
kerberos部署配置


环境

  • OS: Rocky Linux 9.4
  • Hostname: ozone.example.com

部署

# KDC host: install the server side (krb5kdc, kadmind, kdb5_util) together with
# the workstation tools (kinit, klist, kadmin). -y answers the confirmation
# prompt so the step can run unattended.
dnf install -y krb5-server krb5-workstation

配置

  1. /etc/krb5.conf
includedir /etc/krb5.conf.d/

# Log destinations for the Kerberos library, the KDC and kadmind.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

# Defaults shared by every Kerberos component on this host.
[libdefaults]
# Realm and KDC come from the [realms]/[domain_realm] sections below, not from
# DNS SRV/TXT records, so a spoofed DNS answer cannot point clients at another KDC.
dns_lookup_realm = false
dns_lookup_kdc = false
# Do not rewrite user-supplied host names via forward or reverse DNS before
# forming service principal names.
dns_canonicalize_hostname = false
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Tickets are forwardable by default; a service that receives a forwarded TGT
# can act as that user, so keep this only where delegation is really needed.
forwardable = true
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
# Empty string: never append a domain to unqualified host names.
qualify_shortname = ""
default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}

# Host addresses of the KDC and the kadmin server for each realm.
[realms]
EXAMPLE.COM = {
  kdc = ozone.example.com
    admin_server = ozone.example.com
}

# Maps DNS domains / host names to their realm.
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
  2. /var/kerberos/krb5kdc/kdc.conf
# The KDC is the core of the Kerberos realm: it stores every principal's
# account data, authenticates principal requests and issues the tickets
# principals use to reach each other.

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
spake_preauth_kdc_challenge = edwards25519

# Settings for the realm served by this KDC.
[realms]
EXAMPLE.COM = {
  master_key_type = aes256-cts-hmac-sha384-192
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    # Only consulted for principals that have a password policy assigned;
    # principals created with addprinc and no -policy ("defaulting to no
    # policy" in the transcripts) are not checked against this dictionary.
    dict_file = /usr/share/dict/words
    # New principals must pre-authenticate, so the KDC never returns an AS-REP
    # encrypted under a principal's key to an unauthenticated request.
    default_principal_flags = +preauth
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    # NOTE(review): arcfour-hmac-md5 (RC4/MD5) is deprecated in MIT krb5 and
    # is disabled by the default system crypto policy on RHEL 9-family systems
    # (confirm locally); drop it unless a legacy client requires it. Every
    # type listed here ends up in every exported keytab (see the ktadd output
    # below). The commented FIPS list is the safer choice.
    supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
    # Supported encryption types for FIPS mode:
    #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
}
  3. /var/kerberos/krb5kdc/kadm5.acl
# Principals allowed to administer the KDC database through kadmind.
# Any principal in EXAMPLE.COM whose instance is "admin" (e.g. root/admin)
# receives all privileges ("*"). Each such principal amounts to full control
# of the realm, so keep the set of */admin principals small.
*/admin@EXAMPLE.COM *

初始化

# Create the KDC database. With -s the master key is also stashed in a file
# under /var/kerberos/krb5kdc so krb5kdc can start unattended; it is a dotfile,
# so the plain ls below does not show it. The stash and the principal* files
# together are the whole realm's secrets: keep them root-only (mode 0600) and
# out of backups that are not encrypted.
[root@ozone ~]# kdb5_util create -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

# The database is stored in /var/kerberos/krb5kdc/principal
[root@ozone ~]# cd /var/kerberos/krb5kdc/
[root@ozone krb5kdc]# ls
kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@ozone krb5kdc]#

添加管理账户

# Create the administrator principal. Its "admin" instance is what matches the
# */admin@EXAMPLE.COM entry in kadm5.acl, so this password protects full
# control of the realm: choose it accordingly.
[root@ozone krb5kdc]# kadmin.local addprinc root/admin@EXAMPLE.COM
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
[root@ozone krb5kdc]#

启动服务

# Bring up the KDC (krb5kdc) and the kadmin server (kadmin) ...
for unit in krb5kdc kadmin; do
  systemctl start "$unit"
done
# ... and register both to start at boot.
for unit in krb5kdc kadmin; do
  systemctl enable "$unit"
done

添加主体

# Create the Ozone service principals with random keys (-randkey): they have
# no password, so nothing can be guessed for them.
# NOTE(review): the instance part is normally the service host's FQDN
# (e.g. om/ozone.example.com@EXAMPLE.COM); om/om, scm/scm, ... only work if
# the Ozone configuration references exactly these names — confirm.
# "defaulting to no policy" means no password policy (and hence no dict_file
# check) applies to these principals.
[root@ozone ~]# kadmin.local -q "addprinc -randkey scm/scm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for scm/scm@EXAMPLE.COM; defaulting to no policy
Principal "scm/scm@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey om/om@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for om/om@EXAMPLE.COM; defaulting to no policy
Principal "om/om@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey dn/dn@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for dn/dn@EXAMPLE.COM; defaulting to no policy
Principal "dn/dn@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey s3g/s3g@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for s3g/s3g@EXAMPLE.COM; defaulting to no policy
Principal "s3g/s3g@EXAMPLE.COM" created.
[root@ozone ~]#

生成keytab

# Export each service principal's keys to its keytab. ktadd re-randomizes the
# key (kvno increments) every time it runs, which invalidates any keytab
# exported earlier; om/om is already at kvno 3 here while the others are at 2,
# which suggests it was exported more than once. With kadmin.local,
# `ktadd -norandkey` exports the current key without rotating it.
# Keytabs are long-lived credentials: chown each one to the service account,
# chmod 0400 it, and copy it to the Ozone host over an authenticated channel
# (e.g. scp) rather than a shared directory.
# One entry per type in supported_enctypes is written, including the RC4
# (arcfour-hmac) key; removing that type from kdc.conf keeps it out of keytabs.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/om.service.keytab om/om@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/scm.service.keytab scm/scm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/dn.service.keytab dn/dn@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/s3g.service.keytab s3g/s3g@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
[root@ozone ~]#

客户端

  1. 安装客户端软件
# Client hosts only need the workstation tools (kinit, klist, kadmin); no
# krb5-server is installed outside the KDC.
dnf install krb5-workstation
  2. 拷贝配置/etc/krb5.conf

kadmin和kadmin.local的区别

  • kadmin 是通过访问kadmin server进程,来实现对Kdc中的principal进行管理;
  • kadmin.local是在kdc所在的服务器上,直接访问kdc的数据库,它不依赖kadmin server,只要kdc数据库创建后,即可进行操作。

From: https://www.cnblogs.com/longtds/p/18581919
