【总结】Centos中,Kerberos安装
1、安装软件包
安装必须的工具 bison, make, binutils
下载压缩包至/usr/local目录下,并解压
[root@localhost local]# ls krb5-1.14.tar.gz
krb5-1.14.tar.gz
2、编译Kerberos
切换目录至/krb5-1.14/src
在/krb5-1.14/src文件夹下,
运行configure命令
[root@localhost src]# ./configure --prefix=/usr/local/krb5-1.14
执行make命令
[root@localhost src]# make
执行make install
[root@localhost src]# make install
3、IP及域名配置 /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 kerberos.example.com kerberos ldap.example.com
4、配置KDC
a、配置krb5.conf
文件说明:(略)
参数说明:(略)
[root@localhost src]# vi /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.COM = { kdc = kerberos admin_server = kerberos } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [kdc] profile = /usr/local/krb5-1.14/var/krb5kdc/kdc.conf |
b、在krb5.conf文件制定位置,创建kdc.conf
[root@localhost krb5kdc]# pwd
/usr/local/krb5-1.14/var/krb5kdc
[root@localhost krb5kdc]# vi kdc.conf
文件说明:(略)
参数说明:(略)
[kdcdefaults] kdc_ports = 88 [realms] EXAMPLE.COM = { profile = /etc/krb5.conf database_name = /usr/local/krb5-1.14/var/krb5kdc/principal admin_database_name = /usr/local/krb5-1.14/var/krb5kdc/kadm5_adb admin_database_lockfile = /usr/local/krb5-1.14/var/krb5kdc/kadm5_adb.lock admin_keytab = FILE:/usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab acl_file = /usr/local/krb5-1.14/var/krb5kdc/kadm5.acl key_stash_file = /usr/local/krb5-1.14/var/krb5kdc/.k5stash kdc_ports = 88 kadmind_port = 749 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des-cbc-crc supported_enctypes = des-cbc-crc:normal des:v4 } |
创建Kerberos的本地数据库
[root@localhost sbin]# ./kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/usr/local/krb5-1.14/var/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
登录查看kerberos缺省票据
[root@localhost sbin]# ./kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: q
启动kdc服务
[root@localhost sbin]# ./krb5kdc
5、kadmind配置
5.1本地kadmin.local管理程序提供功能
a、策略管理
策略的增加、删除、修改、查询和统计功能;
add_policy, addpol Add policy
modify_policy, modpol Modify policy
delete_policy, delpol Delete policy
get_policy, getpol Get policy
list_policies, listpols, get_policies, getpols List policies
b、个人账号管理
Principal的增加、删除、修改、查询和统计功能;
add_principal, addprinc, ank
Add principal
delete_principal, delprinc
Delete principal
modify_principal, modprinc
Modify principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincs List principals
get_privs, getprivs Get privileges
c、程序注册kt管理
Keytable的增加、删除;
ktadd, xst Add entry(s) to a keytab
ktremove, ktrem Remove entry(s) from a keytab
d、锁管理
lock Lock database exclusively (use with extreme caution!) unlock Release exclusive database lock
e、程序功能
程序命令帮助和退出程序。
list_requests, lr, ? List available requests. quit, exit, q Exit program.
5.2使用kadmin.local管理程序配置
a、增加管理员账号
[root@localhost sbin]# ./kadmin.local
kadmin.local: addprinc admin/admin
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM": admin
Re-enter password for principal "admin/admin@EXAMPLE.COM": admin
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local:
b、测试管理员账号
[root@localhost bin]# ./kinit admin/admin
Password for admin/admin@EXAMPLE.COM: admin
[root@localhost bin]# ./klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM
Valid starting Expires Service principal
2016-01-12T14:34:33 2016-01-13T00:34:33 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 2016-01-19T14:34:33
c、为管理员admin/admin指定权限
注:按网上和官方说明kdc.conf中配置 acl_file = /krb5-1.14/var/krb5kdc/kadm5.acl的文件
暂时不知道该文件在哪个步骤生成的
在我以上操作中并没有生成 kadm5.acl文件,于是手动创建,并添加权限
现在为管理账号指定权限,它由文件/usr/local/var/krb5kdc/kadm5.acl中的条目决定。
给账号admin /admin授予"管理所有委托人"的权限,
通过添加下面这样一行到/usr/local/var/krb5kdc/kadm5.acl中,并使用通配符实现:
admin/admin@EXAMPLE.COM *
5.3远程的kadmin管理程序配置
a、创建一个包含秘钥的keytab文件
kadmin.local: ktadd -k /usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab kadmin/changepw Entry for principal kadmin/changepw with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab. |
b、启动kadmind服务
[root@localhost sbin]# pwd
/usr/local/krb5-1.14/sbin
[root@localhost sbin]# ./kadmind
[root@localhost sbin]# ps -ef | grep kadmind
root 17176 1 0 15:24 ? 00:00:00 ./kadmind