Kerberos Basic Installation and configuration

Source: Internet
Author: User

Because of the recent need to use Kerberos authentication for the environment, there is very little understanding of Kerberos before, today, take the time to manually install Kerberos, so as to deepen the understanding of Kerberos.

1 Select a machine to run KDC and install Kerberos-related services

[Root@cent-1 ~]# yum install-y krb5-server krb5-libs krb5-auth-dialog krb5-workstation
[root@cent-1 ~]# RPM-QA | gre P krb5
krb5-workstation-1.10.3-57.el6.x86_64
krb5-libs-1.10.3-57.el6.x86_64
krb5-devel-1.10.3-57.el6.x86_64
krb5-server-1.10.3-57.el6.x86_64
krb5-auth-dialog-0.13-5.el6.x86_64

2 Configure Kerberos, including krb5.conf and kdc.conf, modify the realm, and modify the default example.com to the value you want to define

[root@cent-1 ~]# cat/etc/krb5.conf [logging] default = File:/var/log/krb5libs.log KDC = FILE:/ Var/log/krb5kdc.log admin_server = File:/var/log/kadmind.log [Libdefaults] Default_realm = ESGYN.COM Dns_lookup_realm
  = False DNS_LOOKUP_KDC = False Ticket_lifetime = 24h Renew_lifetime = 7d forwardable = True [Realms] esgyn.com = { KDC = kerberos.esgyn.com admin_server = kerberos.esgyn.com} [Domain_realm]. esgyn.com = esgyn.com esgyn.com = esgy n.com [root@cent-1 ~]# cat/var/kerberos/krb5kdc/kdc.conf [kdcdefaults] kdc_ports = Kdc_tcp_ports = [Realms] ES gyn.com = {#master_key_type = aes256-cts Acl_file =/var/kerberos/krb5kdc/kadm5.acl Dict_file =/usr/share/dict/wor DS Admin_keytab =/var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal ARCF Our-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal Des-cbc-crc:normal} 

3 Create the Kerberos database, where you need to set the administrator password, the completion will generate a series of files under/var/kerberos/krb5kdc/, if you rebuild the database, you need to delete the/var/kerberos/ KRB5KDC below principal related documents

[Root@cent-1 ~]#/usr/sbin/kdb5_util create-s
Loading random data
initializing database '/var/kerberos/ Krb5kdc/principal ' for Realm ' Esgyn. COM ',
master key name ' K/m@esgyn. COM ' You'll be prompted for the '
database Master Password.
It is important the forget this password.
Enter KDC Database master key:
re-enter KDC database master key to verify:

[root@cent-1 ~]# ll/var/kerberos/krb5k dc/Total
-rw-------. 1 root   Mar  9  2016 Kadm5.acl
-rw-------. 1 root root  403 10:18 kdc.conf
-rw-------. 1 root 8192 1 10:23, principal
-------. 1 root root-rw 3 10:23 principal.kadm5
-rw-------. 1 root root    0 10:23 principal.kadm5.lock-rw
-------. 1 root root    0 10:24 Principal.ok

4 Add Database administrator, note that kadmin.local can be run directly on the KDC without having to pass Kerberos authentication

[Root@cent-1 ~]#/usr/sbin/kadmin.local-q "Addprinc admin/admin"
authenticating as principal centos/ Admin@ESGYN.COM with password.
Warning:no policy specified for admin/admin@esgyn.com; Defaulting to no policy
Enter password for principal ' admin/admin@esgyn.com ':
re-enter password for principal ' ad Min/admin@esgyn.com ":
Principal" admin/admin@esgyn.com "created.
[Root@cent-1 ~]# kadmin.local
authenticating as Principal with centos/admin@esgyn.com.
Kadmin.local:  listprinc
kadmin.local:Unknown Request "Listprinc".  Type "?" for a request list.
Kadmin.local:  listprincs
k/m@esgyn.com
admin/admin@esgyn.com
kadmin/admin@esgyn.com
kadmin/cent-1.novalocal@esgyn.com
kadmin/changepw@esgyn.com
krbtgt/esgyn.com@esgyn.com

5 Add ACL permissions to the database administrator, modify the Kadm5.acl file, * represent all permissions

[Root@cent-1 ~]# cat/var/kerberos/krb5kdc/kadm5.acl
*/admin@esgyn.com   *

6 Start the Kerberos process and set the boot up to view the logs through/var/log/krb5kdc.log and/var/log/kadmind.log, and check the Kerberos operation via Kinit

