Kerberos Basic Installation and configuration

Source: Internet
Author: User
Tags auth hmac sha1 administrator password kinit

Because of a recent need to use Kerberos authentication in our environment, and having had very little understanding of Kerberos before, I took the time today to install Kerberos by hand so as to deepen my understanding of it.

1 Select a machine to run the KDC and install the Kerberos-related packages

[root@cent-1 ~]# yum install -y krb5-server krb5-libs krb5-auth-dialog krb5-workstation
[root@cent-1 ~]# rpm -qa | grep krb5
krb5-workstation-1.10.3-57.el6.x86_64
krb5-libs-1.10.3-57.el6.x86_64
krb5-devel-1.10.3-57.el6.x86_64
krb5-server-1.10.3-57.el6.x86_64
krb5-auth-dialog-0.13-5.el6.x86_64

2 Configure Kerberos: edit krb5.conf and kdc.conf and change the realm from the default EXAMPLE.COM to the realm you want (ESGYN.COM here). Realm names are case-sensitive and by convention upper-case, and the same spelling must be used in both files. Note that the stock supported_enctypes list in kdc.conf still contains single DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc), 3DES and RC4 (arcfour-hmac); every key and keytab the KDC issues will carry those weak enctypes too, so unless a legacy client needs them, trim the list to the AES entries before creating the database.

[root@cent-1 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ESGYN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 ESGYN.COM = {
  kdc = kerberos.esgyn.com
  admin_server = kerberos.esgyn.com
 }

[domain_realm]
 .esgyn.com = ESGYN.COM
 esgyn.com = ESGYN.COM

[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ESGYN.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
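As an added example that is not part of the original post, the script below generates the two files from step 2 for a given realm and KDC host, with supported_enctypes reduced to the AES entries, and audits an existing kdc.conf for DES, 3DES and RC4 enctypes. The function names, the temporary output paths and the embedded sample kdc.conf fragment (a constructed copy of the post's supported_enctypes line) are mine, not the post's.

```shell
#!/bin/sh
# Added example: generate AES-only krb5.conf / kdc.conf and audit a kdc.conf
# for weak enctypes. Realm, host and output paths are passed as arguments.
set -eu

write_krb5_conf() {  # $1 realm, $2 KDC/admin host, $3 output path
  realm=$1; host=$2
  domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  cat > "$3" <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $realm = {
  kdc = $host
  admin_server = $host
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

write_kdc_conf() {  # $1 realm, $2 output path
  cat > "$2" <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $1 = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

# Print, one per line, every enctype named in supported_enctypes of file $1
# that is single DES, 3DES or RC4 (the salt suffix ":normal" is stripped).
weak_enctypes() {
  sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ' ' '\n' | sed 's/:.*//' \
    | grep -i -E '^(des|des3|arcfour|rc4)' || true
}

# Constructed sample: the supported_enctypes line from the post's kdc.conf.
sample_legacy_kdc_conf() {
  cat <<'EOF'
[realms]
 ESGYN.COM = {
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
}

# Stand-alone run: write both files to a scratch directory and audit them.
demo_dir=$(mktemp -d)
write_krb5_conf ESGYN.COM kerberos.esgyn.com "$demo_dir/krb5.conf"
write_kdc_conf ESGYN.COM "$demo_dir/kdc.conf"
sample_legacy_kdc_conf > "$demo_dir/kdc.conf.legacy"
echo "weak enctypes in the post's kdc.conf:"
weak_enctypes "$demo_dir/kdc.conf.legacy"
echo "weak enctypes in the generated kdc.conf: '$(weak_enctypes "$demo_dir/kdc.conf")'"
rm -rf "$demo_dir"
```

Run the audit against the real file with `weak_enctypes /var/kerberos/krb5kdc/kdc.conf` before step 3; enctypes removed after the database exists do not disappear from principals that already have keys until those keys are changed.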

3 Create the Kerberos database. You are prompted for the database master password; on completion a set of files is generated under /var/kerberos/krb5kdc/. To rebuild the database, first delete the principal* files under /var/kerberos/krb5kdc/. The -s option stashes the master key in a local file (/var/kerberos/krb5kdc/.k5.ESGYN.COM, hidden from a plain ll) so the KDC can start without a prompt; anyone who can read that file can decrypt every key in the database, so keep it root-only and off backups that are not themselves encrypted.

[root@cent-1 ~]# /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ESGYN.COM',
master key name 'K/M@ESGYN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

[root@cent-1 ~]# ll /var/kerberos/krb5kdc/
-rw-------. 1 root root      Mar  9  2016 kadm5.acl
-rw-------. 1 root root  403       10:18 kdc.conf
-rw-------. 1 root root 8192       10:23 principal
-rw-------. 1 root root    3       10:23 principal.kadm5
-rw-------. 1 root root    0       10:23 principal.kadm5.lock
-rw-------. 1 root root    0       10:24 principal.ok

4 Add a database administrator principal. kadmin.local operates directly on the local database files, so it runs on the KDC as root without Kerberos authentication and works before kadmind is even started; the "Authenticating as principal ..." line it prints is only the default admin name derived from the invoking user.

[root@cent-1 ~]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
Authenticating as principal centos/admin@ESGYN.COM with password.
WARNING: no policy specified for admin/admin@ESGYN.COM; defaulting to no policy
Enter password for principal "admin/admin@ESGYN.COM":
Re-enter password for principal "admin/admin@ESGYN.COM":
Principal "admin/admin@ESGYN.COM" created.
[root@cent-1 ~]# kadmin.local
Authenticating as principal centos/admin@ESGYN.COM with password.
kadmin.local:  listprinc
kadmin.local: Unknown request "listprinc".  Type "?" for a request list.
kadmin.local:  listprincs
K/M@ESGYN.COM
admin/admin@ESGYN.COM
kadmin/admin@ESGYN.COM
kadmin/cent-1.novalocal@ESGYN.COM
kadmin/changepw@ESGYN.COM
krbtgt/ESGYN.COM@ESGYN.COM

5 Grant the administrator its ACL permissions by editing kadm5.acl; * in the second column stands for all privileges. The stock rule */admin@ESGYN.COM gives full rights to every principal whose instance is admin, so create such principals sparingly, or list the administrators by name instead of using the wildcard.

[root@cent-1 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@ESGYN.COM   *

6 Start the Kerberos daemons and enable them at boot; watch /var/log/krb5kdc.log and /var/log/kadmind.log, and check that the KDC issues tickets with kinit. The kinit below uses a user principal trafodion that must already have been created with addprinc (that step is not shown here).

[root@cent-1 ~]# service krb5kdc start
Starting Kerberos 5 KDC:                                   [  OK  ]
[root@cent-1 ~]# service kadmin start
Starting Kerberos 5 Admin Server:                          [  OK  ]
[root@cent-1 ~]# service krb5kdc status
krb5kdc (pid  25980) is running...
[root@cent-1 ~]# service kadmin status
kadmind (pid  26017) is running...
[root@cent-1 ~]# chkconfig krb5kdc on
[root@cent-1 ~]# chkconfig kadmin on

[root@cent-1 krb5kdc]# kinit trafodion
Password for trafodion@ESGYN.COM:
[root@cent-1 krb5kdc]#

7 Install the JCE unlimited-strength policy files. CentOS 6.5 and later enable AES-256 in Kerberos by default, while Oracle JDK 8 before 8u161 ships a limited-strength crypto policy that caps AES at 128 bits, so Java services cannot use AES-256 Kerberos keys unless the unlimited policy files are installed on every node (JDK 8u161 and later enable unlimited strength by default and need nothing extra). Download: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. Note that with the kdc.conf shown in step 2 the strongest enctype in supported_enctypes is aes128-cts, so this KDC does not issue AES-256 keys until aes256-cts is added to that list; the policy files become necessary at that point.

[root@cent-1 UnlimitedJCEPolicyJDK8]# ll
-rw-rw-r--. 1 root root 3035 Dec     2013 local_policy.jar
-rw-r--r--. 1 root root 7323 Dec     2013 README.txt
-rw-rw-r--. 1 root root 3023 Dec     2013 US_export_policy.jar
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/local_policy.jar /usr/java/jdk1.8.0_11/jre/lib/security/
cp: overwrite `/usr/java/jdk1.8.0_11/jre/lib/security/local_policy.jar'? y
[root@cent-1 security]# cp /home/centos/UnlimitedJCEPolicyJDK8/US_export_policy.jar /usr/java/jdk1.8.0_11/jre/lib/security/
cp: overwrite `/usr/java/jdk1.8.0_11/jre/lib/security/US_export_policy.jar'? y

8 The Kerberos server is now set up. Pick another machine as the client: install the client packages and copy /etc/krb5.conf from the KDC to it unchanged.

[root@cent-2 ~]# yum install -y krb5-workstation krb5-libs

9 Generate a keytab with kadmin. On the KDC run kadmin.local directly; on a client, kinit as an admin principal first and then run kadmin. Be aware that xst (ktadd) randomizes the principal's key and bumps its kvno (kvno 2 below), so the password that worked for trafodion in step 6 stops working as soon as the keytab is exported; for a service principal that is what you want. If a password must keep working, use -norandkey with kadmin.local. The resulting keytab is equivalent to a password, so keep it mode 0600 and owned by the service account only.

(1) On the KDC

[root@cent-1 ~]# kadmin.local
Authenticating as principal trafodion/admin@ESGYN.COM with password.
kadmin.local:  listprincs
K/M@ESGYN.COM
kadmin/admin@ESGYN.COM
kadmin/cent-1.novalocal@ESGYN.COM
kadmin/changepw@ESGYN.COM
krbtgt/ESGYN.COM@ESGYN.COM
trafodion@ESGYN.COM
kadmin.local:  xst -k /opt/trafodion.keytab trafodion
Entry for principal trafodion with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/opt/trafodion.keytab.
Entry for principal trafodion with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/opt/trafodion.keytab.
[root@cent-1 opt]# ll /opt/trafodion.keytab
-rw-------. 1 root root 279 Jan    13:05 /opt/trafodion.keytab

(2) On the client (kinit first). kadmin authenticates to kadmind with the admin principal's password itself, which is why it asks for the kadmin/admin password again after the kinit; the kinit is still a useful check that the client can reach the KDC.

[root@cent-2 ~]# kinit kadmin/admin
Password for kadmin/admin@ESGYN.COM:
[root@cent-2 ~]# kadmin
Authenticating as principal kadmin/admin@ESGYN.COM with password.
Password for kadmin/admin@ESGYN.COM:
kadmin:  addprinc centos
WARNING: no policy specified for centos@ESGYN.COM; defaulting to no policy
Enter password for principal "centos@ESGYN.COM":
Re-enter password for principal "centos@ESGYN.COM":
Principal "centos@ESGYN.COM" created.
kadmin:  listprincs
K/M@ESGYN.COM
centos@ESGYN.COM
kadmin/admin@ESGYN.COM
kadmin/cent-1.novalocal@ESGYN.COM
kadmin/changepw@ESGYN.COM
krbtgt/ESGYN.COM@ESGYN.COM
trafodion@ESGYN.COM

Authenticate with the keytab using kinit -kt and view the current ticket with klist. Note that "renew until" equals "Valid starting" here: the renew_lifetime = 7d in krb5.conf only takes effect if the KDC's max_renewable_life and the principal's own maximum renewable life allow it, so this ticket is not renewable.

[root@cent-2 ~]# kinit -kt /opt/trafodion.keytab trafodion
[root@cent-2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: trafodion@ESGYN.COM

Valid starting     Expires            Service principal
01/13/17 13:35:41  01/14/17 13:35:41  krbtgt/ESGYN.COM@ESGYN.COM
	renew until 01/13/17 13:35:41
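As an added example that is not part of the original post, the script below turns steps 4, 5 and 9 into a repeatable procedure: it emits the kadmin.local commands that create a service principal with a random key and export it to a keytab restricted to AES enctypes, locks the keytab down, verifies it with kinit -kt and klist as the post does, and includes a small checker for what a kadm5.acl line grants to a given principal. The realm ESGYN.COM, the principal and keytab names, the local service user "trafodion" and the --apply switch are my assumptions; nothing touches the KDC unless the script is run with --apply on the KDC itself.

```shell
#!/bin/sh
# Added example: scripted service-principal and keytab provisioning on the KDC,
# plus verification. Without --apply it only prints the commands it would run.
set -eu

REALM="${REALM:-ESGYN.COM}"
# Keysalt list for ktadd -e: only AES keys end up in the keytab, whatever
# supported_enctypes in kdc.conf still allows.
AES_ONLY="aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal"

# The kadmin.local commands for one service principal. -randkey means no human
# ever knows a password for it; ktadd rotates the key anyway (hence kvno 2 in the post).
kadmin_commands() {  # $1 principal name (without realm), $2 keytab path
  printf 'addprinc -randkey %s@%s\n' "$1" "$REALM"
  printf 'ktadd -k %s -e %s %s@%s\n' "$2" "$AES_ONLY" "$1" "$REALM"
}

# Run the commands through kadmin.local and restrict the keytab to its owner.
provision_keytab() {  # $1 principal name, $2 keytab path, $3 local owner
  kadmin_commands "$1" "$2" | while IFS= read -r cmd; do
    kadmin.local -q "$cmd"
  done
  chown "$3" "$2"
  chmod 600 "$2"
}

# What the post does by hand on the client: get a TGT from the keytab, show it
# (-e also prints the enctypes), then discard it. A private cache avoids
# clobbering root's /tmp/krb5cc_0.
verify_keytab() {  # $1 keytab path, $2 principal name
  KRB5CCNAME="FILE:/tmp/krb5cc_verify_$$"; export KRB5CCNAME
  kinit -kt "$1" "$2@$REALM"
  klist -e
  kdestroy
}

# Least-privilege kadm5.acl: the post's "*/admin@REALM *" grants everything to
# any principal with an admin instance; this names the one administrator.
write_kadm5_acl() {  # $1 output path
  printf 'admin/admin@%s\t*\n' "$REALM" > "$1"
}

# Print the privilege string the first matching kadm5.acl rule grants to a
# principal; exit 1 if no rule matches. kadm5.acl wildcards are approximated
# with shell patterns (shell '*' also matches across '/').
acl_privs() {  # $1 acl file, $2 full principal name
  while read -r pat privs rest; do
    case "$pat" in ''|\#*) continue ;; esac
    case "$2" in $pat) printf '%s\n' "$privs"; return 0 ;; esac
  done < "$1"
  return 1
}

if [ "${1:-}" = "--apply" ]; then
  provision_keytab trafodion /opt/trafodion.keytab trafodion
  verify_keytab /opt/trafodion.keytab trafodion
else
  echo "dry run; kadmin.local commands that --apply would execute:"
  kadmin_commands trafodion /opt/trafodion.keytab
fi
```

Run it as `sh provision.sh --apply` on the KDC after kadmind and krb5kdc are up; copy /opt/trafodion.keytab to the client with scp and re-run verify_keytab there. Because ktadd here limits the keytab to AES, the des3/arcfour/des entries that the post's xst produced never reach the file, even if kdc.conf was not cleaned up.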
