Kerberos protocol:
The Kerberos protocol is mainly used for authentication in computer networks. Its distinguishing feature is that the user enters authentication information only once and can then access multiple services on the strength of that one authentication (via a ticket-granting ticket), that is, single sign-on (SSO). Because a shared secret key is established between each client and service, the protocol is considered quite secure.
2. Install Kerberos
2.1. Environment configuration
Before installing Kerberos, make sure that every host name can be resolved.
Host name   Intranet IP      Role
vmw201      172.16.18.201    Master KDC
vmw202      172.16.18.202    Kerberos client
vmw203      172.16.18.203    Kerberos client
2.2 Configuring a Kerberos Server
2.2.1 Ensure the environment is available
Ensure that time is synchronized between all clients and servers and that DNS resolution works correctly.
2.2.2 Select a host to run the KDC and install krb5-libs, krb5-server and krb5-workstation on it:
yum install krb5-server krb5-libs krb5-auth-dialog
The KDC host must itself be very secure, and typically it runs nothing but the KDC programs. In this article we chose vmw201 as the host running the KDC.
After the software is installed, the configuration files /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf exist on the KDC host; they define the realm name and the domain-to-realm mappings.
2.2.3 Configure kdc.conf
By default the file is /var/kerberos/krb5kdc/kdc.conf; the location can be overridden with the KRB5_KDC_PROFILE environment variable.
Configuration example:
[kdcdefaults]
 kdc_ports =
 kdc_tcp_ports =
[realms]
 hadoop.com = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
Description
hadoop.com: the name of the realm. The name can be chosen freely. Kerberos supports multiple realms, which adds complexity; this article does not discuss that. Realm names are case sensitive and are usually written in all caps to make them easy to recognize. The realm is not related to the machine's host name.
max_renewable_life = 7d: must be set if tickets are to be renewable.
master_key_type and supported_enctypes: default to aes256-cts. Because Java needs additional jar files installed before it can use aes256-cts (see 2.2.9 about AES-256 encryption), it is recommended not to use it.
acl_file: defines the permissions of admin users. The file format is
kerberos_principal permissions [target_principal] [restrictions], and wildcards are supported.
admin_keytab: the keytab the KDC uses to verify kadmin. How to create it is described later in this article.
supported_enctypes: the supported encryption types. Take care to remove aes256-cts. Note that the des-* and arcfour-hmac types in the example are weak legacy types (MIT Kerberos 1.8 and later disable them by default via allow_weak_crypto = false), so keep them only if a legacy client actually requires them.
2.2.4 Configure krb5.conf
/etc/krb5.conf contains the Kerberos configuration, for example the location of the KDC, the Kerberos admin server, the realms, and so on. This file must be kept in sync on every machine that uses Kerberos. Only the basic required configuration is listed here.
Configuration example:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = hadoop.com
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 #udp_preference_limit = 1
[realms]
 hadoop.com = {
  kdc = vmw201
  admin_server = vmw201
 }
[domain_realm]
 .hadoop.com = hadoop.com
 hadoop.com = hadoop.com
Description
[logging]: where the server-side logs are written.
[libdefaults]: the default settings for every connection; a few small but important settings deserve attention:
default_realm = hadoop.com: the default realm; it must match the name of the realm configured below.
udp_preference_limit = 1: disables UDP, which avoids errors in Hadoop.
ticket_lifetime: the ticket is valid for 24 hours.
renew_lifetime: the ticket can be renewed for at most one week. Once the ticket expires, subsequent access to services protected by Kerberos will fail.
[realms]: lists the realms in use.
kdc: the location of the KDC, in the format machine:port.
admin_server: the location of the admin server, in the format machine:port.
default_domain: the default domain name.
[appdefaults]: settings for specific applications that override the defaults.
2.2.5 Create/initialize the Kerberos database
Initialize and start: once the two configuration files above are complete, the database can be initialized and the services started.
[root@vmw201 ~]# /usr/sbin/kdb5_util create -s -r hadoop.com
Here -s means generate a stash file that stores the master server key (under /var/kerberos/krb5kdc), and -r names the realm; the latter is needed when more than one realm is defined in krb5.conf.
# Files are saved under /var/kerberos/krb5kdc; if you need to rebuild the database, delete the principal* files in that directory first.
During this process you will be asked for the password of the database master key. Remember the password you set here; if you forget it, you can no longer manage the Kerberos server.
Once the Kerberos database has been created, you can see several files generated under /var/kerberos/krb5kdc:
kadm5.acl
kdc.conf
principal
principal.kadm5
principal.kadm5.lock
principal.ok
2.2.6 Add a database administrator
We need to add administrative principals (principals that can manage the database) to the Kerberos database. At least one such principal is needed so that the Kerberos management daemon kadmind can communicate with the kadmin program over the network.
Execute on the master KDC:
[root@vmw201 /]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
and set a password for it.
kadmin.local can be run directly on the master KDC without authenticating to Kerberos first; in fact it only needs read and write permission on the database files.
2.2.7 Set ACL permissions for the database administrator
On the KDC we need to edit the ACL file to set permissions. The default path of the ACL file is /var/kerberos/krb5kdc/kadm5.acl (it can be changed in kdc.conf). The Kerberos kadmind daemon uses this file to control access to the Kerberos database. For operations that affect principals, the ACL file can also control which principals may manipulate which other principals.
We now set permissions for the administrator. Edit /var/kerberos/krb5kdc/kadm5.acl so that it contains
*/admin@hadoop.com *
This means that every principal whose name matches */admin@hadoop.com is considered an administrator, and its permissions are *, which means all permissions.
2.2.8 Start the Kerberos daemons on the master KDC
To start manually:
[root@vmw201 /]# service krb5kdc start
[root@vmw201 /]# service kadmin start
To start them automatically at boot:
[root@vmw201 /]# chkconfig krb5kdc on
[root@vmw201 /]# chkconfig kadmin on
The KDC is now running. The two daemons run in the background; check their log files (/var/log/krb5kdc.log and /var/log/kadmind.log).
You can verify that the two daemons work correctly with the kinit command.
2.2.9 About AES-256 encryption
On CentOS 5.6 and later, AES-256 is used for encryption by default. This requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to be installed on all nodes in the cluster.
The download is a zip package; after unpacking it, place the two files it contains in the directory $JAVA_HOME/jre/lib/security.
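The following added script (not part of the original article) checks the supported_enctypes line of a kdc.conf against the advice in 2.2.3 and 2.2.9: it flags aes256-cts when the JCE unlimited-strength policy is not present under JAVA_HOME, and warns about single-DES and RC4 types. The file path and JAVA_HOME are parameters; the fallback /usr/java/default and the policy file name local_policy.jar (the JCE file name for Java 6 to 8) are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example: lint supported_enctypes in a kdc.conf (see 2.2.3 and 2.2.9).

# Print the enctypes from supported_enctypes, one per line, without the :salt suffix.
kdc_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ' \t' '\n\n' | sed 's/:.*$//' | grep -v '^$'
}

# check_enctypes kdc.conf [JAVA_HOME]
# Return 0 if nothing needs attention, 1 otherwise; findings go to stdout.
check_enctypes() {
    conf=$1
    java_home=${2:-${JAVA_HOME:-/usr/java/default}}   # fallback path is an assumption
    rc=0
    for et in $(kdc_enctypes "$conf"); do
        case $et in
            aes256-cts|aes256-cts-hmac-sha1-96)
                # local_policy.jar is the JCE unlimited-strength policy file on Java 6-8
                if [ ! -f "$java_home/jre/lib/security/local_policy.jar" ]; then
                    echo "WARN: $et listed but JCE unlimited policy not found under $java_home (see 2.2.9)"
                    rc=1
                fi ;;
            des-cbc-*|des-hmac-*|arcfour-hmac*)
                echo "WARN: $et is a weak legacy enctype; keep it only for clients that cannot use AES"
                rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on a constructed kdc.conf fragment (the page's list plus aes256-cts).
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
[realms]
hadoop.com = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal
}
EOF
check_enctypes "$DEMO_CONF" /nonexistent/java || echo "kdc.conf needs attention before the KDC is created"
rm -f "$DEMO_CONF"
```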
2.3 Configuring Kerberos Clients
2.3.1 Install the Kerberos client (this step can be omitted on CentOS 7)
Install the Kerberos client on the other two hosts (vmw202, vmw203):
yum install krb5-workstation krb5-libs krb5-auth-dialog
2.3.2 Configure krb5.conf
Configure /etc/krb5.conf on these hosts; its contents must be identical to the file on the KDC.
3. Kerberos daily operation and FAQ
3.1 Administrator actions
3.1.1 Login
Log in with the administrator account: on the KDC itself you can log in directly via kadmin.local; on other machines, first authenticate with kinit.
3.1.2 Check and change accounts
Use the addprinc, delprinc, modprinc and listprincs commands at the administrator prompt. Use ? to list all commands.
kadmin.local: addprinc test
kadmin.local: delprinc test
kadmin.local: listprincs
3.1.3 Generate a keytab: use the xst command or the ktadd command
kadmin: xst -k /xxx/xxx/kerberos.keytab hdfs/hadoop1
3.2 User actions
3.2.1 View the currently authenticated user
klist
3.2.3 Authenticate a user with a keytab
kinit -kt /xx/xx/kerberos.keytab hdfs/hadoop1
3.2.4 Delete the current credential cache
kdestroy
3.3 FAQ
3.3.1 Check whether a ticket is renewable
View the ticket with the klist command.
If the value of "valid starting" is the same as "renew until", the ticket of that principal is not renewable.
3.3.2 The ticket cannot be renewed
When the ticket reaches its expiry time, you can renew it with kinit -R.
But if the ticket cannot be renewed:
[root@vmw201 ~]$ kinit -R
kinit: ticket expired while renewing credentials
This happens because the maxrenewlife of krbtgt/hadoop.com@hadoop.com is set to 0, which can be seen with getprinc krbtgt/hadoop.com@hadoop.com in kadmin.local.
Change the maxrenewlife of krbtgt/hadoop.com@hadoop.com to 7 days as follows:
kadmin.local: modprinc -maxrenewlife 1week krbtgt/hadoop.com@hadoop.com
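The added script below (not from the original article) applies the rule from 3.3.1 to klist output to decide whether the TGT can be renewed, and points at the 3.3.2 fix when it cannot. It also treats a listing with no "renew until" line as not renewable, which is how klist reports a ticket without a renewable lifetime. The klist listings inside the script are constructed samples in the MIT klist format, not real output.

```shell
#!/bin/sh
# Added example: check TGT renewability from klist output (see 3.3.1 and 3.3.2).

# Reads klist output on stdin. Prints renewable / not-renewable / no-tgt and
# returns 0 / 1 / 2 respectively. Use as: klist | check_tgt_renewable
check_tgt_renewable() {
    awk '
        # First credential whose service principal is a krbtgt: capture "valid starting".
        $NF ~ /^krbtgt\// && !found { start = $1 " " $2; found = 1; next }
        # The optional "renew until <date> <time>" line belongs to that ticket.
        found && $1 == "renew" && $2 == "until" { renew = $3 " " $4; exit }
        # Any other non-empty line means the TGT had no renew-until line.
        found && NF > 0 { exit }
        END {
            if (!found) { print "no-tgt"; exit 2 }
            if (renew == "" || renew == start) { print "not-renewable"; exit 1 }
            print "renewable"; exit 0
        }'
}

# Constructed sample listings (not real klist output).
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@hadoop.com

Valid starting       Expires              Service principal
01/10/2019 10:00:00  01/11/2019 10:00:00  krbtgt/hadoop.com@hadoop.com
        renew until 01/17/2019 10:00:00'

SAMPLE_NOT_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@hadoop.com

Valid starting       Expires              Service principal
01/10/2019 10:00:00  01/11/2019 10:00:00  krbtgt/hadoop.com@hadoop.com
        renew until 01/10/2019 10:00:00'

# Demonstration: classify both samples and name the remedy from 3.3.2 when needed.
for sample in "$SAMPLE_RENEWABLE" "$SAMPLE_NOT_RENEWABLE"; do
    if printf '%s\n' "$sample" | check_tgt_renewable; then
        echo "  -> kinit -R will work before the ticket expires"
    else
        echo "  -> kadmin.local: modprinc -maxrenewlife 1week krbtgt/hadoop.com@hadoop.com"
    fi
done
```

Note that a principal's maxrenewlife is also capped by max_renewable_life in kdc.conf (2.2.3), so both must be non-zero for renewal to work.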
That concludes this introduction to installing and using Kerberos. I hope it helps you; if you have any questions, leave me a message and I will reply promptly. Many thanks also to the Cloud Habitat Community website for its support!