Kerberos service installation
step 1. Install the Kerberos server
Install the Kerberos server on the 102.2.5.13 machine with the command: yum install krb5-server krb5-libs krb5-auth-dialog
The KDC host itself must be well secured; normally it runs nothing but the KDC. In this article we use 102.2.5.13 as the KDC host. After the packages above are installed, the configuration files /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf are created on the KDC host; they reflect the realm name and the domain-to-realm mappings respectively.
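Step 2 copies the KDC's /etc/krb5.conf to every client, but the article never shows the file. The script below is an added example (mine, not from the article): it renders a minimal krb5.conf for the realm and KDC address used in the article and then resolves a client hostname through the [domain_realm] section with the precedence MIT krb5 applies (an exact host entry wins, otherwise the longest matching dotted domain suffix), so you can confirm the mapping covers your client hosts before pushing the file. The realm ultraman.ORG and KDC 102.2.5.13 come from the article; the DNS domain ultraman.org and the ticket lifetimes are assumptions.

```shell
#!/bin/bash
# Added example (not the article's own code): render a minimal /etc/krb5.conf and
# check which realm a client hostname maps to through its [domain_realm] section.

# render_krb5_conf REALM KDC DOMAIN: print a minimal krb5.conf to stdout.
# The KDC is named explicitly, so DNS SRV lookups are switched off.
render_krb5_conf() {
    local realm="$1" kdc="$2" domain="$3"
    cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $realm = {
  kdc = $kdc
  admin_server = $kdc
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# realm_for_host CONF_TEXT HOSTNAME: print the realm HOSTNAME maps to, or nothing
# if no [domain_realm] entry covers it. An exact entry wins; otherwise the
# longest entry starting with a dot that is a suffix of the hostname wins.
realm_for_host() {
    local conf="$1" host="$2"
    printf '%s\n' "$conf" | awk -v host="$host" '
        /^\[/ { in_dr = ($0 == "[domain_realm]"); next }
        in_dr && NF == 3 && $2 == "=" {
            key = $1
            if (key == host) { exact = $3 } else if (substr(key, 1, 1) == "." &&
                length(key) < length(host) &&
                substr(host, length(host) - length(key) + 1) == key &&
                length(key) > best_len) { best = $3; best_len = length(key) }
        }
        END { if (exact != "") print exact; else if (best != "") print best }'
}

# Usage: render the file, then verify a client host (here the article's cdh201,
# assumed to live in the DNS domain ultraman.org) resolves to the realm.
CONF=$(render_krb5_conf ultraman.ORG 102.2.5.13 ultraman.org)
printf '%s\n' "$CONF"
echo "cdh201.ultraman.org -> $(realm_for_host "$CONF" cdh201.ultraman.org)"
```

Write the rendered text to /etc/krb5.conf on the KDC before running the step 2 script; a client whose hostname prints no realm here will fall back to default_realm (or fail if that is unset), which is the usual cause of "Cannot find KDC for realm" errors on freshly installed clients.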
step 2. Install the Kerberos clients
With the Kerberos server installed on 102.2.5.13, the remaining machines are set up as Kerberos clients.
#!/bin/bash
# Install the Kerberos client on every host listed in the file "hosts" (one hostname
# per line) and push the KDC's /etc/krb5.conf to it. Assumes user laowang can reach
# each host over SSH without a password and has sudo rights there.
for HOST in $(cat hosts)
do
  echo "$HOST"
  echo "check NTP"   # Kerberos rejects tickets when clocks drift, so confirm NTP sync first
  ssh -t "laowang@$HOST" "sudo ntpq -p"
  echo "install kerberos"
  ssh -t "laowang@$HOST" "sudo yum install -y krb5-libs krb5-workstation"
  # stage the config in /tmp, then install it as root with the right mode and owner
  scp -p /etc/krb5.conf "laowang@$HOST:/tmp"
  ssh -t "laowang@$HOST" "sudo cp -pf /tmp/krb5.conf /etc/"
  ssh -t "laowang@$HOST" "sudo chmod 644 /etc/krb5.conf"
  ssh -t "laowang@$HOST" "sudo chown root:root /etc/krb5.conf"
done
Verify that the Kerberos cluster was set up successfully
Create a record on the Kerberos server, then on a client run kinit followed by klist and check whether that value comes back. On the host running the Kerberos server [102.2.5.13], do the following:
[root@cdh203 sssd]# kadmin.local # enter the kadmin shell
Authenticating as principal root/admin@ultraman.ORG with password.
kadmin.local: addprinc # addprinc is a kadmin command
usage: add_principal [options] principal
options are:
[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-pw password] [-maxrenewlife maxrenewlife]
[-e keysaltlist]
[{+|-}attribute]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
lockdown_keys
where,
[-x db_princ_args]* - any number of database specific arguments.
Look at each database documentation for supported arguments
- Create the Kerberos administrator account
kadmin.local: addprinc admin/admin@ultraman.ORG
WARNING: no policy specified for admin/admin@ultraman.ORG; defaulting to no policy
Enter password for principal "admin/admin@ultraman.ORG": # set a password here
Re-enter password for principal "admin/admin@ultraman.ORG": # repeat the password
add_principal: Principal or policy already exists while creating "admin/admin@ultraman.ORG".
- Create an ordinary Kerberos user (same idea as above)
kadmin.local: addprinc cloudera-scm/admin@ultraman.ORG
WARNING: no policy specified for cloudera-scm/admin@ultraman.ORG; defaulting to no policy
Enter password for principal "cloudera-scm/admin@ultraman.ORG":
Re-enter password for principal "cloudera-scm/admin@ultraman.ORG":
Principal "cloudera-scm/admin@ultraman.ORG" created.
kadmin.local: kinit admin/admin@ultraman.ORG
kadmin.local: Unknown request "kinit". Type "?" for a request list.
kadmin.local: exit
The password is 123456.
- On the Kerberos client [102.2.5.11], run the following:
[laowang@cdh201 ~]$ kinit admin/admin@ultraman.ORG
Password for admin/admin@ultraman.ORG:
[laowang@cdh201 ~]$ klist
Ticket cache: KEYRING:persistent:1112:1112
Default principal: admin/admin@ultraman.ORG
Valid starting Expires Service principal
07/16/2018 15:12:58 07/17/2018 15:12:58 krbtgt/ultraman.ORG@ultraman.ORG
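The kinit/klist check above is done by hand. The script below is an added example (mine, not the article's code) that makes the same check scriptable: it parses klist output, confirms that a TGT (krbtgt/REALM@REALM) for the expected realm is present, and compares its expiry against a point in time, so an expired or missing ticket is reported instead of silently passing. The sample klist text is constructed to match the output shown above; the realm ultraman.ORG is the article's.

```shell
#!/bin/bash
# Added example (not from the article): verify a client's Kerberos ticket cache.

REALM="ultraman.ORG"   # realm used in the article

# Constructed sample in the format klist prints (same shape as the article's output).
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1112:1112
Default principal: admin/admin@ultraman.ORG

Valid starting       Expires              Service principal
07/16/2018 15:12:58  07/17/2018 15:12:58  krbtgt/ultraman.ORG@ultraman.ORG'

# default_principal KLIST_OUTPUT: print the principal the cache belongs to.
default_principal() {
    printf '%s\n' "$1" | awk -F': ' '/^Default principal:/ { print $2 }'
}

# tgt_expiry KLIST_OUTPUT REALM: print the TGT expiry as "YYYY-MM-DD HH:MM:SS".
# klist prints MM/DD/YYYY; the ISO form compares correctly as a plain string,
# so no date(1) parsing is needed. Returns 1 when no krbtgt/REALM@REALM is listed.
tgt_expiry() {
    local out="$1" realm="$2" line
    line=$(printf '%s\n' "$out" | grep -F "krbtgt/$realm@$realm" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | awk '{
        split($3, d, "/")          # $3 = "Expires" date MM/DD/YYYY, $4 = its time
        printf "%s-%s-%s %s\n", d[3], d[1], d[2], $4
    }'
}

# tgt_valid KLIST_OUTPUT REALM NOW: exit 0 if a TGT for REALM exists and expires
# after NOW (given as "YYYY-MM-DD HH:MM:SS"), 1 otherwise.
tgt_valid() {
    local exp
    exp=$(tgt_expiry "$1" "$2") || return 1
    expr "$exp" '>' "$3" >/dev/null
}

# Live mode (run with --live on a client): check the real credential cache.
if [ "${1:-}" = "--live" ]; then
    live=$(klist 2>/dev/null) || { echo "no credential cache; run kinit first" >&2; exit 1; }
    now=$(date '+%Y-%m-%d %H:%M:%S')
    if tgt_valid "$live" "$REALM" "$now"; then
        echo "valid TGT for $REALM as $(default_principal "$live")"
    else
        echo "no unexpired TGT for $REALM in the cache" >&2
        exit 1
    fi
fi
```

Run it with --live after kinit on a client; a non-zero exit means the client either has no cache, holds tickets for a different realm, or its TGT has already expired, which distinguishes a broken client install from a merely stale ticket.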
Notes
- (1) The Kerberos server should be installed on the machine that already has passwordless SSH configured to the others; only then does installing the Kerberos clients require no password entry.
- (2) Configure the Kerberos services to start at boot
CentOS 6
chkconfig krb5kdc on
chkconfig kadmin on
service krb5kdc start
service kadmin start
CentOS 7
systemctl start krb5kdc
systemctl start kadmin
systemctl status krb5kdc
systemctl status kadmin