Kerberos server installation and configuration

Kerberos installation

Install Kerberos from the network:
sudo apt-get install krb5-kdc krb5-admin-server    (installs the KDC and the admin server)
which kinit    (check that the installation succeeded)

I. Kerberos configuration   (the default installation path is /etc/krb5kdc)

1. /etc/krb5.conf (create this file yourself if it does not exist)
[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LOCAL.DOMAIN
# the enctype settings are honoured only in [libdefaults]; in any other
# section libkrb5 silently ignores them
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
forwardable = yes
ccache_type = 4
proxiable = true
renew_lifetime = 1d
# clockskew is the largest clock difference tolerated between hosts (the default
# is 300 seconds); a value this large means expired tickets and stale
# authenticators are still accepted, so fix the clocks (NTP) instead
clockskew = 1000000000
#dns_lookup_kdc = true
#dns_lookup_realm = true

[realms]
LOCAL.DOMAIN = {
    kdc = localhost
    admin_server = localhost
    default_domain = localhost
}

[domain_realm]
.local.domain = LOCAL.DOMAIN
local.domain = LOCAL.DOMAIN

[login]
krb4_convert = true
krb4_get_tickets = false

[kdc]          location of the KDC configuration file
[logging]      log file locations
[libdefaults]  default realm and library defaults
[realms]       Kerberos realms, i.e. the scope administered by each KDC
The following is a minimal configuration:
[libdefaults]
        default_realm = LOCAL.DOMAIN

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        LOCAL.DOMAIN = {
                kdc = kdc.kerberos.local.domain
                admin_server = kerberos.local.domain
        }

[domain_realm]
        .local.domain = LOCAL.DOMAIN
        local.domain = LOCAL.DOMAIN

[login]
        krb4_convert = true
        krb4_get_tickets = false
2. /etc/krb5kdc/kdc.conf (create this file yourself if it does not exist; default installation path /etc/krb5kdc)
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    # the realm name here must match default_realm in krb5.conf and the -r
    # argument given to kdb5_util below
    LOCAL.DOMAIN = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        # single DES, RC4 (arcfour) and 3DES are listed only for legacy clients;
        # single DES is broken and was removed from MIT krb5 in 1.18, so keep the
        # aes256-cts entry and drop the rest once no client depends on them
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
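Before the KDC is started it pays to check that krb5.conf and kdc.conf agree with each other, because the mistakes are silent: enctype keys outside [libdefaults] are ignored, and a realm that exists in one file but not the other only shows up later as a puzzling "Cannot find KDC" or database error. The script below is an added example written for this page, not part of the original post and not MIT Kerberos code. It parses both files with a small parser for the krb5 profile format and reports misplaced enctype keys, an oversized clockskew, a default_realm with no [realms] entry in kdc.conf, and single-DES, 3DES or RC4 enctypes. The two embedded configurations are constructed from this page's files.

```python
import re

# Constructed sample pair modelled on this page's krb5.conf and kdc.conf: the
# enctype keys sit under [logging] and the KDC realm name differs from default_realm.
KRB5_CONF = """\
[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1

[libdefaults]
default_realm = LOCAL.DOMAIN
forwardable = yes
clockskew = 1000000000

[realms]
LOCAL.DOMAIN = {
    kdc = localhost
    admin_server = localhost
}
"""

KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    BOKECC.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal
    }
"""

ENCTYPE_KEYS = {'default_tgs_enctypes', 'default_tkt_enctypes', 'permitted_enctypes'}
DEFAULT_CLOCKSKEW = 300   # seconds, the MIT krb5 default


def parse_profile(text):
    """Parse the krb5 profile format into {section: {key: value}}, with '{ ... }'
    blocks as nested dicts. Comment lines ('#' or ';') are skipped; 'include'
    directives and trailing '*' final-value markers are out of scope."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        section = re.fullmatch(r'\[(\w+)\]', line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if line == '}':
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def enctype_strength(token):
    """Classify an enctype token such as 'des-cbc-crc:normal' or 'aes256-cts'."""
    name = token.split(':', 1)[0].lower()
    if name == 'des' or name.startswith('des-'):
        return 'weak'          # single DES: broken, removed from MIT krb5 in 1.18
    if name.startswith(('des3', 'arcfour', 'rc4')):
        return 'deprecated'    # 3DES and RC4-HMAC: deprecated in current MIT releases
    return 'ok'


def lint(krb5_text, kdc_text):
    """Return a list of findings; an empty list means the files agree and use only current enctypes."""
    krb5, kdc = parse_profile(krb5_text), parse_profile(kdc_text)
    findings = []
    for section, body in krb5.items():
        if section != 'libdefaults':
            for key in sorted(ENCTYPE_KEYS & set(body)):
                findings.append(f"krb5.conf: '{key}' under [{section}] is ignored; it belongs in [libdefaults]")
    libdefaults = krb5.get('libdefaults', {})
    skew = libdefaults.get('clockskew', '')
    if skew.isdigit() and int(skew) > DEFAULT_CLOCKSKEW:
        findings.append(f"krb5.conf: clockskew = {skew} exceeds the {DEFAULT_CLOCKSKEW}s default; "
                        "expired tickets and stale authenticators would be accepted")
    default_realm = libdefaults.get('default_realm')
    kdc_realms = kdc.get('realms', {})
    if default_realm and default_realm not in kdc_realms:
        findings.append(f"kdc.conf: no [realms] entry for default_realm {default_realm}; found {sorted(kdc_realms)}")
    for realm, body in kdc_realms.items():
        master = body.get('master_key_type', '')
        if master and enctype_strength(master) != 'ok':
            findings.append(f"kdc.conf: {realm} master_key_type {master} is {enctype_strength(master)}")
        for token in body.get('supported_enctypes', '').split():
            grade = enctype_strength(token)
            if grade != 'ok':
                findings.append(f"kdc.conf: {realm} supported_enctypes includes {token} ({grade})")
    return findings


if __name__ == '__main__':
    for finding in lint(KRB5_CONF, KDC_CONF):
        print(finding)
```

Run as-is it prints nine findings for the sample pair; point `lint()` at the contents of a real /etc/krb5.conf and /etc/krb5kdc/kdc.conf to check a live KDC, and expect an empty list once the realm names agree and only AES enctypes remain.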
3. /etc/krb5kdc/kadm5.acl (create this file yourself if it does not exist)
*/admin@LOCAL.DOMAIN	*
*/*@LOCAL.DOMAIN	c
*@LOCAL.DOMAIN  	c
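To see exactly what the three lines above hand out, here is an added evaluator of kadm5.acl rules, written for this page and not MIT's implementation. It applies the documented matching rules: a `*` matches one whole name component (or the whole realm), the number of components must agree, and the first matching rule decides. That is why `*/*@LOCAL.DOMAIN` does not cover the one-component `linlin@LOCAL.DOMAIN` and a third line is needed. The SCOPED_ACL variant and the principals it is run against are constructed; back-reference targets (`*1`, `*2`) are not modelled.

```python
import re

# kadm5.acl semantics as documented for MIT kadmind: one rule per line,
#     principal-pattern   permissions   [target-pattern]
# '*' matches one whole name component (or the whole realm), the component
# count must agree, and the first rule that matches the caller decides.
# A lowercase letter grants, an uppercase letter revokes, and 'x' or '*'
# expands to every letter in ALL ('e', key extraction, must be granted explicitly).
PERMS = {'a': 'add', 'd': 'delete', 'm': 'modify', 'c': 'changepw', 'i': 'inquire',
         'l': 'list', 's': 'setkey', 'p': 'propagate', 'e': 'extract'}
ALL = 'admcilsp'

# The ACL from this page (tab-separated, as in the file).
PAGE_ACL = "*/admin@LOCAL.DOMAIN\t*\n*/*@LOCAL.DOMAIN\tc\n*@LOCAL.DOMAIN\tc\n"

# Constructed variant with a target column: liyq/admin may change the password of
# and inquire about */user principals only; every */admin may inquire and list.
SCOPED_ACL = """\
liyq/admin@LOCAL.DOMAIN   ci   */user@LOCAL.DOMAIN
*/admin@LOCAL.DOMAIN      il
"""


def split_principal(name):
    """'name/instance@REALM' -> (['name', 'instance'], 'REALM').
    Backslash escapes are not handled; none of this page's principals use them."""
    if '@' not in name:
        raise ValueError(f'principal without realm: {name!r}')
    local, realm = name.rsplit('@', 1)
    return local.split('/'), realm


def match_principal(pattern, name):
    """Component-wise match: '*/*@R' has two components and so never matches 'alice@R'."""
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(name)
    if len(p_comps) != len(n_comps) or p_realm not in ('*', n_realm):
        return False
    return all(p in ('*', n) for p, n in zip(p_comps, n_comps))


def parse_perms(spec):
    """Expand a permission string such as '*', 'ci' or 'xC' into permission names."""
    granted = set()
    for ch in spec:
        if ch in 'x*':
            granted.update(ALL)
        elif ch in PERMS:
            granted.add(ch)
        elif ch.lower() in PERMS:      # uppercase revokes
            granted.discard(ch.lower())
        else:
            raise ValueError(f'unknown permission letter {ch!r}')
    return frozenset(PERMS[c] for c in granted)


def permissions_for(acl_text, who, target=None):
    """Permissions the first matching rule grants `who`. A rule with a target
    pattern applies only when `target` matches it; otherwise the search goes on."""
    for raw in acl_text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f'malformed rule: {raw!r}')
        pattern, perms = fields[0], fields[1]
        tgt = fields[2] if len(fields) > 2 else None
        if not match_principal(pattern, who):
            continue
        if tgt is not None:
            if re.search(r'\*\d', tgt):
                raise ValueError(f'back-reference targets are not modelled: {tgt}')
            if target is None or not match_principal(tgt, target):
                continue
        return parse_perms(perms)
    return frozenset()


def unscoped_changepw_rules(acl_text):
    """Patterns that receive 'changepw' with no target column, i.e. over every principal."""
    hits = []
    for raw in acl_text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) == 2 and 'changepw' in parse_perms(fields[1]):
            hits.append(fields[0])
    return hits


if __name__ == '__main__':
    for who in ('liyq/admin@LOCAL.DOMAIN', 'liyq/user@LOCAL.DOMAIN', 'linlin@LOCAL.DOMAIN'):
        print(who, sorted(permissions_for(PAGE_ACL, who)))
    print('unscoped changepw:', unscoped_changepw_rules(PAGE_ACL))
```

Run against this page's ACL, every principal in the realm ends up with the c permission and no target column, so any principal with an instance (liyq/user, a host/... or hdfs/... service principal) can reset any other principal's password, including the */admin ones. A changepw rule only needs to be this broad if that is really intended; the SCOPED_ACL form shows how the third column narrows it to a named target pattern, and `unscoped_changepw_rules()` lists the rules to look at.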

4. Create the Kerberos database
$ /usr/sbin/kdb5_util create -r LOCAL.DOMAIN -s
or
$ krb5_newrealm

The command above prints the following and asks for the database master password (for example 123.com):

This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCAL.DOMAIN',
master key name 'K/M@LOCAL.DOMAIN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.

After the steps above finish, the kadmind and krb5kdc processes are started automatically:

/usr/sbin/kadmind -P /var/run/kadmind.pid

/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

A principal is made up of three parts: the name, the instance, and the REALM. A standard Kerberos user principal therefore looks like name/instance@REALM.

5. Log in to Kerberos

$ /usr/sbin/kadmin.local
     list the principals
kadmin.local: listprincs
     principals created by default

K/M@LOCAL.DOMAIN
kadmin/admin@LOCAL.DOMAIN
kadmin/hostname@LOCAL.DOMAIN
kadmin/changepw@LOCAL.DOMAIN
krbtgt/LOCAL.DOMAIN@LOCAL.DOMAIN
     add a principal
kadmin.local: addprinc kadmin/admin@LOCAL.DOMAIN
     delete a principal
kadmin.local: delprinc kadmin/admin@LOCAL.DOMAIN
     create the keytab file: write the keys of the two principals kadmin/admin and kadmin/changepw into a keytab in the krb5kdc directory
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Note: the keytab path must match the admin_keytab setting in kdc.conf


Add a user principal (you are prompted for its password):
addprinc liyq/user@LOCAL.DOMAIN

Add a server, i.e. a host principal with a random key (ank is an alias of addprinc):

ank -randkey host/hostname@LOCAL.DOMAIN

Generate krb5.keytab:

ktadd -k /tmp/hostname.keytab host/hostname@LOCAL.DOMAIN

Copy /tmp/hostname.keytab to /etc/ on the server you want to log in to and rename it krb5.keytab.

On that server, create /root/.k5login and add the user principal to it:

liyq/user@LOCAL.DOMAIN

On the jump host, switch to the corresponding user and run ssh -vv root@hostname to try logging in.
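The file moved to /etc/krb5.keytab in the steps above contains the host principal's long-term key, which is why it must end up root-owned with mode 0600 on the target server: anyone who can read it holds the host's credentials. The following script is an added example written for this page (not from the original post and not MIT's klist): it parses the 0x0502 keytab format that ktadd writes, lists the entries the way `klist -k -e` does without exposing key bytes, flags entries keyed with DES, 3DES or RC4, and checks a file mode. The keytab it reads is constructed in code, with dummy key bytes, for the host/hostname and hdfs/LL-167 principals from this page.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# MIT keytab layout, version 0x0502, all integers big-endian:
#   file  : bytes 0x05 0x02, then entries back to back
#   entry : int32 length (negative = free slot of |length| bytes), then
#           uint16 component count (realm not counted), counted string realm,
#           one counted string per component, uint32 name type, uint32 timestamp,
#           uint8 kvno, uint16 enctype, counted string key and, if bytes remain,
#           a uint32 kvno that replaces the 8-bit one when nonzero
#   counted string: uint16 length followed by that many bytes
ENCTYPE_NAMES = {1: 'des-cbc-crc', 3: 'des-cbc-md5', 16: 'des3-cbc-sha1', 23: 'arcfour-hmac',
                 17: 'aes128-cts-hmac-sha1-96', 18: 'aes256-cts-hmac-sha1-96'}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # single DES, 3DES and RC4
NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key_len: int   # the key itself is the secret, so only its length is kept


def _split(principal: str) -> Tuple[List[str], str]:
    local, realm = principal.rsplit('@', 1)
    return local.split('/'), realm

def _cstr(b: bytes) -> bytes:
    return struct.pack('>H', len(b)) + b

def _read_cstr(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from('>H', data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries, timestamp=1_600_000_000) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab.
    Used here only to construct sample data; real keytabs come from ktadd."""
    out = bytearray(b'\x05\x02')
    for principal, kvno, enctype, key in entries:
        comps, realm = _split(principal)
        body = struct.pack('>H', len(comps)) + _cstr(realm.encode())
        body += b''.join(_cstr(c.encode()) for c in comps)
        body += struct.pack('>IIBH', NT_PRINCIPAL, timestamp, kvno & 0xFF, enctype)
        body += _cstr(key) + struct.pack('>I', kvno)   # 32-bit kvno trailer
        out += struct.pack('>i', len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a keytab the way 'klist -k -e' lists it, skipping free slots."""
    if data[:2] != b'\x05\x02':
        raise ValueError('not a version 0x0502 keytab')
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size < 0:                      # hole left behind by a removed entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from('>H', data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp.decode())
        _name_type, ts, kvno8, enctype = struct.unpack_from('>IIBH', data, pos)
        key, pos = _read_cstr(data, pos + 11)
        kvno = kvno8
        if end - pos >= 4:
            (kvno32,) = struct.unpack_from('>I', data, pos)
            kvno = kvno32 or kvno8
        pos = end
        entries.append(KeytabEntry('/'.join(comps) + '@' + realm.decode(), kvno, enctype, ts, len(key)))
    return entries

def sample_keytab() -> bytes:
    """Constructed /etc/krb5.keytab: the host principal from this page with two keys,
    a freed slot, then the hdfs principal from step 8. Key bytes are dummies."""
    host = 'host/hostname@LOCAL.DOMAIN'
    data = build_keytab([(host, 2, 18, bytes(range(32))), (host, 2, 17, bytes(range(16)))])
    data += struct.pack('>i', -8) + bytes(8)
    return data + build_keytab([('hdfs/LL-167@LOCAL.DOMAIN', 300, 23, bytes(range(16)))])[2:]

def describe(entries: List[KeytabEntry]) -> List[str]:
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})" for e in entries]

def weak_entries(entries: List[KeytabEntry]) -> List[KeytabEntry]:
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]

def mode_is_safe(mode: int) -> bool:
    """A keytab holds long-term keys: nobody but the owner may read or write it."""
    return mode & 0o077 == 0

if __name__ == '__main__':
    found = parse_keytab(sample_keytab())
    print('\n'.join(describe(found)))
    for e in weak_entries(found):
        print('weak enctype on', e.principal)
```

To check a real file, pass `open('/etc/krb5.keytab', 'rb').read()` to `parse_keytab()` and `os.stat('/etc/krb5.keytab').st_mode & 0o777` to `mode_is_safe()`; the sample's hdfs entry also shows the 32-bit kvno trailer taking over once the version number no longer fits in one byte.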

6. Restart the krb5kdc and kadmind processes

/usr/sbin/kadmind 
/usr/sbin/krb5kdc 

7. Run Kerberos

 
$ sudo /usr/sbin/krb5kdc
$ sudo /usr/sbin/kadmind

8. On the KDC server, test requesting a ticket

$ /usr/sbin/kadmin.local
kadmin.local: addprinc linlin@LOCAL.DOMAIN
You are prompted to set a password; then quit.
$ su linlin
$ kinit linlin@LOCAL.DOMAIN
$ klist
$ /usr/sbin/kadmin.local
kadmin.local: addprinc -randkey hdfs/LL-167@LOCAL.DOMAIN
kadmin.local: ktadd -norandkey -k hdfs.keytab hdfs/LL-167
Check the tickets you obtained with klist.

