Kerberos Installation and Usage Tutorial (Linux)

Source: Internet
Author: User
Tags: auth, hmac, sha1, ticket, kinit

1. Kerberos protocol

The Kerberos protocol is used mainly for authentication in computer networks. Its defining feature is that a user enters authentication information only once and can then access multiple services on the strength of that authentication (by means of the ticket-granting ticket), that is, single sign-on (SSO). Because a shared secret key is established between each client and each service, the protocol is quite secure.

2. Install Kerberos

2.1 Environment configuration

Before installing Kerberos, make sure that the host name can be resolved.

Host name   Intranet IP      Role
vmw201      172.16.18.201    Master KDC
vmw202      172.16.18.202    Kerberos client
vmw203      172.16.18.203    Kerberos client

2.2 Configuring a Kerberos Server

2.2.1 Ensure the environment is available

Ensure that the clocks of all clients and servers are synchronized and that DNS resolution works correctly.

2.2.2 Select a host to run the KDC and install krb5-libs, krb5-server and krb5-workstation on it:

yum install krb5-server krb5-libs krb5-auth-dialog

The KDC host must itself be well secured, and typically it runs nothing but the KDC. In this article vmw201 is the host running the KDC.
After the packages are installed, the configuration files /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf exist on the KDC host; they define the realm name and the domain-to-realm mappings.

2.2.3 Configure kdc.conf

The file is located at /var/kerberos/krb5kdc/kdc.conf by default; a different location can be set with the KRB5_KDC_PROFILE environment variable.

Configuration Example:

[kdcdefaults]
 kdc_ports =
 kdc_tcp_ports =
[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Description

HADOOP.COM: the realm name; it can be chosen freely. Kerberos supports multiple realms, which adds complexity and is not discussed in this article. Realm names are case sensitive and are conventionally written in all capitals so that they are easy to recognize. The realm name is not tied to any machine's host name.

max_renewable_life = 7d determines whether tickets can be renewed at all; it must be set if ticket renewal is wanted.
master_key_type and supported_enctypes default to aes256-cts. Because Java needs additional jar files to use aes256-cts (see 2.2.9 about AES-256 encryption), it is recommended not to use it.

acl_file: the file that defines the permissions of admin users. Its format is

kerberos_principal permissions [target_principal] [restrictions], and wildcards are supported.

admin_keytab: the keytab the KDC uses to verify administrators. How to create it is described later in this article.

supported_enctypes: the supported encryption types. Be sure to remove aes256-cts.
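As an added example (not part of the original tutorial), the following POSIX shell script audits the enctypes listed in a kdc.conf realm block, flagging single DES and RC4 as weak, triple DES as deprecated, and aes256-cts as the type the tutorial recommends removing because of the JCE requirement. The kdc.conf content is a constructed sample modelled on the one above.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the enctypes a kdc.conf realm
# block advertises. Single DES and RC4 (arcfour) are tagged WEAK, triple DES
# DEPRECATED, and aes256-cts is tagged JCE because the tutorial recommends
# leaving it out when Java clients lack the unlimited-strength JCE policy files.

# Constructed sample modelled on the tutorial's kdc.conf (master_key_type commented out).
SAMPLE_KDC_CONF='[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'

# Read a kdc.conf on stdin; print "TAG enctype" per supported enctype and
# "MASTER TAG type" when master_key_type is set (commented lines are ignored).
audit_enctypes() {
    awk '
        function tag(et) {
            if (et ~ /^(des-|arcfour-|rc4-)/) return "WEAK"
            if (et ~ /^des3-/)                return "DEPRECATED"
            if (et ~ /^aes256-/)              return "JCE"
            return "OK"
        }
        /^[ \t]*master_key_type[ \t]*=/ {
            sub(/^[ \t]*master_key_type[ \t]*=[ \t]*/, "")
            print "MASTER", tag($0), $0
        }
        /^[ \t]*supported_enctypes[ \t]*=/ {
            sub(/^[ \t]*supported_enctypes[ \t]*=[ \t]*/, "")
            n = split($0, et, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (et[i] == "") continue
                sub(/:.*/, "", et[i])          # drop the :normal salt-type suffix
                print tag(et[i]), et[i]
            }
        }'
}

# Number of entries in the sample carrying the given tag.
count_tag() { printf '%s\n' "$SAMPLE_KDC_CONF" | audit_enctypes | grep -c "^$1 "; }

printf '%s\n' "$SAMPLE_KDC_CONF" | audit_enctypes
[ "$(count_tag WEAK)" -eq 0 ] || echo "remove the WEAK enctypes before starting the KDC" >&2
```

Replace the sample with `audit_enctypes < /var/kerberos/krb5kdc/kdc.conf` to check a real KDC.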

2.2.4 Configure krb5.conf

/etc/krb5.conf contains the Kerberos configuration, for example the location of the KDC and the admin server and the realm names. The file must be identical on all machines that use Kerberos. Only the basic required configuration is listed here.

Configuration Example:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 # udp_preference_limit = 1
[realms]
 HADOOP.COM = {
  kdc = vmw201
  admin_server = vmw201
 }
[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM

Description

[logging]: where the server-side logs are written.

[libdefaults]: the default settings for every connection; a few small but important settings deserve attention.

default_realm = HADOOP.COM: the default realm; it must match the name of the realm being configured.

udp_preference_limit = 1 disables the use of UDP, which prevents errors in Hadoop.

ticket_lifetime indicates that a ticket is valid for 24 hours.

renew_lifetime indicates that a ticket can be renewed for at most one week. Once the ticket has expired, subsequent access to Kerberos-protected services fails.

[realms]: lists the realms in use.

kdc: the location of the KDC, in the format machine:port.

admin_server: the location of the admin server, in the format machine:port.

default_domain: the default domain name.

[appdefaults]: settings for specific applications that override the defaults.

2.2.5 Create and initialize the Kerberos database

Once the two configuration files above are complete, the database can be initialized and the KDC started.

[root@vmw201 ~]# /usr/sbin/kdb5_util create -s -r HADOOP.COM

-s creates a stash file that stores the master key of the KDC; -r specifies the realm name, which is needed when more than one realm is defined in krb5.conf.

Note: the database files are saved under /var/kerberos/krb5kdc. If you need to rebuild the database, delete the principal files in that directory.

During this step you are asked to enter the database master password. You must remember this password: if it is forgotten, the Kerberos server can no longer be managed.

When the Kerberos database has been created, several files appear under /var/kerberos/krb5kdc:

kadm5.acl
kdc.conf
principal
principal.kadm5
principal.kadm5.lock
principal.ok

2.2.6 Add a database administrator

We need to add administrative principals (principals that are allowed to manage the database) to the Kerberos database. At least one such principal is required so that the Kerberos management daemon kadmind can communicate with the kadmin program over the network.

Execute on the master KDC:

[root@vmw201 /]# /usr/sbin/kadmin.local -q "addprinc admin/admin"

and set a password for it.

kadmin.local can be run directly on the master KDC without authenticating to Kerberos first; in fact it only needs read and write permissions on the database file.

2.2.7 Set ACL permissions for the database administrator

On the KDC we need to edit the ACL file to set the permissions. The default path of the ACL file is /var/kerberos/krb5kdc/kadm5.acl (it can be changed in kdc.conf). The kadmind daemon uses this file to control access to the Kerberos database. For operations that affect principals, the ACL file also controls which principal may operate on which other principals.

We now grant permissions to the administrator by editing /var/kerberos/krb5kdc/kadm5.acl to contain

*/admin@HADOOP.COM *

This means that every principal whose name matches */admin@HADOOP.COM is considered an administrator, with permissions *, that is, all permissions.

2.2.8 Start the Kerberos daemons on the master KDC

To start manually:

[root@vmw201 /]# service krb5kdc start
[root@vmw201 /]# service kadmin start

To start automatically at boot:

[root@vmw201 /]# chkconfig krb5kdc on
[root@vmw201 /]# chkconfig kadmin on

The KDC is now running. The two daemons run in the background; their log files are /var/log/krb5kdc.log and /var/log/kadmind.log.

You can check that the two daemons are working correctly with the kinit command.

2.2.9 About AES-256 encryption

On CentOS 5.6 and later, AES-256 is used for encryption by default. This requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to be installed on every node of the cluster.
The download is a zip archive; after unpacking it, place the two files it contains in $JAVA_HOME/jre/lib/security.

2.3 Configuring Kerberos clients

2.3.1 Install the Kerberos client (this step can be omitted on CentOS 7)

Install the Kerberos client on the other two hosts (vmw202 and vmw203):

yum install krb5-workstation krb5-libs krb5-auth-dialog

2.3.2 Configure krb5.conf

Configure /etc/krb5.conf on these hosts; its contents must be identical to the file on the KDC.

3. Kerberos daily operation and FAQ

3.1 Administrator Action

3.1.1 Login

Log in to the administrator account: on the KDC itself you can log in directly with kadmin.local. On other machines, first authenticate with kinit.

3.1.2 Check and change accounts

At the administrator prompt use the addprinc, delprinc, modprinc and listprincs commands. Use ? to list all commands.

kadmin.local:  addprinc test
kadmin.local:  delprinc test
kadmin.local:  listprincs

3.1.3 Generate a keytab: use the xst or ktadd command

kadmin:  xst -k /xxx/xxx/kerberos.keytab hdfs/hadoop1

3.2 User Actions

3.2.1 View the currently authenticated user

klist

3.2.3 Authenticate a user

kinit -kt /xx/xx/kerberos.keytab hdfs/hadoop1

3.2.4 Delete the current credential cache

kdestroy

3.3 FAQ

3.3.1 Check whether a ticket is renewable

View it with the klist command.

If the value of "Valid starting" is the same as "renew until", the ticket is not renewable.

3.3.2 The ticket cannot be renewed

If the ticket has expired, it can be renewed with the command kinit -R.
But sometimes the ticket cannot be renewed:

[root@vmw201 ~]# kinit -R
kinit:ticket expired while renewing credentials

This happens because the maximum renewable life (renewlife) of krbtgt/HADOOP.COM@HADOOP.COM is set to 0, which can be seen with kadmin.local: getprinc krbtgt/HADOOP.COM@HADOOP.COM.

To set the maximum renewable life of krbtgt/HADOOP.COM@HADOOP.COM to 7 days:

kadmin.local:  modprinc -maxrenewlife 1week krbtgt/HADOOP.COM@HADOOP.COM
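As an added example (not part of the original tutorial), the following POSIX shell script applies the 3.3.1 check to klist output: each ticket is reported renewable or not, and a non-renewable result points at the krbtgt maximum renewable life discussed in 3.3.2. The klist output is a constructed sample, not real output from the hosts above.

```shell
#!/bin/sh
# Added example (not from the tutorial): run the 3.3.1 check over klist output.
# A ticket is reported NOT-RENEWABLE when klist prints no "renew until" line
# for it, or when "renew until" equals "Valid starting" (the case described above).

# Constructed klist output: the TGT is not renewable, the HDFS service ticket is.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/hadoop1@HADOOP.COM

Valid starting       Expires              Service principal
05/18/2017 10:00:00  05/19/2017 10:00:00  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 05/18/2017 10:00:00
05/18/2017 10:00:05  05/19/2017 10:00:00  hdfs/hadoop1@HADOOP.COM
        renew until 05/25/2017 10:00:00'

# Read klist output on stdin; print "RENEWABLE <principal>" or "NOT-RENEWABLE <principal>" per ticket.
check_renewable() {
    awk '
        function emit() {
            if (princ == "") return
            if (renew == "" || renew == start) print "NOT-RENEWABLE", princ
            else                               print "RENEWABLE", princ
            princ = ""; renew = ""
        }
        # A ticket line starts with the "Valid starting" date; the service principal is the last field.
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9] / { emit(); start = $1 " " $2; princ = $NF }
        /^[ \t]*renew until / { renew = $3 " " $4 }
        END { emit() }'
}

# Count the non-renewable tickets in the klist output passed as the first argument.
count_not_renewable() { printf '%s\n' "$1" | check_renewable | grep -c '^NOT-RENEWABLE'; }

printf '%s\n' "$SAMPLE_KLIST" | check_renewable
if [ "$(count_not_renewable "$SAMPLE_KLIST")" -gt 0 ]; then
    echo "kinit -R will fail for the tickets above; check getprinc on the krbtgt principal for a zero maximum renewable life" >&2
fi
```

On a real host, pipe `klist | check_renewable` instead of the sample.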

This concludes the Kerberos installation and usage tutorial. I hope it is helpful; if you have any questions, please leave a message and I will reply promptly. Many thanks also to the Cloud Habitat Community website for its support!
