为密钥cache。Keytab一般给service使用,这样service在认证自己或者给客户端认证的
时候,不用输入密钥。该文件是加密的,存储在服务器的本地磁盘上。Keytab文件的默认路径
是/etc/krb5.keytab。
kadmin: ktadd [email protected]
Entry for principal [email protected] with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal [email protected] with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal [email protected] with kvno 4, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal [email protected] with kvno 4, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal [email protected] with kvno 4, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal [email protected] with kvno 4, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
- 生成keytab路径:/etc/krb5.keytab
[root@zuoyeji ~]$ ll /etc/krb5.keytab
-rw------- 1 root root 346 7月 30 20:02 /etc/krb5.keytab
查看使用keytab登录
[root@zuoyeji]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 [email protected]
4 [email protected]
4 [email protected]
4 [email protected]
4 [email protected]
4 [email protected]
[root@zuoyeji]# kinit -k -t /etc/krb5.keytab [email protected]
[root@zuoyeji]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
07/30/17 20:09:12 07/31/17 20:09:12 krbtgt/[email protected]
renew until 07/30/17 20:09:12
注意:
- 防火墙和selinux必须要关闭
- kdc和client的时钟要同步
相关链接
- http://www.cnblogs.com/xiaodf/p/5968178.html
- http://blog.csdn.net/wulantian/article/details/42173023
- http://joshuasabrina.iteye.com/blog/1895281