Table of contents
1 Case Objectives
Master the basic Kerberos administration commands
2 Environment requirements
The KDC server has been installed
An admin principal exists
3 Case Process
- Get a ticket for the admin principal with the kinit command
- Log in to the admin server with the kadmin command
- Add an ordinary user with the addprinc command
- View the list of principals with listprincs
- View principal details with getprinc
- Delete a principal with the delprinc command
- View the credential cache with the klist command
- Destroy the cache with the kdestroy command
4 Case Practice
We use the administrator principal (jerry/admin) created earlier and add some principals with the kadmin command.
Before starting, make sure the KDC and the admin daemon are running on the KDC host:
[root@kdcserver ~]# krb5kdc
[root@kdcserver ~]# kadmind
Otherwise kinit fails with: kinit: Cannot contact any KDC for realm 'MYTRAIN.COM' while getting initial credentials
1) First, obtain a ticket for the jerry/admin@MYTRAIN.COM principal
kinit jerry/admin
You will be prompted for the password of jerry/admin.
2) Log in to the kadmin admin server
kadmin
Without -p, kadmin derives the admin principal from the default credential cache (jerry/admin) and prompts for its password again, because it obtains its own ticket for the admin service rather than reusing the cache.
3) Add the ordinary user mary
kadmin:  addprinc mary
kadmin prompts you to enter and confirm a password for mary.
4) List the principals to confirm that mary was added
kadmin:  listprincs
5) Display principal details
kadmin:  getprinc mary@MYTRAIN.COM
6) Delete the specified principal
kadmin:  delprinc mary@MYTRAIN.COM
kadmin asks you to confirm the deletion (yes/no). Afterwards, run listprincs again to verify that mary is gone.
7) View the credential cache
After kinit succeeds, the tickets obtained are stored in a local credential cache. Use the klist command to view the current user's cache:
klist
Notes:
- The credential cache is stored as a file under the /tmp directory
- The default principal is jerry/admin@MYTRAIN.COM
- Each ticket is listed with its validity period and service principal; the ticket-granting ticket's service principal is krbtgt/MYTRAIN.COM@MYTRAIN.COM
8) Destroy the credential cache
kdestroy
klist
Running klist again shows that the credential cache has been destroyed (klist reports that no credentials cache was found).
5 Case Analysis
About kadmin.local and kadmin
- kadmin.local
  - Runs only as root on the host that holds the Kerberos database, which it reads and writes directly; it therefore bypasses Kerberos authentication and the kadm5.acl checks. To manage the database remotely, use kadmin.
- kadmin
  - Client that connects over the network to the kadmind daemon on the KDC; kadmind performs the database operations on its behalf
  - The permissions granted to remote administrators are set in the kadm5.acl file read by kadmind
  - A remote kadmin client must first pass Kerberos authentication (as jerry/admin above); each database operation is then checked against the permissions in kadm5.acl
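A kadm5.acl that shows the permissive default beside a least-privilege alternative. This is an added example, not a file from the lesson: the path is the RHEL/CentOS default and is really set by acl_file in kdc.conf; helpdesk/admin and monitor/admin are hypothetical principals, while jerry/admin and MYTRAIN.COM come from the lesson.

```text
# Added example (not from the lesson): /var/kerberos/krb5kdc/kadm5.acl, the
# ACL kadmind enforces for remote kadmin clients. Path is the RHEL/CentOS
# default; the real location is the acl_file setting in kdc.conf.
#
# Line format:  actor_principal   permissions   [target_principal]
# Lower-case letters grant, upper-case letters deny:
#   a add  d delete  m modify  c change password  i inquire  l list
#   s set key  e extract keys  x or * = admcilsp (everything except e)
# The first line whose actor and target both match decides, so narrow
# deny lines must come before broad grants.

# Permissive and common, shown here disabled: every principal with an
# admin instance gets full control over every principal in the realm.
# */admin@MYTRAIN.COM         *

# Least-privilege replacement. Only the named administrator from the
# lesson keeps full control (still without key extraction, which * and x
# do not include).
jerry/admin@MYTRAIN.COM       *

# Hypothetical helpdesk account: may look up any principal and reset its
# password, except for admin instances. The first line has no grant
# letters and matches */admin targets first, so jerry/admin's password
# cannot be reset from the helpdesk; the second line covers the rest.
helpdesk/admin@MYTRAIN.COM    CI    */admin@MYTRAIN.COM
helpdesk/admin@MYTRAIN.COM    ci    *

# Hypothetical monitoring account: list and inquire only.
monitor/admin@MYTRAIN.COM     il
```

kadmind reads this file when it starts, so restart it after editing. Note that none of these entries restrict kadmin.local, which works on the database directly; its only guard is root access to the KDC host.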
6 Case summary
- User principals are stored in the Kerberos database
- A principal with administrator privileges performs CRUD operations (add, view, modify, delete) on ordinary user principals