Kerberos cluster planning

Kerberos installation and configuration
1. Install the KDC server
2. Modify the configuration files
1) /etc/krb5.conf
2) /var/kerberos/krb5kdc/kdc.conf
3) /var/kerberos/krb5kdc/kadm5.acl
3. Copy /etc/krb5.conf to the other servers
4. Create the database
5. Start the services
6. Create the Kerberos administrator
7. Test Kerberos
1. Install the KDC server
[root@cdh1 yum.repos.d]# yum install krb5-server krb5-auth-dialog krb5-libs krb5-workstation krb5-devel -y
[root@cdh2 yum.repos.d]# yum install krb5-workstation krb5-devel -y
[root@cdh3 yum.repos.d]# yum install krb5-workstation krb5-devel -y
2. Modify the configuration files
1) /etc/krb5.conf
[root@cdh1 yum.repos.d]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ZGP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
renewable = true
[realms]
ZGP.COM = {
kdc = cdh1:88
admin_server = cdh1:749
}
[domain_realm]
.zgp.com = ZGP.COM
zgp.com = ZGP.COM
[kdc]
profile=/var/kerberos/krb5kdc/kdc.conf
2) /var/kerberos/krb5kdc/kdc.conf
[root@cdh1 krb5kdc]# vi kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
ZGP.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
#supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
max_life = 24h
max_renewable_life = 10d
}
3) /var/kerberos/krb5kdc/kadm5.acl
[root@cdh1 krb5kdc]# vi kadm5.acl
*/admin@ZGP.COM *
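As an added example that is not part of the original post, the following Python script reads a kdc.conf and a kadm5.acl of the kind shown above and reports the two things a reviewer would check first: the active supported_enctypes line still lists single-DES, RC4 (arcfour-hmac) and 3DES entries next to the AES ones, and the ACL grants every */admin principal the full privilege set. The sample inputs are copied inline from the two files above so the script runs offline; the LEGACY_ENCTYPES set and the function names are this example's own, not part of MIT Kerberos.

```python
import re

# Enctypes a new realm should neither issue nor accept: single DES is broken,
# and RC4 (arcfour-hmac) and 3DES are deprecated by MIT Kerberos.
# This set is the example's own classification, not a krb5 setting.
LEGACY_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-hmac-sha1",
    "des3-hmac-sha1", "des3-cbc-sha1", "arcfour-hmac",
}


def parse_supported_enctypes(kdc_conf_text):
    """Return the 'enctype:salt' entries from the first active (uncommented)
    supported_enctypes line of a kdc.conf, or [] if there is none."""
    for line in kdc_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue                      # the commented-out copy is ignored
        m = re.match(r"supported_enctypes\s*=\s*(.+)$", stripped)
        if m:
            return m.group(1).split()
    return []


def legacy_entries(entries):
    """Entries whose enctype (the part before ':') is in LEGACY_ENCTYPES."""
    return [e for e in entries if e.split(":", 1)[0] in LEGACY_ENCTYPES]


def hardened_line(entries):
    """The same supported_enctypes line with the legacy enctypes dropped."""
    kept = [e for e in entries if e.split(":", 1)[0] not in LEGACY_ENCTYPES]
    return "supported_enctypes = " + " ".join(kept)


def parse_kadm5_acl(acl_text):
    """Return (principal_pattern, privileges) pairs from a kadm5.acl.
    kadmind treats the privilege string '*' as every administrative right."""
    rules = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            rules.append((parts[0], parts[1]))
    return rules


def full_admin_patterns(rules):
    """Principal patterns that receive every privilege."""
    return [pattern for pattern, privs in rules if privs == "*"]


# Constructed sample input: the realm block of the kdc.conf above and the
# one-line kadm5.acl, embedded so the script runs without the real files.
SAMPLE_KDC_CONF = """\
[realms]
ZGP.COM = {
#supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
max_life = 24h
}
"""
SAMPLE_KADM5_ACL = "*/admin@ZGP.COM *\n"

if __name__ == "__main__":
    entries = parse_supported_enctypes(SAMPLE_KDC_CONF)
    print("legacy enctypes:", legacy_entries(entries))
    print("hardened line:", hardened_line(entries))
    print("full-admin ACL patterns:",
          full_admin_patterns(parse_kadm5_acl(SAMPLE_KADM5_ACL)))
```

Run against the sample, the script prints the five legacy entries, a hardened line that keeps only aes256-cts:normal and aes128-cts:normal, and the single */admin@ZGP.COM pattern as the ACL rule with unrestricted rights. Trimming supported_enctypes only affects keys generated afterwards, so it belongs before kdb5_util create and before any principals are added.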
3. Copy /etc/krb5.conf to the other servers
[root@cdh1 etc]# scp krb5.conf cdh2:/etc
[root@cdh1 etc]# scp krb5.conf cdh3:/etc
4. Create the database
[root@cdh1 etc]# kdb5_util create -r ZGP.COM -s
[root@cdh1 html]# cat /dev/sda >> /dev/urandom 《=== speeds up the collection of random data
[root@cdh1 etc]# kdb5_util create -r ZGP.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ZGP.COM',
master key name 'K/M@ZGP.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 《==== asks for the master password; here we used oracle
Re-enter KDC database master key to verify:
[root@cdh1 etc]#
Check the database that was created
[root@cdh1 etc]# cd /var/kerberos/krb5kdc/
[root@cdh1 krb5kdc]# ll
total 24
-rw------- 1 root root 18 Mar 30 03:52 kadm5.acl
-rw------- 1 root root 606 Mar 30 03:43 kdc.conf
-rw------- 1 root root 8192 Mar 30 04:22 principal
-rw------- 1 root root 8192 Mar 30 04:22 principal.kadm5
-rw------- 1 root root 0 Mar 30 04:22 principal.kadm5.lock
-rw------- 1 root root 0 Mar 30 04:22 principal.ok
[root@cdh1 krb5kdc]#
5. Start the services
[root@cdh1 krb5kdc]# service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
[root@cdh1 krb5kdc]# service kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
[root@cdh1 krb5kdc]#
[root@cdh1 krb5kdc]# chkconfig krb5kdc on
[root@cdh1 krb5kdc]# chkconfig kadmin on
6. Create the Kerberos administrator
[root@cdh1 krb5kdc]# kadmin.local -q "addprinc root/admin"
Authenticating as principal root/admin@ZGP.COM with password.
WARNING: no policy specified for root/admin@ZGP.COM; defaulting to no policy
Enter password for principal "root/admin@ZGP.COM":
Re-enter password for principal "root/admin@ZGP.COM":
Principal "root/admin@ZGP.COM" created.
[root@cdh1 krb5kdc]#
7. Test
[root@cdh1 krb5kdc]# kadmin
Authenticating as principal root/admin@ZGP.COM with password.
Password for root/admin@ZGP.COM:
kadmin: ?
kadmin: list_principals
K/M@ZGP.COM
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/ZGP.COM@ZGP.COM
root/admin@ZGP.COM
kadmin: add_principal jack
WARNING: no policy specified for jack@ZGP.COM; defaulting to no policy
Enter password for principal "jack@ZGP.COM":
Re-enter password for principal "jack@ZGP.COM":
Principal "jack@ZGP.COM" created.
kadmin: list_principals
K/M@ZGP.COM
jack@ZGP.COM
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/ZGP.COM@ZGP.COM
root/admin@ZGP.COM
kadmin: delete_principal jack
Are you sure you want to delete the principal "jack@ZGP.COM"? (yes/no): yes
Principal "jack@ZGP.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin:
[root@cdh1 krb5kdc]# kinit root
kinit: Client not found in Kerberos database while getting initial credentials
[root@cdh1 krb5kdc]# kinit root/admin
Password for root/admin@ZGP.COM:
[root@cdh1 krb5kdc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ZGP.COM
Valid starting Expires Service principal
03/30/17 04:41:59 03/31/17 04:41:59 krbtgt/ZGP.COM@ZGP.COM
renew until 04/06/17 04:41:59, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@cdh1 krb5kdc]#
[root@cdh1 krb5kdc]# kdestroy 《=== destroy the ticket
[root@cdh1 krb5kdc]# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@cdh1 krb5kdc]#
[root@cdh1 krb5kdc]# kinit root/admin
Password for root/admin@ZGP.COM:
[root@cdh1 krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ZGP.COM
Valid starting Expires Service principal
03/30/17 04:46:18 03/31/17 04:46:18 krbtgt/ZGP.COM@ZGP.COM
renew until 04/06/17 04:46:18
[root@cdh1 krb5kdc]# kinit -R 《=== renew the ticket
[root@cdh1 krb5kdc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ZGP.COM
Valid starting Expires Service principal
03/30/17 04:46:32 03/31/17 04:46:32 krbtgt/ZGP.COM@ZGP.COM
renew until 04/06/17 04:46:18
[root@cdh1 krb5kdc]#
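The klist output above is what a practitioner reads to confirm that the realm hands out what krb5.conf and kdc.conf promised: a 24h ticket, a 7d renewable window, and AES session and ticket keys. As an added example that is not from the original post, the following Python code parses that output (the MM/DD/YY timestamp format shown above) and checks a ticket against those limits, flagging any DES or RC4 enctype. The sample text is a constructed copy of the klist -e output above; the function names, the limits passed as arguments and the finding messages are this example's own.

```python
import re
from datetime import datetime

TIME_FMT = "%m/%d/%y %H:%M:%S"          # timestamp format used by klist above
TIME_RE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TIME_RE})\s+({TIME_RE})\s+(\S+)$")
# 'renew until' line; the Etype part is only present with klist -e
RENEW_RE = re.compile(
    rf"^\s*renew until ({TIME_RE})(?:, Etype \(skey, tkt\): ([^,]+), (\S+))?$")


def parse_klist(output):
    """Parse `klist` / `klist -e` text into the default principal and a list of
    tickets (start, expires, renew_until, service, skey_etype, tkt_etype)."""
    result = {"principal": None, "tickets": []}
    for line in output.splitlines():
        line = line.rstrip()
        if line.startswith("Default principal:"):
            result["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            result["tickets"].append({
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "renew_until": None, "service": m.group(3),
                "skey_etype": None, "tkt_etype": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and result["tickets"]:          # belongs to the ticket just parsed
            t = result["tickets"][-1]
            t["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
            t["skey_etype"], t["tkt_etype"] = m.group(2), m.group(3)
    return result


def lifetime_hours(ticket):
    return (ticket["expires"] - ticket["start"]).total_seconds() / 3600


def renew_window_days(ticket):
    if ticket["renew_until"] is None:
        return 0.0
    return (ticket["renew_until"] - ticket["start"]).total_seconds() / 86400


def check_ticket(ticket, max_life_hours=24, max_renew_days=7):
    """Return a list of findings; an empty list means the ticket matches the
    ticket_lifetime / renew_lifetime policy and uses no legacy enctype."""
    findings = []
    if lifetime_hours(ticket) > max_life_hours:
        findings.append("lifetime exceeds %dh" % max_life_hours)
    if renew_window_days(ticket) > max_renew_days:
        findings.append("renewable window exceeds %dd" % max_renew_days)
    for key in ("skey_etype", "tkt_etype"):
        et = ticket[key] or ""
        if et.startswith(("des", "arcfour")):
            findings.append("%s uses legacy enctype %s" % (key, et))
    return findings


# Constructed sample: a copy of the `klist -e` output shown above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@ZGP.COM

Valid starting     Expires            Service principal
03/30/17 04:41:59  03/31/17 04:41:59  krbtgt/ZGP.COM@ZGP.COM
    renew until 04/06/17 04:41:59, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    info = parse_klist(SAMPLE_KLIST)
    for t in info["tickets"]:
        print(info["principal"], t["service"], "%.0fh" % lifetime_hours(t),
              "%.0fd" % renew_window_days(t), check_ticket(t) or "OK")
```

The same parser handles the plain klist output after kinit -R, where the renew line carries no Etype field; the refreshed ticket starts at 04:46:32 but still renews until 04/06/17 04:46:18, because renewal extends the ticket's expiry and never the renewable window granted at the first kinit.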
[root@cdh1 krb5kdc]# kadmin.local -q "ktadd kadmin/admin"
Authenticating as principal root/admin@ZGP.COM with password.
Entry for principal kadmin/admin with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kadmin/admin with kvno 4, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
[root@cdh1 krb5kdc]#
[root@cdh1 krb5kdc]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 kadmin/admin@ZGP.COM
3 kadmin/admin@ZGP.COM
3 kadmin/admin@ZGP.COM
3 kadmin/admin@ZGP.COM
3 kadmin/admin@ZGP.COM
3 kadmin/admin@ZGP.COM
4 kadmin/admin@ZGP.COM
4 kadmin/admin@ZGP.COM
4 kadmin/admin@ZGP.COM
4 kadmin/admin@ZGP.COM
4 kadmin/admin@ZGP.COM
4 kadmin/admin@ZGP.COM
[root@cdh1 krb5kdc]#
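The keytab listing above holds six entries at kvno 3 and six at kvno 4 for the same principal. ktadd generates a new random key and bumps the kvno each time it runs, and the KDC then keeps only the new key, so the lower-kvno entries can no longer decrypt anything and only widen what an attacker gets from a stolen keytab. As an added example that is not from the original post, the following Python code parses klist -k output (with or without the enctype column printed by klist -ke) and lists the entries superseded by a higher kvno. The sample listing is a constructed copy of the one above; the function names are this example's own.

```python
import re

# One keytab line: kvno, principal, and an optional "(enctype)" as printed by klist -ke
KEYTAB_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)(?:\s+\((.+)\))?\s*$")


def parse_keytab_listing(output):
    """Parse `klist -k` / `klist -ke` output into (kvno, principal, enctype)
    triples; enctype is None when the listing has no enctype column.
    The 'Keytab name:' line and the column header do not match and are skipped."""
    entries = []
    for line in output.splitlines():
        m = KEYTAB_ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def latest_kvno(entries):
    """Highest kvno seen for each principal."""
    latest = {}
    for kvno, princ, _ in entries:
        latest[princ] = max(latest.get(princ, 0), kvno)
    return latest


def stale_entries(entries):
    """Entries superseded by a higher kvno for the same principal: dead weight
    in the keytab and a candidate for removal."""
    latest = latest_kvno(entries)
    return [e for e in entries if e[0] < latest[e[1]]]


# Constructed sample: a copy of the `klist -k /etc/krb5.keytab` output above.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 kadmin/admin@ZGP.COM
   3 kadmin/admin@ZGP.COM
   3 kadmin/admin@ZGP.COM
   3 kadmin/admin@ZGP.COM
   3 kadmin/admin@ZGP.COM
   3 kadmin/admin@ZGP.COM
   4 kadmin/admin@ZGP.COM
   4 kadmin/admin@ZGP.COM
   4 kadmin/admin@ZGP.COM
   4 kadmin/admin@ZGP.COM
   4 kadmin/admin@ZGP.COM
   4 kadmin/admin@ZGP.COM
"""

if __name__ == "__main__":
    entries = parse_keytab_listing(SAMPLE_KEYTAB_LISTING)
    print("latest kvno per principal:", latest_kvno(entries))
    for kvno, princ, _ in stale_entries(entries):
        print("stale: kvno %d %s" % (kvno, princ))
```

For the sample the script reports kvno 4 as current and the six kvno 3 entries as stale. In kadmin, `ktremove kadmin/admin old` removes every entry for that principal except the one with the highest kvno; run klist -k again afterwards and the listing should contain only kvno 4.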