Quickly setting up a Kerberos server and getting started

Author: 尹正傑

Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.

  Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from MIT. Kerberos is also available in many commercial products.

  Although there are many configuration parameters and settings, configuring a Hadoop cluster protected by Kerberos is still fairly straightforward. With a clear understanding of the Kerberos concepts introduced earlier, you can use Kerberos to secure a cluster with confidence.

  In short, Kerberos is a solution to your network security problems. It provides authentication and strong encryption over the network, helping you protect the information systems of the whole enterprise. The official Kerberos site: http://web.mit.edu/kerberos/

 

I. Setting up the Kerberos server (node101.yinzhengjie.org.cn)

Recommended reading:
  Kerberos release page: https://kerberos.org/dist/index.html
  Official Kerberos documentation: http://web.mit.edu/kerberos/krb5-1.17/doc/index.html
  Oracle's Kerberos documentation: https://docs.oracle.com/cd/E26926_01/html/E25889/intro-1.html#scrolltoc

  The latest Kerberos release can be downloaded from the MIT site; at the time of writing it is krb5-1.17.tar.gz, released 2019-01-08. After downloading and unpacking it you can build it from source. For convenience we install it with yum here instead, which gets everything in one step; the simpler the better.

  To authenticate with Kerberos, Kerberos itself must first be installed and configured. This has to be finished before the Hadoop cluster configuration is adjusted for Kerberos.

  Installing the Kerberos software means installing the KDC on one cluster node and then installing the Kerberos client on every cluster node. Configuring Kerberos means configuring every aspect of KDC administration, such as ticket lifetimes. During this process you create the realm, the user principals and the service principals, and begin adjusting the cluster configuration for Kerberos authentication.

  The steps for installing Kerberos on the master node are as follows:

1>. Install the KDC server

[root@node101.yinzhengjie.org.cn ~]# yum -y install krb5-server krb5-lib krb5-workstation
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                     | 3.6 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
mysql-connectors-community                               | 2.5 kB  00:00:00
mysql-tools-community                                    | 2.5 kB  00:00:00
mysql56-community                                        | 2.5 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
zabbix                                                   | 2.9 kB  00:00:00
zabbix-non-supported                                     |  951 B  00:00:00
mysql-connectors-community/x86_64/primary_db             |  41 kB  00:00:00
No package krb5-lib available.
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.15.1-37.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-37.el7_6 for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-37.el7_6 for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.11(kadm5srv_mit_11_MIT)(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11(kadm5clnt_mit_11_MIT)(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.1-37.el7_6.x86_64
mysql-connectors-community/x86_64/filelists_db           |  54 kB  00:00:00
mysql-tools-community/x86_64/filelists_db                | 158 kB  00:00:00
mysql56-community/x86_64/filelists_db                    | 732 kB  00:00:01
zabbix/x86_64/filelists_db                               |  46 kB  00:00:00
zabbix-non-supported/x86_64/filelists                    |  660 B  00:00:00
--> Processing Dependency: libkadm5srv_mit.so.11()(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11()(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.15.1-34.el7 will be updated
---> Package krb5-libs.x86_64 0:1.15.1-37.el7_6 will be an update
---> Package libkadm5.x86_64 0:1.15.1-37.el7_6 will be installed
---> Package libverto-libevent.x86_64 0:0.2.5-4.el7 will be installed
---> Package words.noarch 0:3.0-22.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch     Version              Repository   Size
================================================================================
Installing:
 krb5-server         x86_64   1.15.1-37.el7_6      updates      1.0 M
 krb5-workstation    x86_64   1.15.1-37.el7_6      updates      816 k
Installing for dependencies:
 libkadm5            x86_64   1.15.1-37.el7_6      updates      178 k
 libverto-libevent   x86_64   0.2.5-4.el7          base         8.9 k
 words               noarch   3.0-22.el7           base         1.4 M
Updating for dependencies:
 krb5-libs           x86_64   1.15.1-37.el7_6      updates      803 k

Transaction Summary
================================================================================
Install  2 Packages (+3 Dependent packages)
Upgrade             ( 1 Dependent package)

Total download size: 4.2 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/6): krb5-libs-1.15.1-37.el7_6.x86_64.rpm              | 803 kB  00:00:00
(2/6): krb5-server-1.15.1-37.el7_6.x86_64.rpm            | 1.0 MB  00:00:01
(3/6): libkadm5-1.15.1-37.el7_6.x86_64.rpm               | 178 kB  00:00:00
(4/6): krb5-workstation-1.15.1-37.el7_6.x86_64.rpm       | 816 kB  00:00:00
(5/6): libverto-libevent-0.2.5-4.el7.x86_64.rpm          | 8.9 kB  00:00:00
(6/6): words-3.0-22.el7.noarch.rpm                       | 1.4 MB  00:00:00
--------------------------------------------------------------------------------
Total                                            2.4 MB/s | 4.2 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : krb5-libs-1.15.1-37.el7_6.x86_64                           1/7
  Installing : libkadm5-1.15.1-37.el7_6.x86_64                            2/7
  Installing : words-3.0-22.el7.noarch                                    3/7
  Installing : libverto-libevent-0.2.5-4.el7.x86_64                       4/7
  Installing : krb5-server-1.15.1-37.el7_6.x86_64                         5/7
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64                    6/7
  Cleanup    : krb5-libs-1.15.1-34.el7.x86_64                             7/7
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64                    1/7
  Verifying  : krb5-libs-1.15.1-37.el7_6.x86_64                           2/7
  Verifying  : libkadm5-1.15.1-37.el7_6.x86_64                            3/7
  Verifying  : libverto-libevent-0.2.5-4.el7.x86_64                       4/7
  Verifying  : krb5-server-1.15.1-37.el7_6.x86_64                         5/7
  Verifying  : words-3.0-22.el7.noarch                                    6/7
  Verifying  : krb5-libs-1.15.1-34.el7.x86_64                             7/7

Installed:
  krb5-server.x86_64 0:1.15.1-37.el7_6      krb5-workstation.x86_64 0:1.15.1-37.el7_6

Dependency Installed:
  libkadm5.x86_64 0:1.15.1-37.el7_6   libverto-libevent.x86_64 0:0.2.5-4.el7   words.noarch 0:3.0-22.el7

Dependency Updated:
  krb5-libs.x86_64 0:1.15.1-37.el7_6

Complete!
[root@node101.yinzhengjie.org.cn ~]#

  yum reports "No package krb5-lib available" because the library package is actually named krb5-libs; as the transaction shows, it is pulled in (and upgraded) anyway as a dependency of krb5-server, so the install still succeeds.

2>. Edit the KDC configuration file

[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@node101.yinzhengjie.org.cn ~]#

Notes on the parameters above:

[kdcdefaults]
  This section holds the general settings that apply to everything listed in this file.
  kdc_ports           : the UDP port(s) the KDC listens on (88 by default).
  kdc_tcp_ports       : the TCP port(s) the KDC listens on.

[realms]
  This section lists the configuration of each realm.
  YINZHENGJIE.COM     : the realm being defined. The name is arbitrary (uppercase is recommended) but it must be identical to the one in /etc/krb5.conf. Kerberos supports multiple realms, at the cost of extra complexity. Realm names are case-sensitive.
  master_key_type     : disabled by default; if 256-bit encryption is required, download and install the Java Cryptography Extension (JCE). With this parameter disabled, 128-bit encryption is used by default.
  acl_file            : the file that defines the privileges of admin principals; create it yourself if it does not exist. In other words, this parameter lets you attach an ACL to the UPNs that have administrative access to the Kerberos database.
  supported_enctypes  : the encryption types this KDC supports.
  admin_keytab        : the keytab the KDC uses to authenticate administrative requests.
  max_life            : the maximum lifetime of a ticket (for example, 2 days).
  max_renewable_life  : the period within which a ticket may be renewed.
  dict_file           : a file of potentially guessable or crackable passwords, used to reject weak ones.

3>. Configure the KDC's access-control file

[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kadm5.acl     # We make */admin@YINZHENGJIE.COM the administrator principals with full privileges. Note the wildcard "*"; you know what it means.
*/admin@YINZHENGJIE.COM *
[root@node101.yinzhengjie.org.cn ~]#

Notes on the parameters above:
The entry above has only two columns: the first is the principal, the second the privileges granted. The file format is: Kerberos_principal permissions [target_principal] [restrictions]. The two columns of the file written above mean:
  */admin@YINZHENGJIE.COM : every principal whose name ends in "/admin@YINZHENGJIE.COM".
  *                        : the matching UPN may perform any operation, because "*" in this column means all privileges. Please make sure you understand the difference between this second "*" and the first one.
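The two columns above can be modelled with a small matcher, which is a useful way to convince yourself what a given ACL line does before relying on it. The shell script below is added here as an example and is not code from the original post or from MIT Kerberos: it evaluates only the first two columns of the kadm5.acl format quoted above (the optional target_principal and restrictions columns are read but ignored), compares principal patterns component by component so that `*` stands for exactly one whole component, and treats `*` or `x` in the permissions column as "all privileges". The ACL file it reads is constructed inline; the first entry is the one from the post, the other two are hypothetical narrower grants added for illustration, and all patterns are assumed to be fully qualified with a realm.

```shell
#!/bin/sh
# Added example (not from the original post): a simplified kadm5.acl matcher.
# Entry format, as quoted in the post:
#   Kerberos_principal permissions [target_principal] [restrictions]
# Only the first two columns are evaluated here.

# Constructed sample ACL. The first entry is the one from the post; the other
# two are hypothetical entries that grant narrower privileges.
ACL_FILE="${TMPDIR:-/tmp}/kadm5.acl.example.$$"
trap 'rm -f "$ACL_FILE"' EXIT
cat >"$ACL_FILE" <<'EOF'
# Comment lines and blank lines are ignored.

*/admin@YINZHENGJIE.COM   *
hdfs/*@YINZHENGJIE.COM    il
audit@YINZHENGJIE.COM     l
EOF

# match_component PATTERN STRING
# '*' matches any single whole component; anything else must match exactly.
match_component() {
    [ "$1" = '*' ] || [ "$1" = "$2" ]
}

# principal_matches PATTERN PRINCIPAL
# Both arguments must be fully qualified (name[/instance...]@REALM).
# Components are compared in lockstep, so '*/admin@R' matches 'root/admin@R'
# but matches neither 'root@R' nor 'a/b/admin@R'.
principal_matches() {
    pat_name=${1%@*}; pat_realm=${1##*@}
    prn_name=${2%@*}; prn_realm=${2##*@}
    match_component "$pat_realm" "$prn_realm" || return 1
    while :; do
        case $pat_name in
            */*) pc=${pat_name%%/*}; pat_name=${pat_name#*/} ;;
            *)   pc=$pat_name;        pat_name= ;;
        esac
        case $prn_name in
            */*) nc=${prn_name%%/*}; prn_name=${prn_name#*/} ;;
            *)   nc=$prn_name;        prn_name= ;;
        esac
        match_component "$pc" "$nc" || return 1
        # Both exhausted: full match. Only one exhausted: component counts differ.
        if [ -z "$pat_name" ] && [ -z "$prn_name" ]; then return 0; fi
        if [ -z "$pat_name" ] || [ -z "$prn_name" ]; then return 1; fi
    done
}

# acl_permits PRINCIPAL PERMISSION [ACL_FILE]
# Returns 0 when the first entry whose pattern matches PRINCIPAL grants the
# single permission letter PERMISSION ('*' or 'x' grant everything).
acl_permits() {
    prn=$1; want=$2; file=${3:-$ACL_FILE}
    while read -r pattern perms _rest; do
        case $pattern in ''|'#'*) continue ;; esac
        principal_matches "$pattern" "$prn" || continue
        case $perms in
            '*'|*x*|*"$want"*) return 0 ;;
            *)                 return 1 ;;
        esac
    done <"$file"
    return 1
}

# show_decision PRINCIPAL PERMISSION: one-line human-readable report.
show_decision() {
    if acl_permits "$1" "$2"; then
        printf '%-52s %s -> allowed\n' "$1" "$2"
    else
        printf '%-52s %s -> denied\n' "$1" "$2"
    fi
}

show_decision 'root/admin@YINZHENGJIE.COM' a                        # */admin: everything
show_decision 'hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM' l   # hdfs/*: il only
show_decision 'hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM' a
show_decision 'root@YINZHENGJIE.COM' a                              # one component: no match
show_decision 'root/admin@OTHER.COM' a                              # realm differs
```

Running it prints one decision per line, which makes the point of the two asterisks concrete: the first one widens who matches (any single component before /admin), the second widens what they may do (everything). Note that the principal root@YINZHENGJIE.COM, with no /admin instance, is denied even though it is the root account.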

4>. Edit the Kerberos client configuration file (it holds the KDC location, the admin server, the realms and so on; every machine that uses Kerberos needs an identical copy of this file)

[root@node101.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[root@node101.yinzhengjie.org.cn ~]#

Notes on the configuration parameters above:

[logging]:
  How the Kerberos daemons log; in other words, where the server-side logs are written.
  default       : path of the default krb5libs.log log file
  kdc           : path of the default krb5kdc.log log file
  admin_server  : path of the default kadmind.log log file

[libdefaults]:
  Defaults used by the Kerberos library. When a client authenticates without naming a realm, the realm given by default_realm is used. These are the defaults for every connection; the following settings deserve attention:
  dns_lookup_realm  : look up the realm through DNS, which we can think of as forward DNS resolution. I have not tested this feature; it is disabled by default. (My guess is that it is related to the domain_realm setting.)
  ticket_lifetime   : how long an issued ticket stays valid; the author describes it as 7 days, while the file above sets 24h.
  rdns              : as I understand it, the opposite of dns_lookup_realm, i.e. reverse resolution. I have not tested this feature either; leaving it disabled is fine. (My guess is that it is also related to the domain_realm setting.)
  pkinit_anchors    : the location of the PKINIT trust anchors used with the KDC. I have not looked into this parameter further.
  default_realm = YINZHENGJIE.COM : the default realm for Kerberos applications. If you have several realms, simply add further entries to the [realms] section. YINZHENGJIE.COM can be any name (uppercase recommended) but must match the name of the realm being configured.
  default_ccache_name : as the name says, the default credential cache name; using this parameter is not recommended.
  renew_lifetime    : the longest period over which a ticket may be renewed, typically 7 days. Once a ticket has expired, further access to Kerberos-protected services fails.
  forwardable       : if set to true, tickets may be forwarded, meaning that when a user holding a TGT logs in to a remote system, the KDC can issue a new TGT there without the user authenticating again.
  renewable         : whether tickets may be renewed.

[realms]:
  Realm-specific information, such as the location of the realm's Kerberos servers. There may be several entries, one per realm. A port may be given for the KDC and for the admin server; if none is configured, the KDC uses port 88 and the admin server port 749. In short, this section lists the realms in use.
  kdc             : the location of the KDC, in the form host:port
  admin_server    : the location of the admin server, in the form host:port
  default_domain  : as the name says, the default domain name

[domain_realm]:
  The mapping from DNS domain names to Kerberos realms. Given a server's FQDN, the matching domain_realm value decides which realm the host belongs to.

[kdc]:
  The KDC configuration, i.e. where kdc.conf lives.
  profile : the path of the KDC configuration file; if no file exists at the default path, create it.
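The notes above stress twice that the realm name in kdc.conf and in /etc/krb5.conf must agree, and that the client's [realms] block must point at the KDC and the admin server; a quick mechanical check of the two files catches the typo before kinit fails with a cryptic error. The shell script below is added here as an example and is not code from the original post or from MIT Kerberos: it extracts the realm names defined in the [realms] section of kdc.conf, the default_realm from krb5.conf and the kdc/admin_server entries of that realm's block, and fails when they disagree. The two configuration files are constructed inline from the contents shown above, trimmed to the keys the check reads; the second krb5.conf, with a mismatched default_realm, is a hypothetical broken copy used to show the failure case.

```shell
#!/bin/sh
# Added example (not from the original post): check that kdc.conf and
# krb5.conf agree on the realm and that the realm block names its servers.

WORK="${TMPDIR:-/tmp}/krb5check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed copies of the files shown in the post, trimmed to what is checked.
cat >"$WORK/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 }
EOF

cat >"$WORK/krb5.conf" <<'EOF'
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = YINZHENGJIE.COM

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
EOF

# Hypothetical broken client copy: default_realm does not match the KDC's realm.
sed 's/^ default_realm = .*/ default_realm = YINZHENGJIE.ORG/' "$WORK/krb5.conf" >"$WORK/krb5-bad.conf"

# Shared awk rule: remember the current "[section]" name in the variable sect.
SECTION_TRACK='/^[[:space:]]*\[[^]]*\][[:space:]]*$/ { s = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", s); sect = s; next }'

# kdc_conf_realms FILE: print every realm name defined in kdc.conf's [realms].
kdc_conf_realms() {
    awk "$SECTION_TRACK"'
        sect == "realms" && $2 == "=" && $3 == "{" { print $1 }
    ' "$1"
}

# krb5_default_realm FILE: print default_realm from [libdefaults]; fail if absent.
krb5_default_realm() {
    v=$(awk "$SECTION_TRACK"'
        sect == "libdefaults" && $1 == "default_realm" { print $3; exit }
    ' "$1")
    [ -n "$v" ] && printf '%s\n' "$v"
}

# krb5_realm_value FILE REALM KEY: print KEY's value inside REALM's [realms] block.
krb5_realm_value() {
    v=$(awk -v realm="$2" -v key="$3" "$SECTION_TRACK"'
        sect == "realms" && $1 == realm && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}"                           { inblk = 0 }
        inblk && $1 == key                           { print $3; exit }
    ' "$1")
    [ -n "$v" ] && printf '%s\n' "$v"
}

# check_realm_consistency KDC_CONF KRB5_CONF
# 0 when krb5.conf's default_realm is defined in kdc.conf and its [realms]
# block names both the KDC and the admin server; 1 otherwise, with a reason.
check_realm_consistency() {
    realm=$(krb5_default_realm "$2") || { echo "no default_realm in $2" >&2; return 1; }
    kdc_conf_realms "$1" | grep -qxF -- "$realm" ||
        { echo "realm $realm is not defined in $1" >&2; return 1; }
    for key in kdc admin_server; do
        krb5_realm_value "$2" "$realm" "$key" >/dev/null ||
            { echo "$realm has no $key entry in $2" >&2; return 1; }
    done
    echo "OK: $realm is consistent between $1 and $2"
}

check_realm_consistency "$WORK/kdc.conf" "$WORK/krb5.conf"
check_realm_consistency "$WORK/kdc.conf" "$WORK/krb5-bad.conf" || echo "(expected failure for the broken copy)"
```

The parsing deliberately relies only on the "key = value" layout used in the files above, so it can run on the server and on every client that received the copied krb5.conf; because realm names are case-sensitive, the comparison is exact rather than case-folded.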

5>. Initialize the KDC database

[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s     # Note: -s stores the database master key in a stash file, so the KDC can read it automatically every time it starts. Remember the master password; it is needed later.
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:                       # Enter the password that protects the KDC database here. Never forget it; if you do, your only option is to re-initialize the KDC database! (If you get a "database already exists" error, delete the principal* files under /var/kerberos/krb5kdc/. The default database name is principal; -d selects a different name.)
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]#

Troubleshooting the error "kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': File exists while creating database '/var/kerberos/krb5kdc/principal'" (resolved as follows):

[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': File exists while creating database '/var/kerberos/krb5kdc/principal'
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rm -f /var/kerberos/krb5kdc/principal*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]#

[root@node101.yinzhengjie.org.cn ~]# ll -a /var/kerberos/krb5kdc/         # Once the Kerberos database has been created, the following five files appear in this directory by default.
total 36
drwxr-xr-x  2 root root 4096 May 30 16:26 .
drwxr-xr-x. 4 root root 4096 May 30 16:20 ..
-rw-------  1 root root   80 May 30 16:26 .k5.YINZHENGJIE.COM            # the master key stash file; hidden by default
-rw-------  1 root root   26 May 30 16:25 kadm5.acl                      # the file defining administrator privileges
-rw-------  1 root root  422 May 30 16:25 kdc.conf                       # the KDC's main configuration file
-rw-------  1 root root 8192 May 30 16:26 principal                      # the Kerberos database
-rw-------  1 root root 8192 May 30 16:26 principal.kadm5                # the Kerberos database administration file
-rw-------  1 root root    0 May 30 16:26 principal.kadm5.lock           # the database lock file
-rw-------  1 root root    0 May 30 16:26 principal.ok                   # Kerberos database file
[root@node101.yinzhengjie.org.cn ~]#

6>. Start the KDC service

[root@node101.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-30 17:37:38 CST; 1s ago
  Process: 5292 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5293 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─5293 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

Apr 30 17:37:38 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
Apr 30 17:37:38 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node101.yinzhengjie.org.cn ~]#

7>. Start the kadmin service (the Kerberos administration server)

[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-30 17:40:13 CST; 2s ago
  Process: 5361 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5363 (kadmind)
   CGroup: /system.slice/kadmin.service
           └─5363 /usr/sbin/kadmind -P /var/run/kadmind.pid

Apr 30 17:40:13 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Apr 30 17:40:13 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 Password-changing and Administration.
[root@node101.yinzhengjie.org.cn ~]#

8>. Add a super-administrator account on the KDC server

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local:  addprinc root/admin        # Add an administrator principal to the KDC; the administrator rule was already defined in "/var/kerberos/krb5kdc/kadm5.acl". Observant readers will notice that we typed "root/admin" but the created principal is shown as "root/admin@YINZHENGJIE.COM".
WARNING: no policy specified for root/admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "root/admin@YINZHENGJIE.COM":
Re-enter password for principal "root/admin@YINZHENGJIE.COM":
Principal "root/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/admin@YINZHENGJIE.COM
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]#

  

II. Setting up the Kerberos client environment

1>. Install the client

[root@node103.yinzhengjie.org.cn ~]# yum install -y krb5-lib krb5-workstation
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                     | 3.6 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
zabbix                                                   | 2.9 kB  00:00:00
zabbix-non-supported                                     |  951 B  00:00:00
No package krb5-lib available.
Resolving Dependencies
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-37.el7_6 for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-37.el7_6 for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.11(kadm5srv_mit_11_MIT)(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11(kadm5clnt_mit_11_MIT)(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.11()(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11()(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.15.1-34.el7 will be updated
---> Package krb5-libs.x86_64 0:1.15.1-37.el7_6 will be an update
---> Package libkadm5.x86_64 0:1.15.1-37.el7_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch     Version              Repository   Size
================================================================================
Installing:
 krb5-workstation    x86_64   1.15.1-37.el7_6      updates      816 k
Installing for dependencies:
 libkadm5            x86_64   1.15.1-37.el7_6      updates      178 k
Updating for dependencies:
 krb5-libs           x86_64   1.15.1-37.el7_6      updates      803 k

Transaction Summary
================================================================================
Install  1 Package  (+1 Dependent package)
Upgrade             ( 1 Dependent package)

Total download size: 1.8 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): krb5-libs-1.15.1-37.el7_6.x86_64.rpm              | 803 kB  00:00:00
(2/3): libkadm5-1.15.1-37.el7_6.x86_64.rpm               | 178 kB  00:00:00
(3/3): krb5-workstation-1.15.1-37.el7_6.x86_64.rpm       | 816 kB  00:00:00
--------------------------------------------------------------------------------
Total                                            3.1 MB/s | 1.8 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : krb5-libs-1.15.1-37.el7_6.x86_64                           1/4
  Installing : libkadm5-1.15.1-37.el7_6.x86_64                            2/4
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64                    3/4
  Cleanup    : krb5-libs-1.15.1-34.el7.x86_64                             4/4
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64                    1/4
  Verifying  : krb5-libs-1.15.1-37.el7_6.x86_64                           2/4
  Verifying  : libkadm5-1.15.1-37.el7_6.x86_64                            3/4
  Verifying  : krb5-libs-1.15.1-34.el7.x86_64                             4/4

Installed:
  krb5-workstation.x86_64 0:1.15.1-37.el7_6

Dependency Installed:
  libkadm5.x86_64 0:1.15.1-37.el7_6

Dependency Updated:
  krb5-libs.x86_64 0:1.15.1-37.el7_6

Complete!
[root@node103.yinzhengjie.org.cn ~]#

2>. Copy the server's configuration file to the client

[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node103.yinzhengjie.org.cn:/etc/
krb5.conf                                     100%  711     2.2MB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ssh node103.yinzhengjie.org.cn
Last login: Tue Apr 30 17:44:57 2019 from 172.30.1.2
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#

3>. Once the client's configuration file is in sync with the server's, log in to verify that authentication works

[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit root/admin                    # Log in as root/admin@YINZHENGJIE.COM in the current terminal; it succeeds!
Password for root/admin@YINZHENGJIE.COM:
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
04/30/2019 18:29:43  05/01/2019 18:29:43  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#

 

III. Basic Kerberos commands

1>. Enter local administrator mode with kadmin.local

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local:  ?                                  # Type "?" to list the available commands, as shown below.
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin.local:

2>. List the existing principals

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:

3>. Create principals

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local:  addprinc -randkey hdfs/node101.yinzhengjie.org.cn                # create a principal with a randomly generated key
WARNING: no policy specified for hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/master@YINZHENGJIE.COM
kadmin.local:
kadmin.local:  addprinc -pw 123456 jason/admin                            # create a principal with a specified password
WARNING: no policy specified for jason/admin@YINZHENGJIE.COM; defaulting to no policy
Principal "jason/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
jason/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/master@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kinit jason/admin
Password for jason/admin@YINZHENGJIE.COM:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jason/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/07/2019 16:28:35  05/08/2019 16:28:35  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

4>. Delete a principal

kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local: delprinc hdfs/node101.yinzhengjie.org.cn
Are you sure you want to delete the principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"? (yes/no): yes
Principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local: 
kadmin.local: delprinc hdfs/node101.yinzhengjie.org.cn

5>. Export a principal's keytab (using the xst command or the ktadd command)

kadmin.local: addprinc -randkey hdfs/node103.yinzhengjie.org.cn
WARNING: no policy specified for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local: ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local: 
kadmin.local: ktadd -k /root/node103.keytab
kadmin.local: xst -k /root/node103.keytab-v2 hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab-v2.
kadmin.local: 
kadmin.local: xst -k /root/node103.keytab-v2
[root@node101.yinzhengjie.org.cn ~]# pwd
/root
[root@node101.yinzhengjie.org.cn ~]# ll
total 8
-rw------- 1 root root 1376 May  5 16:05 node103.keytab
-rw------- 1 root root  460 May  5 16:05 node103.keytab-v2
[root@node101.yinzhengjie.org.cn ~]# 
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local: xst -norandkey -k /root/my.keytab hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM admin/admin@YINZHENGJIE.COM kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw------- 1 root root 1286 May  7 16:17 my.keytab
[root@node101.yinzhengjie.org.cn ~]# klist -k -e -t my.keytab
Keytab name: FILE:my.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (arcfour-hmac)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (des-cbc-md5)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]# 
kadmin.local: xst -norandkey -k /root/my.keytab hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM admin/admin@YINZHENGJIE.COM kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM    #write several principals into one keytab

6>. View the currently authenticated user on the client

[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
04/30/2019 18:29:43  05/01/2019 18:29:43  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# klist

7>. Destroy the current credential cache

[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
04/30/2019 18:29:43  05/01/2019 18:29:43  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# kdestroy

8>. Authenticate a user

kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local: addprinc hdfs/node103.yinzhengjie.org.cn
WARNING: no policy specified for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM": 
Re-enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM": 
Principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local: 
kadmin.local: addprinc hdfs/node103.yinzhengjie.org.cn                               #create the principal
kadmin.local: ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw------- 1 root root 460 May  5 16:13 node103.keytab
[root@node101.yinzhengjie.org.cn ~]# 
kadmin.local: ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn                 #export the key to a keytab
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw------- 1 root root 460 May  5 16:13 node103.keytab
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]# kinit -kt node103.keytab hdfs/node103.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/05/2019 16:17:19  05/06/2019 16:17:19  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# kinit -kt node103.keytab hdfs/node103.yinzhengjie.org.cn       #authenticate using the keytab
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/05/2019 16:17:19  05/06/2019 16:17:19  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]# kdestroy
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# kdestroy                                    #destroy the credential cache
[root@node103.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM: 
kinit: Password incorrect while getting initial credentials
[root@node103.yinzhengjie.org.cn ~]# 

Solution to the problem above (cause: each time the keytab is exported, ktadd randomizes the principal's key by default, so the password set earlier no longer works; adding "-norandkey" keeps the existing key and solves the problem!)

kadmin.local: ktadd -k /root/node103.keytab -norandkey hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local: 
kinit: Password incorrect while getting initial credentials                           #solution
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM: 
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/05/2019 17:36:30  05/06/2019 17:36:30  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn                  #authenticate using a password

9>. Change a Kerberos user's password

[root@node101.yinzhengjie.org.cn ~]# kpasswd hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM:                            #enter the old password
Enter new password:                                                     #enter the new password; it must be confirmed again below
Enter it again: 
Password changed.
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal hdfs/admin@YINZHENGJIE.COM with password.
kadmin.local: change_password hdfs/node103.yinzhengjie.org.cn
Enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM": 
Re-enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM": 
Password for "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" changed.
kadmin.local: 
kadmin.local: change_password hdfs/node103.yinzhengjie.org.cn                          #the kpasswd command above changes the password from the command line; we can also change it from the kadmin.local shell on the KDC server, and that way the original password does not need to be known!

10>. Create a principal and set its password

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local: addprinc admim/admin                    #here we add an administrator user for the KDC
WARNING: no policy specified for admim/admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "admim/admin@YINZHENGJIE.COM": 
Re-enter password for principal "admim/admin@YINZHENGJIE.COM": 
Principal "admim/admin@YINZHENGJIE.COM" created.
kadmin.local: listprincs
K/M@YINZHENGJIE.COM
admim/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local: quit
[root@node101.yinzhengjie.org.cn ~]# 
kadmin.local: addprinc admim/admin                                          #here we add an administrator user for the KDC

11>. Get principal information

kadmin.local: getprinc hdfs/node103.yinzhengjie.org.cn
Principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
Expiration date: [never]
Last password change: Sun May 05 18:38:15 CST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Sun May 05 18:38:15 CST 2019 (hdfs/admin@YINZHENGJIE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 3, arcfour-hmac
Key: vno 3, des-hmac-sha1
Key: vno 3, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local: 
kadmin.local: getprinc hdfs/node103.yinzhengjie.org.cn

12>. List the principals in a keytab file

[root@node101.yinzhengjie.org.cn ~]# klist -ket node103.keytab
Keytab name: FILE:node103.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]# 
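The keytabs exported with ktadd and xst in step 5 and step 8, and listed with klist -ket in step 12, share one binary layout. The following Python is an added example that is not part of the original post and not MIT krb5 code: it writes a keytab in that layout, parses it back the way klist -ket reads it, and reports two things a reviewer checks, namely the single-DES and RC4 entries this KDC's default keysalt list put into every keytab above, and a principal whose keytab still holds an older kvno (what repeated exports without -norandkey in step 8 leave behind). The principal name is taken from the page; the timestamps and keys are constructed placeholders.

```python
# Added example: build, parse and audit MIT Kerberos keytab files (format 0x0502).
# Not MIT krb5 code; every key below is a placeholder byte string, not a real key.
import struct

# RFC 3961/3962 enctype numbers, named as klist -ket prints them on this page.
ENCTYPE_NAMES = {3: "des-cbc-md5", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
KEY_LEN = {3: 8, 8: 8, 16: 24, 17: 16, 18: 32, 23: 16}
WEAK_ENCTYPES = {3, 8, 23}      # single DES (RFC 6649) and RC4 (RFC 8429)
KRB5_NT_PRINCIPAL = 1


def _counted(data):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a keytab."""
    out = bytearray(b"\x05\x02")                  # file format version 0x0502
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")                   # no '\' escape handling (demo)
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)           # 32-bit vno, for kvno > 255
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry, the same fields klist -ket prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size < 0:                              # negative size: deleted slot
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos, strings = pos + 2, []                # realm first, then components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos, vno = pos + 13 + klen, vno8
        if end - pos >= 4:                        # optional 32-bit vno present
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": vno, "enctype_id": etype, "timestamp": ts,
                        "key": key, "enctype": ENCTYPE_NAMES.get(etype, str(etype))})
    return entries


def audit_keytab(entries):
    """Findings a reviewer wants: weak enctypes, and stale kvnos left by re-exports."""
    findings, kvnos = [], {}
    for e in entries:
        if e["enctype_id"] in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s" % (e["enctype"], e["principal"]))
        kvnos.setdefault(e["principal"], set()).add(e["kvno"])
    for principal, versions in kvnos.items():
        if len(versions) > 1:
            findings.append("%s has kvnos %s: stale keys, re-export the keytab"
                            % (principal, sorted(versions)))
    return findings


# Constructed sample mirroring this page's hdfs/node103 keytab (5 enctypes, kvno 2)
# plus one leftover kvno 1 key from an earlier export; placeholder keys only.
PRINCIPAL = "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM"
SAMPLE_KEYTAB = build_keytab(
    [(PRINCIPAL, 1, 18, b"\x11" * 32, 1557044183)]
    + [(PRINCIPAL, 2, et, bytes([et]) * KEY_LEN[et], 1557044183)
       for et in (18, 16, 23, 8, 3)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d  %s (%s)" % (e["kvno"], e["principal"], e["enctype"]))
    for finding in audit_keytab(parse_keytab(SAMPLE_KEYTAB)):
        print("FINDING:", finding)
```

Pointing parse_keytab at the bytes of a real keytab such as node103.keytab above lists the same rows klist -ket shows, and audit_keytab then reports any DES/RC4 entries and stale kvnos in it.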

13>. Generate a dump file

[root@node101.yinzhengjie.org.cn ~]# ll
total 0
[root@node101.yinzhengjie.org.cn ~]# kdb5_util dump ./slava_data
[root@node101.yinzhengjie.org.cn ~]# ll
total 12
-rw------- 1 root root 5640 May  7 16:10 slava_data
-rw------- 1 root root    1 May  7 16:10 slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# ll
total 12
-rw------- 1 root root 5640 May  7 16:10 slava_data
-rw------- 1 root root    1 May  7 16:10 slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]# cat slava_data.dump_ok

[root@node101.yinzhengjie.org.cn ~]# cat slava_data
kdb5_util load_dump version 7
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat slava_data
