Quickly setting up a Kerberos server and getting started

                                           Author: Yin Zhengjie

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.

  Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from MIT. Kerberos is also used in many commercial products.

  Although there are many configuration parameters and settings, configuring a Kerberos-protected Hadoop cluster is fairly straightforward. With a clear understanding of the Kerberos concepts introduced in the previous part, you can confidently use Kerberos to secure the cluster.

  In short, Kerberos is a solution to your network security problems. It provides authentication and strong encryption over the network, helping you secure information systems across the whole enterprise. Official Kerberos site: http://web.mit.edu/kerberos/

I. Setting up the Kerberos server (node101.yinzhengjie.org.cn)

Recommended reading:
  Kerberos release page: https://kerberos.org/dist/index.html
  Kerberos official documentation: http://web.mit.edu/kerberos/krb5-1.17/doc/index.html
  Oracle's Kerberos documentation: https://docs.oracle.com/cd/E26926_01/html/E25889/intro-1.html#scrolltoc

  The latest Kerberos release can be downloaded from the MIT site (release date: --), i.e. krb5-1.17.tar.gz. After downloading and unpacking it you can build and install from source; for convenience we install with yum instead, which takes care of everything in one step.
  To configure Kerberos authentication you must first install and configure Kerberos. This must be completed before adjusting the Hadoop cluster configuration for Kerberos.
  Install the Kerberos software first, which means installing a KDC on one cluster node. Then install the Kerberos client on all cluster nodes.
  Configuring Kerberos means configuring every aspect of KDC administration, ticket lifetimes and so on. During this process you can create the realm, user and service principals, and begin adjusting the cluster configuration for Kerberos authentication. The steps for installing Kerberos on the master node are as follows:

1>. Install the KDC server

Note that the library package is named krb5-libs; the command below asks for krb5-lib, which yum reports as unavailable, but krb5-libs is pulled in anyway as a dependency of krb5-server and krb5-workstation.

[root@node101.yinzhengjie.org.cn ~]# yum -y install krb5-server krb5-lib krb5-workstation

2>. Edit the KDC configuration file

[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@node101.yinzhengjie.org.cn ~]#

Explanation of the parameters above:
[kdcdefaults]
  This section holds the general settings that apply to everything listed in this file.
  kdc_ports          : the default (UDP) port the KDC listens on.
  kdc_tcp_ports      : the default TCP port the KDC listens on.
[realms]
  This section lists the configuration of each realm.
  YINZHENGJIE.COM    : the realm being defined. The name is arbitrary (upper case recommended!) but must match /etc/krb5.conf. Kerberos supports several realms, at the cost of extra complexity. Realm names are case-sensitive.
  master_key_type    : disabled by default; if 256-bit encryption is required, download and install the Java Cryptography Extension (JCE). When this parameter is disabled, 128-bit encryption is used by default.
  acl_file           : the file that defines the permissions of admin users; if it does not exist you must create it yourself. In other words, this parameter points to the ACL for the principals (UPNs) that have administrative access to the Kerberos database.
  supported_enctypes : the encryption types this KDC supports.
  admin_keytab       : the keytab used by the KDC (kadmind) for verification.
  max_life           : the maximum lifetime of a ticket; for example, a value of 2 days means a ticket lives at most 2 days.
  max_renewable_life : the period during which a ticket can keep being renewed.
  dict_file          : points to a file of potentially guessable or crackable passwords.

3>. Configure the KDC's administrative permissions file

[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kadm5.acl     # We make */admin@YINZHENGJIE.COM the administrator with full permissions; note the wildcard "*", you know what it means.
*/admin@YINZHENGJIE.COM *
[root@node101.yinzhengjie.org.cn ~]#

Explanation of the parameters above:
The line above has only two columns: the first is the principal, the second the permissions granted. The file format is: Kerberos_principal permissions [target_principal] [restrictions]. The fields of the line above are:
  */admin@YINZHENGJIE.COM : matches every principal that ends in "/admin@YINZHENGJIE.COM".
  *                       : the matched principals may perform any operation, because the permission field grants all permissions; make sure you understand the difference between this second "*" and the first "*".
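
The following Python is an added example (not the author's code) that evaluates kadm5.acl lines the way the format above describes: per-component "*" wildcards in the principal, lowercase letters grant and uppercase letters deny, "*"/"x" grant everything, an optional target principal. It assumes the first entry whose principal and target both match decides the result, and does not model "*1"-style back-references; the second, tighter ACL is constructed to contrast with the page's one-liner.

```python
"""Evaluate MIT kadm5.acl entries against a principal and a requested permission.
Added example, not the page's code; first-match semantics and the absence of
'*1' back-references are simplifying assumptions."""
from dataclasses import dataclass
from typing import Optional, Set

REALM = "YINZHENGJIE.COM"   # default realm appended when a name has no '@'

# Permission letters from kadm5.acl(5); 'e' (extract) is what ktadd/xst need.
PERMS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw",
         "i": "inquire", "l": "list", "s": "setkey", "p": "purge",
         "e": "extract"}


@dataclass
class AclEntry:
    principal: str
    allowed: Set[str]
    target: Optional[str]


def parse_perms(field: str) -> Set[str]:
    """'*' or 'x' grants all; lowercase grants one; uppercase revokes one."""
    allowed: Set[str] = set()
    for ch in field:
        if ch in ("*", "x"):
            allowed |= set(PERMS)
        elif ch in PERMS:
            allowed.add(ch)
        elif ch.lower() in PERMS:
            allowed.discard(ch.lower())
        else:
            raise ValueError(f"unknown permission letter {ch!r}")
    return allowed


def parse_acl(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        target = fields[2] if len(fields) > 2 else None
        entries.append(AclEntry(fields[0], parse_perms(fields[1]), target))
    return entries


def split_principal(name: str):
    """'root/admin@REALM' -> (['root', 'admin'], 'REALM'); realm defaults to REALM."""
    base, _, realm = name.partition("@")
    return base.split("/"), (realm or REALM)


def match_principal(pattern: str, principal: str) -> bool:
    """A pattern component '*' matches any one component; '*' realm matches any realm."""
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(principal)
    if len(pcomps) != len(ncomps) or prealm not in ("*", nrealm):
        return False
    return all(p in ("*", n) for p, n in zip(pcomps, ncomps))


def is_allowed(entries, client: str, perm: str, target: Optional[str] = None) -> bool:
    for entry in entries:
        if not match_principal(entry.principal, client):
            continue
        if entry.target is not None and (target is None or
                                         not match_principal(entry.target, target)):
            continue
        return perm in entry.allowed        # first matching entry decides (assumption)
    return False


# The page's own one-line ACL: every */admin principal gets every permission,
# including 'e', so any of them can dump any principal's keys with xst.
PAGE_ACL = parse_acl("*/admin@YINZHENGJIE.COM *\n")

# Constructed least-privilege alternative: one full admin; jason/admin may only
# reset passwords (c) and inspect (i) principals on node103; anything else
# matching */admin is limited to read-only inquire/list.
TIGHT_ACL = parse_acl("""
root/admin@YINZHENGJIE.COM  *
jason/admin@YINZHENGJIE.COM ci  */node103.yinzhengjie.org.cn@YINZHENGJIE.COM
*/admin@YINZHENGJIE.COM     il
""")
```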

4>. Edit the Kerberos configuration file (it holds the KDC location, the admin server, the realms, etc.; this file must be kept in sync on every machine that uses Kerberos)

[root@node101.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[root@node101.yinzhengjie.org.cn ~]#

Explanation of the configuration parameters above:
[logging]:
  How the Kerberos daemons log; in other words, where the server-side logs are written.
  default      : path of the default krb5libs.log log file
  kdc          : path of the default krb5kdc.log log file
  admin_server : path of the default kadmind.log log file
[libdefaults]:
  Defaults used by Kerberos; when authenticating without specifying a realm, the realm given by default_realm is used. These are the defaults for every connection; note the following key settings:
  dns_lookup_realm : look up the realm via DNS, which we can think of as forward DNS resolution. I have not verified this feature; it is disabled by default. (I guess it is related to the domain_realm configuration.)
  ticket_lifetime  : how long credentials are valid; set to 7 days.
  rdns             : as I understand it, the opposite of dns_lookup_realm, i.e. reverse resolution. I have not verified this feature either; leave it disabled by default. (I guess it is related to the domain_realm configuration.)
  pkinit_anchors   : the location of the PKINIT trust anchors used by the KDC; I have not verified this parameter's exact function.
  default_realm = YINZHENGJIE.COM : sets the default realm for Kerberos applications. If you have multiple realms, just add further entries to the [realms] section. YINZHENGJIE.COM can be any name, upper case is recommended, and it must match the name of the realm being configured.
  default_ccache_name : as the name suggests, the default credential cache name; using this parameter is not recommended.
  renew_lifetime   : the maximum period for which credentials can be renewed, typically 7 days. Once credentials expire, subsequent access to services that require authentication fails.
  forwardable      : if set to true, tickets can be forwarded, meaning that when a user holding a TGT logs in to a remote system, the KDC can issue a new TGT without the user authenticating again.
  renewable        : whether tickets may be renewed.
[realms]:
  Realm-specific information, such as the location of the realm's Kerberos servers. There may be several entries, one per realm. A port can be given for the KDC and the admin server; if none is configured, the KDC uses port 88 and the admin server uses 749. This section lists the realms in use.
  kdc            : the location of the KDC, in the form host:port
  admin_server   : the location of the admin server, in the form host:port
  default_domain : as the name suggests, the default domain name.
[domain_realm]:
  Specifies the mapping between DNS domain names and Kerberos realms. Given a server's FQDN, the matching domain_realm value determines the realm the host belongs to.
[kdc]:
  KDC configuration, i.e. the location of kdc.conf.
  profile : path of the KDC configuration file; if no file exists at the default path, create one.
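
An added example (not the author's code) that resolves a host's realm from the [domain_realm] section described above, following MIT's documented lookup order: exact host entry, then each parent domain, then the upper-cased DNS domain as a last resort (the KDC-referral step MIT tries before that fallback is left out). It works on a constructed copy of the page's krb5.conf and shows that the mapping covers yinzhengjie.com, while the cluster hosts in this post live under yinzhengjie.org.cn.

```python
"""Host-to-realm lookup from a krb5.conf [domain_realm] section.
Added example, not the page's code; the referral step is not modelled."""
import re

# Constructed copy of the relevant parts of the page's /etc/krb5.conf.
KRB5_CONF = """\
[libdefaults]
 default_realm = YINZHENGJIE.COM

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
"""


def parse_sections(text: str) -> dict:
    """Flat profile parser: {section: {key: value}}; brace-nested blocks
    (the per-realm settings) are skipped, which is enough for this lookup."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is not None and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections


def host_realm(hostname: str, conf: dict) -> str:
    """Realm for hostname: exact entry, then parent domains (a '.domain'
    entry or a bare 'domain' entry, which MIT treats as implying the domain),
    else the upper-cased domain part of the name."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "." + parent in mapping:
            return mapping["." + parent]
        if parent in mapping:
            return mapping[parent]
    return ".".join(labels[1:]).upper()


def hosts_outside_default_realm(conf: dict, hosts) -> list:
    """Hosts whose service principals would not land in default_realm:
    the check a cluster admin wants before creating hdfs/<host> principals."""
    default = conf["libdefaults"]["default_realm"]
    return [h for h in hosts if host_realm(h, conf) != default]


if __name__ == "__main__":
    conf = parse_sections(KRB5_CONF)
    for h in ("web.yinzhengjie.com", "node103.yinzhengjie.org.cn"):
        print(h, "->", host_realm(h, conf))
```

To cover the cluster hosts, add a `.yinzhengjie.org.cn = YINZHENGJIE.COM` line to [domain_realm] on every node.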

5>. Initialise the KDC database

[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s      # Note: the -s option stores the database master key in a stash file, so the KDC can recover the master key automatically every time it starts. Remember the master password; it is used later.
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:                       # Enter the password that protects the KDC database here. Do not forget it; if you do, your only option is to re-initialise the KDC database! (If you get a message that the database already exists, delete the principal* files under /var/kerberos/krb5kdc/. The default database name is principal; -d can be used to give a different name.)
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': File exists while creating database '/var/kerberos/krb5kdc/principal'       # the database already exists; fixed below by removing the stale principal* files and running the command again
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rm -f /var/kerberos/krb5kdc/principal*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]#


[root@node101.yinzhengjie.org.cn ~]# ll -a /var/kerberos/krb5kdc/         # Once the Kerberos database has been created, the following 5 new files appear in this directory by default (see the comments below)
total
drwxr-xr-x root root May : .
drwxr-xr-x. root root May : ..
-rw------- root root May : .k5.YINZHENGJIE.COM            # the master key stash file .k5.YINZHENGJIE.COM; it is a hidden file by default
-rw------- root root May : kadm5.acl                  # configuration file defining administrator permissions
-rw------- root root May : kdc.conf                   # main KDC configuration file
-rw------- root root May : principal                  # Kerberos database file
-rw------- root root May : principal.kadm5               # Kerberos database administration file
-rw------- root root May : principal.kadm5.lock            # database lock file
-rw------- root root May : principal.ok                 # Kerberos database file
[root@node101.yinzhengjie.org.cn ~]#

6>. Start the KDC server

[root@node101.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
Active: active (running) since Tue -- :: CST; 1s ago
Process: ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=/SUCCESS)
Main PID: (krb5kdc)
CGroup: /system.slice/krb5kdc.service
└─ /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid Apr :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos KDC...
Apr :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos KDC.
[root@node101.yinzhengjie.org.cn ~]#


7>. Start the Kerberos administration server (kadmin)

[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos Password-changing and Administration
Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
Active: active (running) since Tue -- :: CST; 2s ago
Process: ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=/SUCCESS)
Main PID: (kadmind)
CGroup: /system.slice/kadmin.service
└─ /usr/sbin/kadmind -P /var/run/kadmind.pid Apr :: node101.yinzhengjie.org.cn systemd[]: Starting Kerberos Password-changing and Administration...
Apr :: node101.yinzhengjie.org.cn systemd[]: Started Kerberos Password-changing and Administration.
[root@node101.yinzhengjie.org.cn ~]#


8>. Add a super-administrator account on the KDC server

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local: addprinc root/admin        # Add an administrator principal for the KDC; the admin rule was defined in "/var/kerberos/krb5kdc/kadm5.acl". Observant readers will notice we typed "root/admin" but the created principal is shown as "root/admin@YINZHENGJIE.COM": the default realm is appended automatically.
WARNING: no policy specified for root/admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "root/admin@YINZHENGJIE.COM":
Re-enter password for principal "root/admin@YINZHENGJIE.COM":
Principal "root/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/admin@YINZHENGJIE.COM
kadmin.local:
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]#

II. Setting up the Kerberos client environment

1>. Install the client

[root@node103.yinzhengjie.org.cn ~]# yum install -y krb5-lib krb5-workstation

2>. Copy the server's configuration file to the client

[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node103.yinzhengjie.org.cn:/etc/
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ssh node103.yinzhengjie.org.cn
Last login: Tue Apr :: from 172.30.1.2
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#


3>. With the client configuration file in sync with the server, log in and verify that the login succeeds

[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit root/admin                    # We log in as root/admin@YINZHENGJIE.COM in the current terminal; success!
Password for root/admin@YINZHENGJIE.COM:
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::                // ::                krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#

III. Some basic Kerberos commands

1>. Enter local administrator mode with the kadmin.local command

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local: ?                                  # Type "?" to list the available commands, as shown below.
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin.local:

2>. List the existing principals

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:


3>. Create principals

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local: addprinc -randkey hdfs/node101.yinzhengjie.org.cn                # create a principal with a random key
WARNING: no policy specified for hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:


kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/master@YINZHENGJIE.COM
kadmin.local:
kadmin.local: addprinc -pw 123456 jason/admin                            # create a principal with a given password
WARNING: no policy specified for jason/admin@YINZHENGJIE.COM; defaulting to no policy
Principal "jason/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
jason/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/master@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kinit jason/admin
Password for jason/admin@YINZHENGJIE.COM:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jason/admin@YINZHENGJIE.COM Valid starting Expires Service principal
// :: // :: krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#


4>. Delete principals

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local: delprinc hdfs/node101.yinzhengjie.org.cn
Are you sure you want to delete the principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"? (yes/no): yes
Principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:


5>. Export a principal's keytab (with the xst or ktadd command)

kadmin.local:  addprinc -randkey hdfs/node103.yinzhengjie.org.cn
WARNING: no policy specified for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local: ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type aes256-cts-hmac-sha1- added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local:


kadmin.local:  xst -k /root/node103.keytab-v2 hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type aes256-cts-hmac-sha1- added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab-v2.
kadmin.local:
kadmin.local:


[root@node101.yinzhengjie.org.cn ~]# pwd
/root
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total
-rw------- root root May : node103.keytab
-rw------- root root May : node103.keytab-v2
[root@node101.yinzhengjie.org.cn ~]#  
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local: xst -norandkey -k /root/my.keytab hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM admin/admin@YINZHENGJIE.COM kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM    # write several principals into a single keytab
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type aes256-cts-hmac-sha1- added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno , encryption type aes256-cts-hmac-sha1- added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno , encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno , encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno , encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno , encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type aes256-cts-hmac-sha1- added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno , encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
kadmin.local:
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total
-rw------- root root May : my.keytab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist -k -e -t my.keytab
Keytab name: FILE:my.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
// :: admin/admin@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: admin/admin@YINZHENGJIE.COM (des3-cbc-sha1)
// :: admin/admin@YINZHENGJIE.COM (arcfour-hmac)
// :: admin/admin@YINZHENGJIE.COM (des-hmac-sha1)
// :: admin/admin@YINZHENGJIE.COM (des-cbc-md5)
// :: kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
// :: kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
// :: kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
// :: kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

kadmin.local: xst -norandkey -k /root/my.keytab hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM admin/admin@YINZHENGJIE.COM kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM    # export several principals into one keytab

6>. View the currently authenticated user on the client

[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::                // ::                krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#

[root@node103.yinzhengjie.org.cn ~]# klist

7>. Destroy the current credential cache

[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::                // ::                krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#

[root@node103.yinzhengjie.org.cn ~]# kdestroy

8>. Authenticate a user

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local: addprinc hdfs/node103.yinzhengjie.org.cn
WARNING: no policy specified for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Re-enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:

kadmin.local: addprinc hdfs/node103.yinzhengjie.org.cn                               # create the principal

kadmin.local:  ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type aes256-cts-hmac-sha1- added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local:
kadmin.local:
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]# ll
total
-rw------- root root May : node103.keytab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

kadmin.local: ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn                 # export the principal's key to a keytab

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total
-rw------- root root May : node103.keytab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kinit -kt node103.keytab hdfs/node103.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::                // ::                krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# kinit -kt node103.keytab hdfs/node103.yinzhengjie.org.cn       # authenticate with the keytab (key-based)

[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::                // ::                krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdestroy
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# kdestroy                                    # destroy the credential cache

[root@node103.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM:
kinit: Password incorrect while getting initial credentials
[root@node103.yinzhengjie.org.cn ~]#

Fix for the error above (cause: every time a keytab file is generated with ktadd, the principal's key is re-randomized, so the previously set password no longer works; adding "-norandkey" keeps the existing key and solves the problem):
kadmin.local: ktadd -k /root/node103.keytab -norandkey hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type aes256-cts-hmac-sha1- added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno , encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local:

kinit: Password incorrect while getting initial credentials                           # the fix for this error

[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
// ::                // ::                krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn                  # authenticate with a password

9>. Change a Kerberos principal's password

[root@node101.yinzhengjie.org.cn ~]# kpasswd hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM:                            # enter the old password
Enter new password:                                                     # enter the new password; it must be confirmed on the next line
Enter it again:
Password changed.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal hdfs/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local:
kadmin.local: change_password hdfs/node103.yinzhengjie.org.cn
Enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Re-enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Password for "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" changed.
kadmin.local:

kadmin.local: change_password hdfs/node103.yinzhengjie.org.cn                          # kpasswd above needs the old password; from kadmin.local on the KDC the password can be changed without knowing the original one

10>. Create a principal and set its password

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local: addprinc admim/admin                    # add an administrator principal to the KDC
WARNING: no policy specified for admim/admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "admim/admin@YINZHENGJIE.COM":
Re-enter password for principal "admim/admin@YINZHENGJIE.COM":
Principal "admim/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admim/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

kadmin.local: addprinc admim/admin                                          # add an administrator principal to the KDC

11>. Get principal information

kadmin.local:  getprinc hdfs/node103.yinzhengjie.org.cn
Principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
Expiration date: [never]
Last password change: Sun May :: CST
Password expiration date: [never]
Maximum ticket life: day ::
Maximum renewable life: days ::
Last modified: Sun May :: CST (hdfs/admin@YINZHENGJIE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts:
Number of keys:
Key: vno , aes256-cts-hmac-sha1-
Key: vno , des3-cbc-sha1
Key: vno , arcfour-hmac
Key: vno , des-hmac-sha1
Key: vno , des-cbc-md5
MKey: vno
Attributes:
Policy: [none]
kadmin.local:

kadmin.local: getprinc hdfs/node103.yinzhengjie.org.cn

12>. List the principals in a keytab file

[root@node101.yinzhengjie.org.cn ~]#  klist -ket node103.keytab
Keytab name: FILE:node103.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
// :: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]#
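As an added example (not from the original post), a small POSIX shell check that parses `klist -ket` output in the format shown above and flags keytab entries that still carry single-DES or arcfour (RC4) keys, so a keytab can be reviewed before it is copied to a cluster node. The sample listing, KVNO and timestamps are constructed placeholders; the real values are not in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: report weak encryption
# types in a keytab based on the output of `klist -ket <keytab>`.

# Constructed sample of what `klist -ket node103.keytab` prints for the
# keytab created in this post (KVNO and timestamps are placeholders).
SAMPLE_KLIST='Keytab name: FILE:node103.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   1 05/04/19 10:00:00 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/04/19 10:00:00 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/04/19 10:00:00 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   1 05/04/19 10:00:00 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/04/19 10:00:00 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)'

# weak_enctypes: read `klist -ket` output on stdin and print
# "<principal> <enctype>" for every entry whose key is single DES
# (des-*) or arcfour (RC4). des3-cbc-sha1 and the AES types pass.
weak_enctypes() {
    awk '
        /^[ ]*[0-9]+ / {
            enctype = $NF                 # last field: "(enctype)"
            gsub(/[()]/, "", enctype)     # strip the parentheses
            princ = $(NF - 1)             # field before it: principal
            if (enctype ~ /^des-/ || enctype ~ /^arcfour/)
                print princ, enctype
        }'
}

# count_weak: number of weak entries in the constructed sample.
count_weak() {
    printf '%s\n' "$SAMPLE_KLIST" | weak_enctypes | wc -l | tr -d ' '
}

# check_keytab: run the check against a real keytab file on a node
# where krb5-workstation is installed (klist must be on PATH).
check_keytab() {
    klist -ket "$1" | weak_enctypes
}

# Stand-alone run: show the weak entries found in the sample.
printf '%s\n' "$SAMPLE_KLIST" | weak_enctypes
```

On a real host, `check_keytab /root/node103.keytab` runs the same check against the listing printed by klist; an empty result means no single-DES or RC4 keys are present.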

13>. Dump the KDC database to a file

[root@node101.yinzhengjie.org.cn ~]# ll
total
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdb5_util dump ./slava_data
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total
-rw------- root root May : slava_data
-rw------- root root May : slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total
-rw------- root root May : slava_data
-rw------- root root May : slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat slava_data
kdb5_util load_dump version
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# cat slava_data
