安装服务器:yum install krb5-server krb5-libs krb5-auth-dialog
修改 /var/kerberos/krb5kdc/kdc.conf, 改 realm 为自己的域
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
YLH.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
修改/etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = YLH.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
YLH.COM = {
kdc = 192.168.1.173
admin_server = 192.168.1.173
}
[domain_realm]
.ylh.com = YLH.COM
ylh.com = YLH.COM
创建kerberos数据库:/usr/sbin/kdb5_util create -s -r YLH.COM , 保存登陆密码
添加数据库admin: /usr/sbin/kadmin.local -q "addprinc admin/admin"
为admin授权,将文件/var/kerberos/krb5kdc/kadm5.acl的内容编辑为: */admin@YLH.COM
centos环境需要覆盖Java jce文件$JAVA_HOME/jre/lib/security
启动服务器:
service krb5kdc start
service kadmin start
设置开机开启:
chkconfig krb5kdc on
chkconfig kadmin on
安装客户端:yum install krb5-workstation krb5-libs krb5-auth-dialog
配置这些主机上的/etc/krb5.conf,这个文件的内容与KDC中的文件保持一致即可。
登陆:
在服务器登陆:admin.local 。直接登陆
在客户端登陆: kinit admin/admin 然后输入kadmin命令 。 密码登陆
创建princ: addprinc test/192.168.1.170@YLH.COM
注意:此处设置的principal信息是针对每台机器设置的,name自己设置,后面的host就是访问kdc的机器host切记
生成keytab: xst -k keyname.keytab test/192.168.1.170
通过keytab认证: kinit -kt keyname.keytab test/192.168.1.170
查看当前的认证用户: klist
删除认证缓存:kdestroy
安装kerberos: https://my.oschina.net/u/185335/blog/2963061
kafka sever配置kerberos: https://my.oschina.net/u/185335/blog/2963062
kafka client使用kerberos: https://my.oschina.net/u/185335/blog/2963063