
[Summary] Installing Kerberos on CentOS

Published: 2024-12-13 Author: 千家信息网 editor (last updated 2024-12-13)

1. Install the packages

Install the required build tools: bison, make and binutils (a C compiler such as gcc is also needed to compile the sources).

Download the source tarball into /usr/local and unpack it there. The tarball is the root of trust for everything that follows, so verify it against the PGP signature MIT publishes for the release before unpacking rather than trusting whatever a mirror serves.

[root@localhost local]# ls krb5-1.14.tar.gz
krb5-1.14.tar.gz


2. Build Kerberos

Change into the src directory of the unpacked tree, /usr/local/krb5-1.14/src, and run configure. --prefix places the whole installation under /usr/local/krb5-1.14, which is why the daemons are later started from /usr/local/krb5-1.14/sbin, the client tools from /usr/local/krb5-1.14/bin, and why the KDC state lives under /usr/local/krb5-1.14/var/krb5kdc:

[root@localhost src]# ./configure --prefix=/usr/local/krb5-1.14

Run make:

[root@localhost src]# make

Run make install:

[root@localhost src]# make install


3. IP and hostname configuration in /etc/hosts

Kerberos service principals are named after hostnames, so the KDC's name has to resolve consistently. On this single-host lab the KDC name is simply mapped to the loopback address:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 kerberos.example.com kerberos ldap.example.com

This only works because client, KDC and kadmind all run on the same machine; any other client would need kerberos.example.com mapped to a routable address (and, with dns_lookup_kdc enabled, a matching DNS record). Note also that the machine's own hostname is still localhost, which is why the principals created by kdb5_util below are kadmin/localhost and kiprop/localhost rather than kadmin/kerberos.example.com.


4. Configure the KDC

a. Configure krb5.conf

File description: (omitted)

Parameter description: (omitted)

[root@localhost src]# vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = kerberos
admin_server = kerberos
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /usr/local/krb5-1.14/var/krb5kdc/kdc.conf

Two settings deserve a second look before this file leaves the lab. dns_lookup_realm = true lets the library map hostnames to realms through DNS TXT records, so anyone who can answer DNS for a client can steer it towards a realm of their choosing; with an explicit [domain_realm] section it is unnecessary and is better set to false (dns_lookup_kdc is less dangerous, since a KDC still has to prove itself with the realm key, and the KDC is in any case named statically in [realms] here). forwardable = true makes every TGT forwardable by default, which is convenient but hands a copy of the user's TGT to any service the user delegates to. The [kdc] section with profile tells the KDC daemons where to find kdc.conf, which is created in the next step.



b. Create kdc.conf at the location named in krb5.conf

[root@localhost krb5kdc]# pwd
/usr/local/krb5-1.14/var/krb5kdc
[root@localhost krb5kdc]# vi kdc.conf

File description: (omitted)

Parameter description: (omitted)

[kdcdefaults]
kdc_ports = 88

[realms]
EXAMPLE.COM = {
profile = /etc/krb5.conf
database_name = /usr/local/krb5-1.14/var/krb5kdc/principal
admin_database_name = /usr/local/krb5-1.14/var/krb5kdc/kadm5_adb
admin_database_lockfile = /usr/local/krb5-1.14/var/krb5kdc/kadm5_adb.lock
admin_keytab = FILE:/usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/krb5-1.14/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/krb5-1.14/var/krb5kdc/.k5stash
kdc_ports = 88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des:v4
}

The last two lines are the weak point of this configuration. des-cbc-crc is single DES with a 56-bit key and a CRC checksum; MIT Kerberos has disabled it by default since release 1.8 (clients and KDC will only use it when allow_weak_crypto = true is set in [libdefaults]) and removed it outright in 1.18. With supported_enctypes restricted to DES, every long-term key in the database, the master key and the krbtgt key included, is within reach of a brute-force search, and the KDC can only issue DES tickets. For anything but a throwaway lab use AES: master_key_type = aes256-cts-hmac-sha1-96 and supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal. Decide this before running kdb5_util create, because the master key is generated with master_key_type and the krbtgt keys with supported_enctypes.
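The following is an added example written for this page, not code from the original post or from MIT Kerberos. It is a small parser for the profile format shared by krb5.conf and kdc.conf, plus checks for the two problems discussed above (DES enctypes in kdc.conf, dns_lookup_realm in krb5.conf). The configurations embedded in it are constructed for the example: WEAK_KDC_CONF carries the enctype lines from the kdc.conf above, HARDENED_KDC_CONF the AES replacement, and SAMPLE_KRB5_CONF the [libdefaults] from the krb5.conf above.

```python
"""Audit kdc.conf and krb5.conf for weak settings (added example)."""
import re

# Enctype families MIT Kerberos treats as weak or deprecated: single DES was
# removed in 1.18, triple DES and arcfour/RC4 are deprecated.
WEAK_ENCTYPE_PREFIXES = ("des", "arcfour", "rc4")


def parse_profile(text):
    """Parse the krb5 profile format into nested dicts.

    Supports '[section]' headers, 'key = value' relations and 'key = {' ... '}'
    subsections such as a realm block.  '#' and ';' comment lines are ignored
    and a repeated key keeps its last value.
    """
    root, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = root.setdefault(header.group(1), {})
            stack = [current]
            continue
        if current is None:
            raise ValueError("relation before any [section]: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError("malformed relation: %r" % raw)
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def weak_enctypes(value):
    """Return the tokens of an enctype list (e.g. 'des-cbc-crc:normal') that are weak."""
    return [tok for tok in value.split()
            if tok.split(":")[0].lower().startswith(WEAK_ENCTYPE_PREFIXES)]


def audit(kdc_conf, krb5_conf=""):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for realm, rel in parse_profile(kdc_conf).get("realms", {}).items():
        for key in ("master_key_type", "supported_enctypes"):
            bad = weak_enctypes(rel.get(key, ""))
            if bad:
                findings.append("%s: %s uses weak enctype(s) %s" % (realm, key, " ".join(bad)))
    lib = parse_profile(krb5_conf).get("libdefaults", {}) if krb5_conf else {}
    if lib.get("dns_lookup_realm", "false").lower() == "true":
        findings.append("libdefaults: dns_lookup_realm = true lets DNS answers choose the realm")
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("libdefaults: allow_weak_crypto = true re-enables DES/RC4")
    return findings


# Constructed configurations for the example (paths as in the page's kdc.conf).
WEAK_KDC_CONF = """
[kdcdefaults]
kdc_ports = 88

[realms]
EXAMPLE.COM = {
  database_name = /usr/local/krb5-1.14/var/krb5kdc/principal
  key_stash_file = /usr/local/krb5-1.14/var/krb5kdc/.k5stash
  max_life = 10h 0m 0s
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal des:v4
}
"""

HARDENED_KDC_CONF = WEAK_KDC_CONF.replace(
    "master_key_type = des-cbc-crc",
    "master_key_type = aes256-cts-hmac-sha1-96").replace(
    "supported_enctypes = des-cbc-crc:normal des:v4",
    "supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal")

SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true

[realms]
EXAMPLE.COM = {
  kdc = kerberos
  admin_server = kerberos
}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_KDC_CONF), ("hardened", HARDENED_KDC_CONF)):
        print(name, audit(conf, SAMPLE_KRB5_CONF) or ["no findings"])
```

Run against the real files with open("/usr/local/krb5-1.14/var/krb5kdc/kdc.conf").read() and open("/etc/krb5.conf").read(); the parser deliberately ignores include directives and other profile extensions it does not understand, so treat it as a linter, not as a replacement for reading the files.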


Create the local Kerberos database

[root@localhost sbin]# ./kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/usr/local/krb5-1.14/var/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

The -s flag stashes the master key in the key_stash_file from kdc.conf (.k5stash) so that krb5kdc and kadmind can start without prompting. That file is as sensitive as the database itself: anyone who can read it can decrypt every principal key, so keep it root-owned with mode 0600 and treat backups of it with the same care as backups of the database. The master password derives the realm's master key, so choose it as you would any root secret.


Log in and list the principals created by default

[root@localhost sbin]# ./kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: q

K/M is the master key principal, krbtgt/EXAMPLE.COM is the ticket-granting service, kadmin/admin and kadmin/changepw are the services kadmind offers, and kadmin/localhost and kiprop/localhost are named after the host (localhost on this machine, see section 3).


Start the KDC service

[root@localhost sbin]# ./krb5kdc

krb5kdc forks into the background; if it is not listening on port 88 afterwards, /var/log/krb5kdc.log from the [logging] section explains why.


5. kadmind configuration

5.1 Functions provided by the local kadmin.local administration program

kadmin.local works directly on the database files as root and is not subject to kadm5.acl; the ACL only applies to the remote kadmin path through kadmind.

a. Policy management

Add, delete, modify, query and list policies:

add_policy, addpol                                  Add policy
modify_policy, modpol                               Modify policy
delete_policy, delpol                               Delete policy
get_policy, getpol                                  Get policy
list_policies, listpols, get_policies, getpols      List policies

b. Principal management

Add, delete, modify, query and list principals:

add_principal, addprinc, ank                        Add principal
delete_principal, delprinc                          Delete principal
modify_principal, modprinc                          Modify principal
change_password, cpw                                Change password
get_principal, getprinc                             Get principal
list_principals, listprincs, get_principals, getprincs   List principals
get_privs, getprivs                                 Get privileges

c. Keytab (kt) management for registering services

Add and remove keytab entries:

ktadd, xst                                          Add entry(s) to a keytab
ktremove, ktrem                                     Remove entry(s) from a keytab

d. Lock management

lock                                                Lock database exclusively (use with extreme caution!)
unlock                                              Release exclusive database lock

e. Program functions

Command help and exiting the program:

list_requests, lr, ?                                List available requests.
quit, exit, q                                       Exit program.


5.2 Configuration with the kadmin.local administration program

a. Add an administrator account

[root@localhost sbin]# ./kadmin.local
kadmin.local: addprinc admin/admin
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM": admin
Re-enter password for principal "admin/admin@EXAMPLE.COM": admin
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local:

The warning is worth acting on. With no policy attached any password is accepted, which is how "admin" got through here. Kerberos passwords are exposed to offline guessing by anyone who captures a pre-authentication exchange or obtains a copy of the database, so outside a lab define a policy with add_policy (minimum length, character classes, history) before creating administrator principals, and pick a password to match.

b. Test the administrator account

[root@localhost bin]# ./kinit admin/admin
Password for admin/admin@EXAMPLE.COM: admin
[root@localhost bin]# ./klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting       Expires              Service principal
2016-01-12T14:34:33  2016-01-13T00:34:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2016-01-19T14:34:33

Note that the TGT is valid for 10 hours, not the 24h asked for by ticket_lifetime in krb5.conf: the KDC caps it at max_life from kdc.conf. The 7-day renewable lifetime is within max_renewable_life and is granted in full.


c. Grant permissions to the administrator admin/admin

Note: the kadm5.acl file named by acl_file in kdc.conf (here /usr/local/krb5-1.14/var/krb5kdc/kadm5.acl) is not generated by any of the steps above; kdb5_util create does not write it. It did not exist on this system after the previous steps, so it was created by hand and the permission entry added.

Permissions for administrative accounts are decided by the entries in /usr/local/krb5-1.14/var/krb5kdc/kadm5.acl. To grant admin/admin the right to manage all principals, add the following line, using the wildcard for the permission field:

admin/admin@EXAMPLE.COM *

The * grants every administrative permission (add, delete, modify, change password, inquire, list, set key, propagate) on every principal in the realm. That is appropriate for the single administrator of a lab; in a realm with several operators, give each principal only the permission letters it needs and restrict the target principals with a third field.
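As an added example, not code from the original page or from MIT Kerberos, the following evaluates kadm5.acl entries the way kadmind does, so an ACL can be checked before it is deployed. It implements the documented matching rules: entries are tried in order and the first whose principal pattern (and target pattern, if present) matches decides; a * matches one whole principal component; lower-case letters grant a permission and upper-case letters deny it; x or * stands for admcilsp, which excludes the key-extraction permission e. Back-references such as *1 in the target field are not implemented here. The sample ACL is constructed for the example around the page's admin/admin entry.

```python
"""Evaluate kadm5.acl entries (added example)."""
PERMS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw",
         "i": "inquire", "l": "list", "s": "setkey", "p": "propagate",
         "e": "extract"}
ALL_PERMS = "admcilsp"   # what 'x' / '*' expands to; 'e' is never implied


def split_principal(text):
    """'kadmin/changepw@EXAMPLE.COM' -> (['kadmin', 'changepw'], 'EXAMPLE.COM')."""
    name, _, realm = text.partition("@")
    return name.split("/"), realm


def match_principal(pattern, principal):
    """Component-wise match; '*' matches an entire component (or the realm)."""
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(principal)
    if len(pcomps) != len(ncomps):
        return False
    if prealm not in ("*", nrealm):
        return False
    return all(p == "*" or p == n for p, n in zip(pcomps, ncomps))


def parse_perms(field):
    """Return the set of single-letter permissions granted by a permission field."""
    granted = set()
    for ch in field:
        if ch in "x*":
            granted |= set(ALL_PERMS)
        elif ch.islower() and ch in PERMS:
            granted.add(ch)
        elif ch.isupper() and ch.lower() in PERMS:
            granted.discard(ch.lower())      # upper case denies
        else:
            raise ValueError("unknown permission %r" % ch)
    return granted


def parse_acl(text):
    """Parse ACL lines into (principal_pattern, granted_set, target_pattern_or_None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        # A third field that does not start with '-' is a target principal pattern;
        # '-maxlife ...' style restrictions are accepted but ignored here.
        target = fields[2] if len(fields) > 2 and not fields[2].startswith("-") else None
        entries.append((fields[0], parse_perms(fields[1]), target))
    return entries


def is_allowed(acl, client, perm, target=None):
    """First matching entry decides; no matching entry means denied."""
    for pattern, granted, tpattern in acl:
        if not match_principal(pattern, client):
            continue
        if tpattern is not None and (target is None or not match_principal(tpattern, target)):
            continue
        return perm in granted
    return False


# Constructed sample ACL for the example.
SAMPLE_ACL = parse_acl("""
# the page's entry: one lab administrator with every permission
admin/admin@EXAMPLE.COM *
# any principal with an admin instance may do everything except extract keys
*/admin@EXAMPLE.COM *
# a plain joeadmin principal is explicitly denied everything
joeadmin@EXAMPLE.COM ADMCIL
# helpdesk may change passwords and inquire, but only on single-component user principals
helpdesk@EXAMPLE.COM ci *@EXAMPLE.COM
""")

if __name__ == "__main__":
    for client, perm, target in (("admin/admin@EXAMPLE.COM", "e", None),
                                 ("helpdesk@EXAMPLE.COM", "c", "alice@EXAMPLE.COM"),
                                 ("helpdesk@EXAMPLE.COM", "c", "host/kdc@EXAMPLE.COM")):
        print(client, perm, target, "->", is_allowed(SAMPLE_ACL, client, perm, target))
```

The helpdesk entry shows the value of the target field: host/kdc@EXAMPLE.COM has two components, so it never matches the one-component pattern *@EXAMPLE.COM and the helpdesk cannot reset service keys.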



5.3 Configuration of the remote kadmin administration program

a. Create a keytab file containing the key

kadmin.local: ktadd -k /usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab.

ktadd does not copy the principal's existing key: it generates a new random key, increments the key version number (kvno 2 here) and writes the new key to the keytab, so running it against a principal that is already in use elsewhere invalidates that other keytab. The entry is DES only because supported_enctypes in kdc.conf allows nothing else. A keytab is a long-term credential equivalent to the principal's password and should be readable only by the account that runs kadmind.

b. Start the kadmind service

[root@localhost sbin]# pwd
/usr/local/krb5-1.14/sbin
[root@localhost sbin]# ./kadmind
[root@localhost sbin]# ps -ef | grep kadmind
root 17176 1 0 15:24 ? 00:00:00 ./kadmind

kadmind listens on kadmind_port (749) and is the path on which the kadm5.acl entries are enforced; if it exits right away, /var/log/kadmind.log from the [logging] section shows why.
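What ktadd actually wrote can be checked without kadmin. The following is an added example, not code from the original page or from MIT Kerberos: it encodes and decodes the MIT keytab file format (version 0x0502) and lists entries the way klist -k -e would, flagging weak enctypes. The sample keytab is built in memory from constructed placeholder key bytes (not real keys) and reproduces the page's kadmin/changepw entry with kvno 2 and des-cbc-crc, alongside an AES entry for comparison; the host/kerberos.example.com principal in it is an assumption for the example.

```python
"""Read and write MIT keytab files, format 0x0502 (added example)."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}   # single DES, triple DES and RC4
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def keytab_entry(principal, kvno, enctype, key, timestamp):
    """Encode one keytab_entry: int32 size, then the entry body (all big-endian)."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">II", KRB5_NT_PRINCIPAL, timestamp)
    body += struct.pack(">B", kvno & 0xFF)            # vno8
    body += struct.pack(">H", enctype) + _counted(key)  # keyblock
    body += struct.pack(">I", kvno)                    # 32-bit vno, present when room remains
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)


def parse_keytab(blob):
    """Return one dict per live entry; negative-size slots are deleted entries."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    off, entries = 2, []
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                       # deleted entry: skip its slot
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", blob, p); p += 2
        strings = []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", blob, p); p += 2
            strings.append(blob[p:p + n].decode()); p += n
        name_type, timestamp = struct.unpack_from(">II", blob, p); p += 8
        (vno8,) = struct.unpack_from(">B", blob, p); p += 1
        enctype, klen = struct.unpack_from(">HH", blob, p); p += 4
        key = blob[p:p + klen]; p += klen
        vno = struct.unpack_from(">I", blob, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": vno, "name_type": name_type, "timestamp": timestamp,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES, "key_len": len(key)})
        off = end
    return entries


def weak_entries(blob):
    """'principal enctype' for every entry whose enctype is weak or deprecated."""
    return [e["principal"] + " " + e["enctype"] for e in parse_keytab(blob) if e["weak"]]


# Constructed sample keytab: the page's DES entry plus an AES entry for comparison.
# Key bytes are placeholders, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("kadmin/changepw@EXAMPLE.COM", 2, 1, bytes(range(8)), 1452580000),
    ("host/kerberos.example.com@EXAMPLE.COM", 1, 18, bytes(range(32)), 1452580000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %-40s %s%s" % (e["kvno"], e["principal"], e["enctype"],
                                   "  (WEAK)" if e["weak"] else ""))
```

To inspect the real file, pass open("/usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab", "rb").read() to parse_keytab; the DES entry from the ktadd output above will show up in weak_entries.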