[root@cent-1 ~]# Service KRB5KDC start
starting Kerberos 5 KDC:                                   [  OK  ]
[root@cent-1 ~]# Service Kadmin start
starting Kerberos 5 Admin Server:                          [  OK  ]
[root@cent-1 ~]# service KRB5KDC status< C13/>KRB5KDC (PID  25980) is running
... [Root@cent-1 ~]# service kadmin status
kadmind (PID  26017) is running ...
[Root@cent-1 ~]# chkconfig krb5kdc on
[root@cent-1 ~]# chkconfig kadmin on

[root@cent-1 krb5kdc]# kinit] Trafodi On
Password for Trafodion@ESGYN.COM:
[root@cent-1 krb5kdc]#

7 Configuration Jce, this is because CentOS6.5 and above systems use AES-256 encryption by default, so all nodes need to be installed and configured JCE,JCE download path: http://www.oracle.com/technetwork/java/ Javase/downloads/jce8-download-2133166.html

[Root@cent-1 unlimitedjcepolicyjdk8]# ll Total
-rw-rw-r--. 1 root 3035 Dec  2013 local_policy.jar< C4/>-rw-r--r--. 1 root 7323 Dec  2013 README.txt
-rw-rw-r--. 1 root root 3023 Dec  2013 Us_export_policy.jar
[Roo T@cent-1 security]# cp/home/centos/unlimitedjcepolicyjdk8//usr/java/jdk1.8.0_11/jre/lib/security/
Local_ Policy.jar      README.txt            us_export_policy.jar
[root@cent-1 security]# cp/home/centos/ unlimitedjcepolicyjdk8/us_export_policy.jar/usr/java/jdk1.8.0_11/jre/lib/security/
cp:overwrite '/usr/java /jdk1.8.0_11/jre/lib/security/us_export_policy.jar '? Y

8 To this end, the Kerberos server has been set up, and now select another machine to install the client, including installation and configuration/etc/krb5.conf same as KDC

[Root@cent-2 ~]# yum install-y krb5-workstation krb5-libs

9 Kadmin generated keytab, if the KDC above directly run kadmin.local, if it is in the client first kinit then Kadmin

(1) Kdc

[Root@cent-1 ~]# kadmin.local authenticating as principal with trafodion/admin@esgyn.com. Kadmin.local:listprincs k/m@esgyn.com kadmin/admin@esgyn.com kadmin/cent-1.novalocal@esgyn.com kadmin/ Changepw@ESGYN.COM Krbtgt/esgyn.  COM@ESGYN.COM Trafodion@ESGYN.COM kadmin.local:xst-k/opt/trafodion.keytab trafodion Entry for principal with
Kvno 2, encryption type aes128-cts-hmac-sha1-96 added to Keytab wrfile:/opt/trafodion.keytab.
Entry for principal trafodion with KVNO 2, encryption type DES3-CBC-SHA1 added to keytab.
Entry for principal trafodion with KVNO 2, encryption type Arcfour-hmac added to keytab.
Entry for principal trafodion with KVNO 2, encryption type DES-HMAC-SHA1 added to keytab.

Entry for principal trafodion with KVNO 2, encryption type DES-CBC-MD5 added to keytab. [Root@cent-1 opt]# LL/OPT/TRAFODION.KEYTAB-RW-------. 1 root root 279 JaN 13:05/opt/trafodion.keytab 

(2) Client (need to kinit first)

[Root@cent-2 ~]# kinit kadmin/admin
Password for kadmin/admin@esgyn.com:
[root@cent-2
~]#-kadmin Authenticating as principal kadmin/admin@esgyn.com with password.
Password for kadmin/admin@esgyn.com:
kadmin:  addprinc centos warning:no policy for
Centos@ESGYN.COM; Defaulting to no policy
Enter password for principal ' Centos@ESGYN.COM ':
re-enter password for principal ' centos@ Esgyn.com ":
Principal" Centos@ESGYN.COM "created.
Kadmin:  listprincs
k/m@esgyn.com
centos@ESGYN.COM
kadmin/admin@esgyn.com
kadmin/ Cent-1.novalocal@ESGYN.COM
kadmin/changepw@esgyn.com
krbtgt/esgyn.com@esgyn.com
Trafodion@ESGYN.COM

KINIT-KT Certified user, Klist view current authenticated user

[root@cent-2 ~]# kinit-kt/opt/trafodion.keytab trafodion [root@cent-2 ~]# klist-Ticket cache: File:/tmp/krb5cc_0 Default principal:trafodion@esgyn.com Valid starting Expires Service principal 01/13/1 7 13:35:41 01/14/17 13:35:41 krbtgt/esgyn.com@esgyn.com renew until 01/13/17 13:35:41 
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

Tags Index: