Kerberos V5 Configuration
- Install the krb5-libs, krb5-server and krb5-workstation packages.
- Edit /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf to reflect the realm name and the domain-to-realm mappings.
A simple realm can be built by replacing every instance of EXAMPLE.COM and example.com with your own domain name (keep the same case: realm names are upper case, DNS domain names lower case) and changing kerberos.example.com to the fully qualified host name of the KDC. The sample below dates from a time when single DES was still the default enctype; current MIT Kerberos refuses DES enctypes unless allow_weak_crypto = true (and recent releases have dropped single DES entirely), and the krb4_convert setting and the krb524 service are Kerberos 4 compatibility that current releases no longer ship. A new deployment should use AES enctypes and leave those Kerberos 4 settings out.
For example:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = UK.ORACLE.COM
[realms]
UK.ORACLE.COM = {
kdc = ukp9174.uk.oracle.com:88
admin_server = ukp9174.uk.oracle.com:749
default_domain = uk.oracle.com
}
[domain_realm]
.uk.oracle.com = UK.ORACLE.COM
uk.oracle.com = UK.ORACLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
[realms]
UK.ORACLE.COM = {
master_key_type = des-cbc-crc
database_name = /var/kerberos/krb5kdc/principal
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
kadmind_port = 749
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/dict/words
}
- Edit /var/kerberos/krb5kdc/kadm5.acl to define which principals may administer the Kerberos database. The line below grants every */admin principal in the realm all privileges, which is the usual starting point:
# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@UK.ORACLE.COM *
- Create the Kerberos database with the kdb5_util command:
# kdb5_util create -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'UK.ORACLE.COM',
master key name 'K/M@UK.ORACLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: admin
Re-enter KDC database master key to verify: admin
The value admin shown after each prompt is the page's sample password; the real prompt does not echo it. The -s flag writes the master key to a stash file (/var/kerberos/krb5kdc/.k5.UK.ORACLE.COM on this layout) so the KDC can start unattended. The master key encrypts every principal key in the database, so choose the password accordingly and keep the stash file readable by root only.
- Start the Kerberos services:
# service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
# service kadmin start
Extracting kadm5 Service Keys
Authenticating as principal root/admin@UK.ORACLE.COM with password.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to
keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode raw added to
keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added
to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode raw added
to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
[ OK ]
Starting Kerberos 5 Admin Server [ OK ]
# service krb524 start
Starting Kerberos 5-to-4 Server: [ OK ]
- Add Kerberos principals:
# kadmin.local
Authenticating as principal root/admin@UK.ORACLE.COM with password.
kadmin.local: addprinc host/ukp9174.uk.oracle.com
WARNING: no policy specified for host/ukp9174.uk.oracle.com@UK.ORACLE.COM; defaulting to no policy
Enter password for principal "host/ukp9174.uk.oracle.com@UK.ORACLE.COM": admin
Re-enter password for principal "host/ukp9174.uk.oracle.com@UK.ORACLE.COM": admin
Principal "host/ukp9174.uk.oracle.com@UK.ORACLE.COM" created.
Note that host is the literal word "host" (the service name), not the server's host name, while ukp9174.uk.oracle.com is the server's fully qualified host name. A service principal like this one is normally created with a random key (addprinc -randkey) rather than a typed password, since nothing will ever type it; the ktadd step below replaces the key in any case.
kadmin.local: addprinc root
WARNING: no policy specified for root@UK.ORACLE.COM; defaulting to no policy
Enter password for principal "root@UK.ORACLE.COM": admin
Re-enter password for principal "root@UK.ORACLE.COM": admin
Principal "root@UK.ORACLE.COM" created.
- Add the host principal to the keytab:
kadmin.local: ktadd -k /etc/krb5.keytab host/ukp9174.uk.oracle.com
Entry for principal host/ukp9174.uk.oracle.com with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ukp9174.uk.oracle.com with kvno 2, encryption type Triple DES cbc mode raw added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: exit
ktadd generates a fresh random key for the principal (which is why the kvno has advanced to 2) and writes it to the keytab. /etc/krb5.keytab is equivalent to the host's password: anyone who can read it can impersonate the host, so it must stay owned by root with mode 0600.
- Test that you can obtain a ticket:
# kinit
Password for root@UK.ORACLE.COM: admin
- Show that you hold the ticket:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@UK.ORACLE.COM

Valid starting     Expires            Service principal
01/02/01 11:14:15  01/02/01 21:14:15  krbtgt/UK.ORACLE.COM@UK.ORACLE.COM

Kerberos 4 ticket cache: /tmp/tkt0
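The whole procedure above, condensed into an added shell example that is not part of the original page: render_krb5_conf and render_kdc_conf perform the substitution the page describes in prose (EXAMPLE.COM to the realm, example.com to the domain, kerberos.example.com to the KDC host) and emit AES-only versions of the two files, and count_weak_settings / list_weak_settings audit any existing krb5.conf or kdc.conf for the single/triple DES enctypes and Kerberos 4 switches the page's sample still carries. The realm EXAMPLE.COM, the host kdc1.example.com, the lifetimes and the log/database paths are constructed values for the example, not taken from a real deployment.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Renders krb5.conf / kdc.conf for a realm and audits configs for weak enctypes.
# Paths mirror the page's /var/kerberos/krb5kdc layout; they are assumptions.

# Usage: render_krb5_conf REALM domain kdc.fqdn   (client/library config)
render_krb5_conf() {
    realm=$1 domain=$2 kdc=$3
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = false

[realms]
 $realm = {
  kdc = $kdc:88
  admin_server = $kdc:749
  default_domain = $domain
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# Usage: render_kdc_conf REALM   (KDC-side config, AES enctypes only)
render_kdc_conf() {
    realm=$1
    cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $realm = {
  database_name = /var/kerberos/krb5kdc/principal
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  master_key_type = aes256-cts-hmac-sha1-96
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
  kadmind_port = 749
 }
EOF
}

# Print (with line numbers) every line of FILE that names a single or triple
# DES enctype, or turns on allow_weak_crypto / krb4_convert.
list_weak_settings() {
    grep -En 'des3?-cbc-|^[[:space:]]*(allow_weak_crypto|krb4_convert)[[:space:]]*=[[:space:]]*true' "$1" || true
}

# Print how many such lines FILE contains; 0 means the file is clean.
count_weak_settings() {
    n=$(list_weak_settings "$1" | grep -c . || true)
    echo "$n"
}

# Stand-alone demo with constructed values: render into a scratch directory,
# then audit the rendered files and a copy of the page's legacy enctype lines.
out=$(mktemp -d)
render_krb5_conf EXAMPLE.COM example.com kdc1.example.com > "$out/krb5.conf"
render_kdc_conf EXAMPLE.COM > "$out/kdc.conf"
printf ' master_key_type = des-cbc-crc\n supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal\n' > "$out/legacy.conf"
for f in "$out/krb5.conf" "$out/kdc.conf" "$out/legacy.conf"; do
    echo "$f: $(count_weak_settings "$f") weak setting(s)"
    list_weak_settings "$f"
done
rm -rf "$out"
```

Running the audit against the page's own kdc.conf reports the master_key_type and supported_enctypes lines; the krb5.conf sample is flagged only if krb4_convert is set to true, since the DES choice lives on the KDC side. After switching enctypes, existing principals keep their old keys until they are rekeyed (change_password or ktadd), so the audit should be paired with a kadmin listing of principals that still carry DES keys.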
Date: 2020-09-17 00:12:31 Source: oir Author: oir
