Kerberos Service Installation

Step 1. Install the Kerberos server

Install the Kerberos server on 102.2.5.13 with: yum install krb5-server krb5-libs krb5-auth-dialog (krb5-auth-dialog is a desktop ticket-renewal applet and can be left out on a headless server).
The KDC host must itself be well secured and normally runs nothing but the KDC: its database holds the long-term keys of every principal in the realm, so compromising that host compromises the whole realm. In this article 102.2.5.13 is the KDC host. After the packages are installed, two configuration files exist on the KDC host: /etc/krb5.conf, which defines the realm name, the KDC and admin server addresses, and the domain-to-realm mappings, and /var/kerberos/krb5kdc/kdc.conf, which holds the KDC-side settings for each realm (listening ports, database location, supported key types, default principal flags). Both ship with the placeholder realm EXAMPLE.COM and must be edited for your realm before the KDC database is created.
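The contents of those two files are not shown in the post. As an added example (not code from the original post or from the krb5 project), the script below renders a minimal /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf and kadm5.acl for realm ultraman.ORG with the KDC at 102.2.5.13 (both taken from the post), checks them, and, on the KDC only, creates the database and enables the daemons. The DNS domain ultraman.org, the enctype list, the ticket lifetimes, the PREFIX variable and the render/init arguments are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: render the Kerberos config for
# realm ultraman.ORG with the KDC on 102.2.5.13 (both from the post), check
# it, and optionally initialise the KDC. Assumptions: DNS domain ultraman.org,
# the enctype list and lifetimes, and the PREFIX / render / init conventions.
set -eu

REALM="ultraman.ORG"
KDC_HOST="102.2.5.13"
DOMAIN="ultraman.org"   # assumed DNS domain that maps onto the realm

# /etc/krb5.conf: default realm, where the KDC and kadmin server are, and the
# domain-to-realm mapping. This is the file pushed to every client.
render_krb5_conf() {
    mkdir -p "$1/etc"
    cat > "$1/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false

[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $KDC_HOST
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# kdc.conf: KDC-side settings only (ports, database, key types, and +preauth
# so every new principal requires pre-authentication, which stops an attacker
# requesting AS-REPs for arbitrary principals to crack offline). KDC host only.
render_kdc_conf() {
    mkdir -p "$1/var/kerberos/krb5kdc"
    cat > "$1/var/kerberos/krb5kdc/kdc.conf" <<EOF
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    $REALM = {
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/kerberos/krb5kdc/.k5.$REALM
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
EOF
}

# kadm5.acl: only */admin principals may administer the realm through the
# kadmin service. Without this line admin/admin@ultraman.ORG can kinit but
# cannot run kadmin from a client.
render_kadm5_acl() {
    mkdir -p "$1/var/kerberos/krb5kdc"
    printf '*/admin@%s *\n' "$REALM" > "$1/var/kerberos/krb5kdc/kadm5.acl"
}

# Checks: the realm is in all three files, and the ACL does not hand full
# rights to every principal ("* *").
check_rendered() {
    grep -q "default_realm = $REALM" "$1/etc/krb5.conf" || return 1
    grep -q "$REALM = {" "$1/var/kerberos/krb5kdc/kdc.conf" || return 1
    grep -q "^\*/admin@$REALM \*$" "$1/var/kerberos/krb5kdc/kadm5.acl" || return 1
    ! grep -Eq '^\* ' "$1/var/kerberos/krb5kdc/kadm5.acl"
}

render_all() { render_krb5_conf "$1"; render_kdc_conf "$1"; render_kadm5_acl "$1"; check_rendered "$1"; }

# KDC only: create the database (-s stashes the master key so krb5kdc can start
# unattended; kdb5_util prompts for the master password), then enable at boot.
init_kdc() {
    kdb5_util create -r "$REALM" -s
    systemctl enable krb5kdc kadmin
    systemctl start krb5kdc kadmin
}

case "${1:-}" in
    render) render_all "${PREFIX:-/}" ;;   # e.g. PREFIX=/tmp/krb ./kdc-setup.sh render
    init)   render_all / && init_kdc ;;
esac
```

Render into a scratch PREFIX first and diff against the packaged files; only the KDC host needs kdc.conf and kadm5.acl, while the rendered krb5.conf is the one the client install script copies out.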

Step 2. Install the Kerberos clients

With the server on 102.2.5.13, every other machine gets the client install. The script below runs from the KDC host, reads the client hostnames from a file named hosts, checks time synchronisation (NTP) on each one, installs the client packages, and pushes the KDC's /etc/krb5.conf to each client:

#!/bin/bash
# Run from the KDC host, which already has key-based SSH to every client
# listed one per line in ./hosts. ssh -t keeps a tty so sudo can prompt.
set -e
for HOST in $(cat hosts)
do
    echo "== $HOST"
    echo "check NTP"    # a clock more than the KDC's clockskew (5 min by default) off the KDC breaks kinit
    ssh -t "laowang@$HOST" "sudo ntpq -p"
    echo "install kerberos"
    ssh -t "laowang@$HOST" "sudo yum install -y krb5-libs krb5-workstation"
    # scp as an unprivileged user lands in /tmp; sudo then moves it into place
    scp -p /etc/krb5.conf "laowang@$HOST:/tmp"
    ssh -t "laowang@$HOST" "sudo cp -pf /tmp/krb5.conf /etc/"
    ssh -t "laowang@$HOST" "sudo chown root:root /etc/krb5.conf"
    ssh -t "laowang@$HOST" "sudo chmod 644 /etc/krb5.conf"
done

Verify that the Kerberos setup works

Create a principal on the Kerberos server, then on a client run kinit followed by klist and check that a ticket-granting ticket (TGT) for that principal appears. On the KDC host (102.2.5.13) run:

[root@cdh203 sssd]# kadmin.local   # local admin shell; talks to the database directly, so it needs root on the KDC host
Authenticating as principal root/admin@ultraman.ORG with password.
kadmin.local:  addprinc   # addprinc (add_principal) with no arguments prints its usage
usage: add_principal [options] principal
    options are:
        [-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
        [-kvno kvno] [-policy policy] [-clearpolicy]
        [-pw password] [-maxrenewlife maxrenewlife]
        [-e keysaltlist]
        [{+|-}attribute]
    attributes are:
        allow_postdated allow_forwardable allow_tgs_req allow_renewable
        allow_proxiable allow_dup_skey allow_tix requires_preauth
        requires_hwauth needchange allow_svr password_changing_service
        ok_as_delegate ok_to_auth_as_delegate no_auth_data_required
        lockdown_keys

where,
    [-x db_princ_args]* - any number of database specific arguments.
            Look at each database documentation for supported arguments
  • Create the Kerberos admin principal:
kadmin.local:  addprinc admin/admin@ultraman.ORG
WARNING: no policy specified for admin/admin@ultraman.ORG; defaulting to no policy
Enter password for principal "admin/admin@ultraman.ORG":   #需要设置密码
Re-enter password for principal "admin/admin@ultraman.ORG":   #需要设置密码
add_principal: Principal or policy already exists while creating "admin/admin@ultraman.ORG".   # the principal already existed from an earlier run
  • Create an ordinary Kerberos principal (same procedure; cloudera-scm/admin is the principal Cloudera Manager uses to create service principals):
kadmin.local:  addprinc cloudera-scm/admin@ultraman.ORG
WARNING: no policy specified for cloudera-scm/admin@ultraman.ORG; defaulting to no policy
Enter password for principal "cloudera-scm/admin@ultraman.ORG": 
Re-enter password for principal "cloudera-scm/admin@ultraman.ORG": 
Principal "cloudera-scm/admin@ultraman.ORG" created.
kadmin.local:  kinit admin/admin@ultraman.ORG   # kinit is a shell command, not a kadmin request, so this fails
kadmin.local: Unknown request "kinit".  Type "?" for a request list.
kadmin.local:  exit
The password set for both principals above is 123456. That is acceptable for a lab only; in production use a strong password and attach a password policy with -policy (kadmin warned that no policy is set).
  • On a Kerberos client (102.2.5.11) run:
[laowang@cdh201 ~]$ kinit admin/admin@ultraman.ORG
Password for admin/admin@ultraman.ORG: 
[laowang@cdh201 ~]$ klist
Ticket cache: KEYRING:persistent:1112:1112
Default principal: admin/admin@ultraman.ORG

Valid starting       Expires              Service principal
07/16/2018 15:12:58  07/17/2018 15:12:58  krbtgt/ultraman.ORG@ultraman.ORG
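The kinit/klist check above is done by hand. As an added example (not part of the original post), the script below automates it on a client: it checks clock skew against the KDC, confirms 88/tcp on 102.2.5.13 is reachable, obtains a TGT for admin/admin@ultraman.ORG non-interactively, and parses klist output instead of eyeballing it. The realm, principal, KDC address and the sample klist output come from the post; the MAX_SKEW value, the KRB5_PASSWORD variable, the run argument and reading the KDC's clock over ssh as laowang are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: scripted version of the client
# check. Realm, principal, KDC address and the klist layout come from the post;
# MAX_SKEW, KRB5_PASSWORD, the "run" argument and reading the KDC clock over
# ssh as laowang are assumptions.
set -eu

REALM="ultraman.ORG"
KDC_HOST="102.2.5.13"
PRINCIPAL="admin/admin@$REALM"
MAX_SKEW=300   # seconds; the MIT KDC default clockskew is 300

# Authenticators carry timestamps, so a client clock more than clockskew off
# the KDC's fails with "Clock skew too great". $1 = KDC epoch, $2 = client epoch.
skew_ok() {
    delta=$(( $1 - $2 ))
    [ "${delta#-}" -le "$MAX_SKEW" ]
}

# KDC reachable on 88/tcp, using bash's /dev/tcp so no extra tools are needed.
kdc_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$KDC_HOST/88" 2>/dev/null
}

# Parse klist output on stdin: true only if the default principal is $1 and a
# krbtgt/$2@$2 ticket is listed (a TGT for that realm, not just any ticket).
klist_has_tgt() {
    awk -v p="$1" -v r="$2" '
        /^Default principal:/      { if ($3 == p) have_p = 1 }
        $NF == ("krbtgt/" r "@" r) { have_tgt = 1 }
        END { exit !(have_p && have_tgt) }'
}

# Non-interactive kinit: MIT kinit reads the password from stdin when stdin is
# not a terminal. klist -s is the real pass/fail signal: it exits non-zero if
# the cache holds no valid, unexpired ticket.
verify_tgt() {
    printf '%s\n' "$KRB5_PASSWORD" | kinit "$PRINCIPAL"
    klist -s
    klist | klist_has_tgt "$PRINCIPAL" "$REALM"
}

# Constructed sample (copied from the klist output in the post) so the parser
# can be exercised offline.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1112:1112
Default principal: admin/admin@ultraman.ORG

Valid starting       Expires              Service principal
07/16/2018 15:12:58  07/17/2018 15:12:58  krbtgt/ultraman.ORG@ultraman.ORG'

if [ "${1:-}" = "run" ]; then
    : "${KRB5_PASSWORD:?export KRB5_PASSWORD before running}"
    kdc_time=$(ssh "laowang@$KDC_HOST" date +%s)
    skew_ok "$kdc_time" "$(date +%s)" || { echo "clock skew > ${MAX_SKEW}s vs KDC"; exit 1; }
    kdc_reachable || { echo "$KDC_HOST:88 unreachable"; exit 1; }
    verify_tgt && echo "TGT for $PRINCIPAL OK"
fi
```

Run it as KRB5_PASSWORD=... ./verify-krb.sh run on a client. A listing from klist alone is not proof: an expired ticket still prints, which is why the script relies on the exit status of klist -s and only then checks that the listed service principal is krbtgt for the expected realm.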

Notes

  • (1) Install the Kerberos server on the machine that already has passwordless SSH to the other hosts; the client install script then runs without prompting for SSH passwords.
  • (2) Enable the Kerberos services at boot and start them

    • centos 6
      chkconfig krb5kdc on
      chkconfig kadmin on
      service krb5kdc start
      service kadmin start

    • centos 7
      systemctl enable krb5kdc kadmin    # enable at boot; start alone does not survive a reboot
      systemctl start krb5kdc
      systemctl start kadmin
      systemctl status krb5kdc
      systemctl status kadmin

Reposted from blog.csdn.net/liu16659/article/details/81075630