Kerberos server installation and configuration

Installing Kerberos

Install Kerberos from the package repository (network access required):
sudo apt-get install krb5-kdc krb5-admin-server    # install the KDC and the admin server
which kinit    # check that the install succeeded

I. Kerberos configuration   (default installation path: /etc/krb5kdc)

1. /etc/krb5.conf (create this file if it does not exist)
[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LOCAL.DOMAIN
# The enctype settings belong here, not under [logging], where they would be ignored.
# des3-hmac-sha1 is kept as on the original page; it is deprecated in current MIT Kerberos,
# and the aes256-cts-hmac-sha1-96 family is the usual choice today.
default_tgs_enctypes = des3-hmac-sha1
default_tkt_enctypes = des3-hmac-sha1
permitted_enctypes = des3-hmac-sha1
forwardable = yes
ccache_type = 4
proxiable = true
renew_lifetime = 1d
# clockskew is in seconds; this value (about 31 years) effectively disables the clock-skew
# check that limits ticket replay. The library default is 300.
clockskew = 1000000000
#dns_lookup_kdc = true
#dns_lookup_realm = true

[realms]
LOCAL.DOMAIN = {
    kdc = localhost
    admin_server = localhost
    default_domain = localhost
}
[domain_realm]
.local.domain = LOCAL.DOMAIN
local.domain = LOCAL.DOMAIN

[login]
krb4_convert = true
krb4_get_tickets = false
[kdc]: location of the KDC's own configuration file (kdc.conf)
[logging]: log file locations
[libdefaults]: default realm and other library defaults
[realms]: Kerberos realms, i.e. the scope each KDC administers, with the KDC and admin server for each realm
The following is a minimal configuration:
[libdefaults]
        default_realm = LOCAL.DOMAIN

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        LOCAL.DOMAIN = {
                kdc = kdc.kerberos.local.domain
                admin_server = kerberos.local.domain
        }

[domain_realm]
        .local.domain = LOCAL.DOMAIN
        local.domain = LOCAL.DOMAIN
[login]
        krb4_convert = true
        krb4_get_tickets = false
2. /etc/krb5kdc/kdc.conf (create this file if it does not exist; default installation path /etc/krb5kdc)
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    # The realm name must match default_realm in krb5.conf and the -r argument to kdb5_util;
    # the original page had a different realm name here, so these settings would not have
    # applied to LOCAL.DOMAIN.
    LOCAL.DOMAIN = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        # Kept as on the original page. Single DES was removed from MIT Kerberos in 1.18 and
        # arcfour-hmac is deprecated; a current KDC should list only AES types here.
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
3. /etc/krb5kdc/kadm5.acl (create this file if it does not exist)
*/admin@LOCAL.DOMAIN    *
*/*@LOCAL.DOMAIN        c
*@LOCAL.DOMAIN          c
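As an added example (not part of the original post), the following POSIX shell script evaluates a kadm5.acl the way kadmind does, so you can check which principals get which admin rights before deploying the file. The ACL content is the post's three lines; the function names (split_principal, component_match, acl_allows) and the matching rules the script assumes (a pattern must have the same number of components as the principal, `*` in a component matches any string, the first matching line decides, `*` or `x` in the permission field grants everything) are this example's, following MIT Kerberos' kadm5.acl semantics.

```shell
#!/bin/sh
# Added example, not code from the original post: evaluate a kadm5.acl the way
# kadmind does, so an operator can verify who gets which admin right before
# deploying the file. Assumed semantics (MIT Kerberos): lines are
# "principal_pattern permissions", a pattern must have the same number of
# components as the principal, "*" in a component matches anything, and the
# first matching line decides; "*" or "x" in the permissions grants everything.

# Constructed sample ACL with the three entries from the post.
ACL_FILE=$(mktemp)
trap 'rm -f "$ACL_FILE"' EXIT
printf '%s\n' \
    '*/admin@LOCAL.DOMAIN   *' \
    '*/*@LOCAL.DOMAIN       c' \
    '*@LOCAL.DOMAIN         c' > "$ACL_FILE"

# split_principal name[/instance]@REALM -> sets P_NAME, P_INST, P_REALM, P_NCOMP
split_principal() {
    P_REALM=${1##*@}
    _left=${1%@*}
    case $_left in
        */*) P_NAME=${_left%%/*}; P_INST=${_left#*/}; P_NCOMP=2 ;;
        *)   P_NAME=$_left;       P_INST="";          P_NCOMP=1 ;;
    esac
}

# component_match VALUE PATTERN: shell pattern match, so "*" matches any string.
component_match() {
    case $1 in
        $2) return 0 ;;
    esac
    return 1
}

# acl_allows PRINCIPAL PERM [ACL_FILE]: exit 0 if the first ACL line matching
# PRINCIPAL grants the single-letter permission PERM (a=add, d=delete,
# m=modify, c=changepw, i=inquire, l=list), exit 1 otherwise.
acl_allows() {
    _princ=$1; _perm=$2; _file=${3:-$ACL_FILE}
    split_principal "$_princ"
    _pn=$P_NAME; _pi=$P_INST; _pr=$P_REALM; _pc=$P_NCOMP
    while read -r _pat _perms _rest; do
        case $_pat in ''|'#'*) continue ;; esac      # blank lines and comments
        split_principal "$_pat"
        [ "$P_NCOMP" -eq "$_pc" ] || continue         # component count must agree
        component_match "$_pr" "$P_REALM" || continue
        component_match "$_pn" "$P_NAME"  || continue
        if [ "$_pc" -eq 2 ]; then
            component_match "$_pi" "$P_INST" || continue
        fi
        case $_perms in                               # first matching line decides
            *'*'*|*x*|*"$_perm"*) return 0 ;;
            *)                    return 1 ;;
        esac
    done < "$_file"
    return 1                                          # no line matched: denied
}

# Demo: admin instances get everything, everyone else only changepw.
for _p in 'root/admin@LOCAL.DOMAIN' 'host/web1@LOCAL.DOMAIN' \
          'alice@LOCAL.DOMAIN' 'alice@OTHER.REALM'; do
    for _want in a c; do
        if acl_allows "$_p" "$_want"; then
            echo "$_p: $_want allowed"
        else
            echo "$_p: $_want denied"
        fi
    done
done
```

The demo output shows the least-privilege split the post's ACL encodes: only principals with the admin instance can add or delete principals, while host and plain user principals get nothing beyond changing their own password (c). Principals from another realm match no line and are denied outright.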

4. Create the Kerberos database
$ /usr/sbin/kdb5_util create -r LOCAL.DOMAIN -s
or
$ krb5_newrealm

Either command prints the following and asks you to choose the database master password (e.g. 123.com):

This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCAL.DOMAIN',
master key name 'K/M@LOCAL.DOMAIN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.

After this finishes, the kadmind and krb5kdc processes are started automatically:

/usr/sbin/kadmind -P /var/run/kadmind.pid

/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

A principal consists of three parts: the name, the instance, and the REALM. A standard Kerberos user principal therefore looks like name/instance@REALM.

5. Log in to Kerberos

$ /usr/sbin/kadmin.local
    List principals (this shows the ones created by default):
kadmin.local: listprincs
    Add a principal:
kadmin.local: addprinc kadmin/admin@LOCAL.DOMAIN
    Delete a principal:
kadmin.local: delprinc kadmin/admin@LOCAL.DOMAIN
    Create the keytab: write entries for the kadmin/admin and kadmin/changepw principals into the keytab in the krb5kdc directory:
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Note: the keytab path must match the admin_keytab setting in kdc.conf.
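The note above is easy to get wrong by hand, so here is an added example (not from the original post) that reads krb5.conf and kdc.conf and confirms that the default realm has a [realms] block in kdc.conf and that the block's admin_keytab is the path you are about to pass to ktadd -k. The conf_value and check_kdc_consistency functions and the sample files are constructed for this example; the parser handles only the `key = value` and `REALM = { ... }` forms used on this page, not includes or nested subsections.

```shell
#!/bin/sh
# Added example, not code from the original post: check that krb5.conf,
# kdc.conf and the keytab path given to ktadd agree with each other.
# Function names and the sample files are constructed for this example.

# conf_value FILE SECTION KEY [REALM]: print KEY's value from SECTION; with
# REALM, look only inside the "REALM = { ... }" block of that section.
conf_value() {
    awk -v want_sec="$2" -v key="$3" -v realm="$4" '
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*/, "", sec)
            inblk = (realm == "")          # without a realm, the whole section counts
            next
        }
        sec != want_sec { next }
        realm != "" && $1 == realm && $2 == "=" && $3 == "{" { inblk = 1; next }
        realm != "" && $1 == "}"                             { inblk = 0; next }
        inblk && $1 == key && $2 == "="                      { print $3; exit }
    ' "$1"
}

# check_kdc_consistency KRB5_CONF KDC_CONF KEYTAB_PATH: exit 0 if the default
# realm has a kdc.conf block whose admin_keytab is KEYTAB_PATH.
check_kdc_consistency() {
    _realm=$(conf_value "$1" libdefaults default_realm)
    [ -n "$_realm" ] || { echo "$1: no default_realm in [libdefaults]"; return 1; }
    _kt=$(conf_value "$2" realms admin_keytab "$_realm")
    [ -n "$_kt" ] || { echo "$2: no [realms] block for $_realm with admin_keytab"; return 1; }
    _kt=${_kt#FILE:}                       # kdc.conf writes it as FILE:/path
    [ "$_kt" = "$3" ] || { echo "admin_keytab is $_kt but ktadd would write $3"; return 1; }
    echo "ok: realm $_realm, admin keytab $_kt"
}

# Constructed samples mirroring the post's configs (realm LOCAL.DOMAIN).
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = LOCAL.DOMAIN
[realms]
        LOCAL.DOMAIN = {
                kdc = kdc.kerberos.local.domain
        }
EOF
cat > "$TMPD/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    LOCAL.DOMAIN = {
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
    }
EOF
# The same kdc.conf with a realm name copied from another host: a common mismatch.
sed 's/LOCAL.DOMAIN/OTHER.REALM/' "$TMPD/kdc.conf" > "$TMPD/kdc-mismatch.conf"

check_kdc_consistency "$TMPD/krb5.conf" "$TMPD/kdc.conf" /etc/krb5kdc/kadm5.keytab
check_kdc_consistency "$TMPD/krb5.conf" "$TMPD/kdc.conf" /tmp/kadm5.keytab || echo "(expected failure)"
check_kdc_consistency "$TMPD/krb5.conf" "$TMPD/kdc-mismatch.conf" /etc/krb5kdc/kadm5.keytab || echo "(expected failure)"
```

Run it against the real files (`check_kdc_consistency /etc/krb5.conf /etc/krb5kdc/kdc.conf /etc/krb5kdc/kadm5.keytab`) before the ktadd step; a keytab written to a path kadmind does not read from fails silently until the first remote kadmin connection.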


Add a user (you are prompted for its password):
addprinc liyq/[email protected]

Add a host principal (ank is kadmin's short form of addprinc):

ank -randkey host/hostname@LOCAL.DOMAIN


Generate krb5.keytab for that host:

ktadd -k /tmp/hostname.keytab host/hostname@LOCAL.DOMAIN

Copy /tmp/hostname.keytab to /etc/ on the server you want to log in to and rename it krb5.keytab.

On that server, add the user principal to /root/.k5login:

liyq/[email protected]

On the jump host, switch to the matching user and run ssh -vv root@hostname to test the login.
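Before testing the login, it is worth checking the .k5login file itself. As an added example (not from the original post), the POSIX shell function below validates a .k5login: every non-blank line must be a principal of the form name[/instance]@REALM in the expected realm, as the post describes principals, and the file must not be group- or world-writable, an operator check chosen here because anyone who can edit /root/.k5login can grant themselves root. The function name check_k5login, the sample files and the names in them are constructed for this example; the realm is LOCAL.DOMAIN as in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: validate a .k5login before
# relying on it for Kerberos SSH logins. Names and sample files are constructed.

# check_k5login FILE REALM: print each problem found, exit 0 only if none.
check_k5login() {
    _f=$1; _realm=$2; _rc=0
    [ -f "$_f" ] || { echo "$_f: missing"; return 1; }
    _mode=$(ls -ld "$_f" | cut -c1-10)           # e.g. -rw-r--r--
    case $_mode in
        ?????w????|????????w?)                    # group or other write bit set
            echo "$_f: group- or world-writable ($_mode)"; _rc=1 ;;
    esac
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        [ -n "$_line" ] || continue                # blank line
        case $_line in
            *[[:space:]]*|*@*@*|@*|*@)
                echo "$_f:$_n: malformed principal '$_line'"; _rc=1; continue ;;
            *@*) ;;
            *)  echo "$_f:$_n: no realm in '$_line'"; _rc=1; continue ;;
        esac
        _r=${_line##*@}; _left=${_line%@*}
        [ "$_r" = "$_realm" ] || { echo "$_f:$_n: realm '$_r' is not $_realm"; _rc=1; }
        case $_left in                            # at most name/instance, both non-empty
            */*/*|/*|*/) echo "$_f:$_n: bad name/instance '$_left'"; _rc=1 ;;
        esac
    done < "$_f"
    return $_rc
}

# Constructed samples: a correct file and one with the usual mistakes.
GOOD_K5LOGIN=$(mktemp); BAD_K5LOGIN=$(mktemp)
trap 'rm -f "$GOOD_K5LOGIN" "$BAD_K5LOGIN"' EXIT
printf '%s\n' 'alice/root@LOCAL.DOMAIN' 'bob@LOCAL.DOMAIN' > "$GOOD_K5LOGIN"
chmod 600 "$GOOD_K5LOGIN"
printf '%s\n' 'alice/root@LOCAL.DOMAIN' 'carol@OTHER.REALM' 'dave' \
              'eve/x/y@LOCAL.DOMAIN' > "$BAD_K5LOGIN"
chmod 664 "$BAD_K5LOGIN"

check_k5login "$GOOD_K5LOGIN" LOCAL.DOMAIN && echo "$GOOD_K5LOGIN: ok"
check_k5login "$BAD_K5LOGIN" LOCAL.DOMAIN || echo "$BAD_K5LOGIN: rejected"
```

Run `check_k5login /root/.k5login LOCAL.DOMAIN` on the target server; a realm typo or a stray space in a line is the usual reason the ssh -vv test in the post fails with a GSSAPI "user is not authorized" message even though the keytab is in place.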

6. Restart the krb5kdc and kadmind processes

/usr/sbin/kadmind 
/usr/sbin/krb5kdc 

7. Run Kerberos

$ sudo /usr/sbin/krb5kdc
$ sudo /usr/sbin/kadmind

8. Test ticket requests on the KDC server

$ /usr/sbin/kadmin.local
kadmin.local: addprinc linlin@LOCAL.DOMAIN
You are prompted to set a password; then quit.
$ su linlin
$ klist
$ /usr/sbin/kadmin.local
kadmin.local: addprinc -randkey hdfs/LL-167@LOCAL.DOMAIN
kadmin.local: ktadd -norandkey -k hdfs.keytab hdfs/LL-167
Check the tickets you obtained.

