kerberos部署配置


环境

  • OS: Rocky Linux 9.4
  • Hostname: ozone.example.com

部署

# Install the KDC/kadmin server and the client tools (kinit, klist, kadmin)
# on the KDC host; -y answers the confirmation prompt.
dnf install -y krb5-server krb5-workstation

配置

  1. /etc/krb5.conf
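includedir /etc/krb5.conf.d/

# Log destinations for the Kerberos library, the KDC and kadmind.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

# Defaults shared by every Kerberos component on this host.
[libdefaults]
# Realm and KDC discovery does not go through DNS: the [realms] and
# [domain_realm] sections below are authoritative, so KDC location cannot be
# influenced by DNS answers.
dns_lookup_realm = false
dns_lookup_kdc = false
dns_canonicalize_hostname = false
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
# NOTE(review): forwardable = true makes every TGT forwardable by default.
# A forwarded TGT lets the remote host act as the user, so keep this only if
# credential delegation is actually needed by the services.
forwardable = true
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
qualify_shortname = ""
default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}

# KDC and kadmin server addresses for each realm.
[realms]
EXAMPLE.COM = {
    kdc = ozone.example.com
    admin_server = ozone.example.com
}

# Maps DNS domains / hostnames to a realm.
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM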
  2. /var/kerberos/krb5kdc/kdc.conf
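# The KDC is the core of the Kerberos realm: it stores every principal's
# account data, authenticates principal requests and issues the tickets
# principals use to reach each other.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
spake_preauth_kdc_challenge = edwards25519

# Per-realm settings for the realm(s) served by this KDC.
[realms]
EXAMPLE.COM = {
    master_key_type = aes256-cts-hmac-sha384-192
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    # Every new principal requires pre-authentication, so the KDC will not
    # hand out an AS-REP (offline-crackable material) to an unauthenticated
    # requester.
    default_principal_flags = +preauth
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    # arcfour-hmac-md5 (RC4) has been removed from the original list: it is
    # deprecated (RFC 8429) and every keytab generated with ktadd would
    # otherwise carry an RC4 key. Re-add it only for legacy clients that
    # cannot negotiate AES.
    supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal
    # Supported encryption types for FIPS mode:
    #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
}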
  3. /var/kerberos/krb5kdc/kadm5.acl
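# Principals allowed to administer the KDC database through kadmind.
# Only the admin principal created in this walkthrough gets full rights ("*").
# The original wildcard `*/admin@EXAMPLE.COM *` would grant full rights to ANY
# principal whose instance is "admin", so every future foo/admin principal
# would silently become a KDC administrator; list admins explicitly instead.
root/admin@EXAMPLE.COM *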

初始化

# Create the KDC database. -s also writes a stash file holding the master key
# so krb5kdc and kadmind can start without prompting for it.
[root@ozone ~]# kdb5_util create -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
# The database is stored in /var/kerberos/krb5kdc/principal (plus the
# principal.* companion files listed below).
# NOTE(review): the stash file written by -s is a dotfile (typically
# .k5.EXAMPLE.COM) and does not show up in the `ls` below because -a was not
# used. It contains the master key in the clear: it and the principal* files
# must stay readable by root only, and must be backed up like a secret.
[root@ozone ~]# cd /var/kerberos/krb5kdc/
[root@ozone krb5kdc]# ls
kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@ozone krb5kdc]#

添加管理账户

# Create the administrative principal. This is the principal matched by
# kadm5.acl, so it can do anything to the KDC database through kadmind.
# Choose a strong, unique password: whoever knows it controls the realm.
[root@ozone krb5kdc]# kadmin.local addprinc root/admin@EXAMPLE.COM
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
[root@ozone krb5kdc]#

启动服务

# Start the KDC (krb5kdc) and the admin server (kadmin) now, and enable both
# so they come up again at boot.
systemctl enable --now krb5kdc kadmin

添加主体

# Service principals for the Ozone components (scm, om, dn, s3g).
# -randkey assigns a random key instead of a password: these principals are
# only ever used through keytabs, so no human needs to know the key.
# The "Authenticating as principal root/admin ... with password." banner is
# informational; kadmin.local works on the database directly and, as the
# transcript shows, never prompts for that password.
# "No policy specified" means no password policy applies. That is acceptable
# for random-key service principals, but attach a policy (addpol) to any
# human-user principal created later.
[root@ozone ~]# kadmin.local -q "addprinc -randkey scm/scm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for scm/scm@EXAMPLE.COM; defaulting to no policy
Principal "scm/scm@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey om/om@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for om/om@EXAMPLE.COM; defaulting to no policy
Principal "om/om@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey dn/dn@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for dn/dn@EXAMPLE.COM; defaulting to no policy
Principal "dn/dn@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey s3g/s3g@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for s3g/s3g@EXAMPLE.COM; defaulting to no policy
Principal "s3g/s3g@EXAMPLE.COM" created.
[root@ozone ~]#

生成keytab

# Export each service principal's keys into a keytab for its daemon.
# NOTE(review): ktadd randomizes the principal's key (unless -norandkey is
# given) and bumps the kvno, as the kvno values below show; running it again
# invalidates every copy of the keytab that was already distributed.
# One entry is written per enctype in supported_enctypes, including the
# arcfour-hmac (RC4) key seen below. If RC4 is not required by a legacy
# client, drop it from kdc.conf before generating keytabs.
# A keytab is a long-term credential equivalent to the service's password.
# The transcript does not show any permission handling: make sure
# /etc/security/keytabs is not world-readable, chown each keytab to the
# service user with mode 0400 before starting the daemons, and move keytabs
# to other hosts only over an authenticated, encrypted channel (e.g. scp).
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/om.service.keytab om/om@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/scm.service.keytab scm/scm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/dn.service.keytab dn/dn@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/s3g.service.keytab s3g/s3g@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
[root@ozone ~]#

客户端

  1. 安装客户端软件
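# Client hosts only need the workstation tools (kinit/klist/kadmin);
# -y added for consistency with the non-interactive server install above.
dnf install -y krb5-workstation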
  2. 将 KDC 上的 /etc/krb5.conf 拷贝到客户端。客户端只需要 krb5.conf;kdc.conf、kadm5.acl、数据库和 stash 文件只属于 KDC 主机,不要分发。若服务 keytab 需要放到其他主机,应通过加密且经过认证的通道(如 scp)传输,并设置为对应服务用户所有、权限 0400。

kadmin和kadmin.local的区别

  • kadmin 通过网络访问 kadmin server(kadmind)进程来管理 KDC 中的 principal,需要以 kadm5.acl 中授权的 principal(本文为 root/admin)进行认证,可在任何装有 krb5-workstation 的主机上使用;
  • kadmin.local 只能在 KDC 所在服务器上运行,它直接读写 KDC 的数据库文件,不依赖 kadmin server,只要 KDC 数据库创建后即可操作。其权限来自对数据库文件的本地(root)访问而非 kadm5.acl,因此 KDC 主机的 root 权限必须严格控制。
