基础
系统 Centos 7
目标
mac ==> Kerberos 验证权限,获取ticket
服务器端安装
安装软件
sudo yum install krb5-server krb5-libs pam_krb5 -y
修改配置文件
krb5.conf
提前设置好配置文件中用到的域名解析 (例如写入 /etc/hosts).
kerberos.yufuid.org ==> 10.0.12.12
sudo vim /etc/krb5.conf
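includedir /etc/krb5.conf.d/

# /etc/krb5.conf — read by libkrb5 on the KDC host.
# Only lines beginning with '#' or ';' are comments; anything else after '='
# becomes part of the value, so annotations must be on their own line
# (the original "\\ ..." trailing notes would have corrupted the values).
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
# ticket expiry time
ticket_lifetime = 24h
# renewable window: within it a ticket can be renewed without re-entering
# credentials, so Windows/macOS clients renew without the user noticing
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# must be identical to the realm name used in [realms] below; the name
# itself has no special meaning, only the match matters
default_realm = YUFUID.ORG
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = false

[realms]
# realm name: arbitrary, but it must match default_realm above
YUFUID.ORG = {
  # KDC address; in this demo kerberos and the KDC run on the same server,
  # so give that server's IP or hostname. With dns_lookup_kdc = false the
  # hostname still has to resolve locally (see the name-resolution step above).
  kdc = kerberos.yufuid.org
  # IP or hostname of this server
  admin_server = kerberos.yufuid.org
}

[domain_realm]
# standard form: the left side is the domain of hosts that will later use
# Kerberos authentication, e.g. appservice1.yufuid.org doing ssh via Kerberos
.yufuid.org = YUFUID.ORG
yufuid.org = YUFUID.ORG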
kdc.conf
kdc.conf 是 KDC 的配置文件; KDC 持有 kerberos 数据库,主要存储认证信息
sudo vim /var/kerberos/krb5kdc/kdc.conf
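# /var/kerberos/krb5kdc/kdc.conf — read by krb5kdc and kadmind.
# Only lines beginning with '#' or ';' are comments; trailing "\\ ..." notes
# would be read as part of the value.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
# realm name: arbitrary, but it must match the realm in /etc/krb5.conf
YUFUID.ORG = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # Single-DES types (des-hmac-sha1, des-cbc-md5, des-cbc-crc) are weak and are
  # filtered out of this list anyway while allow_weak_crypto keeps its default
  # of false, so they are dropped here. arcfour-hmac (RC4) is deprecated; keep it
  # only while legacy clients still need it.
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal
}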
创建数据库
使用之前realms中的标签字段
创建时设置 kdb 数据库的 master 密码 (此命令需要 root 权限, 下方示例以普通用户执行时报 Permission denied, 应使用 sudo)
$ kdb5_util create -s -r YUFUID.ORG
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm
master key name
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Permission denied while creating database '/var/kerberos/krb5kdc/principal'
修改acl
设置可以访问kdb的用户和来源主机
sudo vim /var/kerberos/krb5kdc/kadm5.acl
# any principal whose instance is "admin" in YUFUID.ORG gets all kadmin
# permissions ("*" in the second column)
*/admin@YUFUID.ORG *
初始化数据库
kadmin.local
Authenticating as principal with password.
kadmin.local: addprinc nanzhang
WARNING: no policy specified for defaulting to no policy
Enter password for principal
Re-enter password for principal
Principal created.
# 创建管理员账户
kadmin.local: addprinc root/admin
WARNING: no policy specified for defaulting to no policy
Enter password for principal
Re-enter password for principal
Principal created.
查看 nanzhang 和管理员用户
kadmin.local: listprincs
kadmin.local:
启动kerberos服务
# Restart the KDC and kadmin daemons, then enable both so they start at boot.
for unit in krb5kdc.service kadmin.service; do
    sudo systemctl restart "$unit"
    sudo systemctl enable "$unit"
done
到此服务器端配置完毕
mac客户端安装
mac版本
10.14.3
修改mac下的ker配置
配置文件内容和服务器 /etc/krb5.conf 相同, 但是没有这一行 "includedir /etc/krb5.conf.d/".
vim /Library/Preferences/edu.mit.Kerberos
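# /Library/Preferences/edu.mit.Kerberos — Kerberos client config on the Mac.
# Only lines beginning with '#' or ';' are comments; trailing "\\ ..." notes
# would be read as part of the value.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
# ticket expiry time
ticket_lifetime = 24h
# renewable window: within it a ticket can be renewed without re-entering
# credentials, so Windows/macOS clients renew without the user noticing
renew_lifetime = 7d
forwardable = true
rdns = false
# NOTE(review): RHEL CA-bundle path copied from the server; it is likely absent
# on macOS and only matters for PKINIT, which this password-based setup does not use
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# must be identical to the realm name used in [realms] below; the name
# itself has no special meaning, only the match matters
default_realm = YUFUID.ORG
# NOTE(review): KEYRING is a Linux kernel-keyring cache type; the klist output
# further down shows an "API:" cache, so this setting appears not to take effect
# on macOS — confirm, or drop the line
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = false

[realms]
# realm name: arbitrary, but it must match default_realm above
YUFUID.ORG = {
  # KDC address; in this demo kerberos and the KDC run on the same server,
  # so give that server's IP or hostname. With dns_lookup_kdc = false the
  # hostname still has to resolve on the Mac as well.
  kdc = kerberos.yufuid.org
  # IP or hostname of the KDC server
  admin_server = kerberos.yufuid.org
}

[domain_realm]
# standard form: the left side is the domain of hosts that will later use
# Kerberos authentication, e.g. appservice1.yufuid.org doing ssh via Kerberos
.yufuid.org = YUFUID.ORG
yufuid.org = YUFUID.ORG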
通过认证,测试mac端访问kerberos服务器端
通过iterm
Sam-MacBook-Air:~ Sam$ kinit nanzhang
nanzhang@YUFUID.ORG's password:
Sam-MacBook-Air:~ Sam$ klist
Credentials cache: API:4C347D78-DC4B-435E-B4EC-1372A0919F46
Principal: nanzhang@YUFUID.ORG
Issued Expires Principal
Jun 18 14:28:51 2019 Jun 19 14:28:46 2019 krbtgt/YUFUID.ORG@YUFUID.ORG