Quickly Setting Up a Kerberos Server and Getting Started

Author: 尹正杰

Copyright notice: this is an original work and may not be reproduced; violations will be pursued legally.

  

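  Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of the protocol is available from the Massachusetts Institute of Technology (MIT). Kerberos is also available in many commercial products.

  Although there are many configuration parameters and settings, configuring a Kerberos-managed Hadoop cluster is fairly straightforward. With a clear understanding of the Kerberos concepts introduced in the earlier sections, you can use Kerberos to protect a cluster with confidence.

  In short, Kerberos is a solution to your network security problems. It provides authentication and strong cryptography over the network to help you protect information systems across the whole enterprise. Official Kerberos site: http://web.mit.edu/kerberos/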

I. Set up the Kerberos server (node101.yinzhengjie.org.cn)

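Recommended reading:
Kerberos release page: https://kerberos.org/dist/index.html
Official Kerberos documentation: http://web.mit.edu/kerberos/krb5-1.17/doc/index.html
Oracle's Kerberos documentation: https://docs.oracle.com/cd/E26926_01/html/E25889/intro-1.html#scrolltoc

The latest version of Kerberos can be downloaded from the MIT website; its release date is 2019-01-08, i.e. krb5-1.17.tar.gz. After downloading and unpacking it you can build and install it from source. For convenience we install directly with yum here, in one step, keeping things as simple as possible.

To configure Kerberos authentication, Kerberos must first be installed and configured. This has to be completed before the Hadoop cluster configuration is adjusted for Kerberos. First install the Kerberos software, which means installing the KDC on one cluster node. Then install the Kerberos client on all cluster nodes. Configuring Kerberos means configuring the aspects that the KDC manages, such as ticket lifetimes. Along the way you can create the realm, the users and the service principals, and begin adjusting the cluster configuration for Kerberos authentication. The steps for installing Kerberos on the master node are as follows: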

1>. Install the KDC server

[root@node101.yinzhengjie.org.cn ~]# yum -y install krb5-server krb5-lib krb5-workstation
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                                                                 | 3.6 kB  00:00:00
extras                                                                                                                                                               | 3.4 kB  00:00:00
mysql-connectors-community                                                                                                                                           | 2.5 kB  00:00:00
mysql-tools-community                                                                                                                                                | 2.5 kB  00:00:00
mysql56-community                                                                                                                                                    | 2.5 kB  00:00:00
updates                                                                                                                                                              | 3.4 kB  00:00:00
zabbix                                                                                                                                                               | 2.9 kB  00:00:00
zabbix-non-supported                                                                                                                                                 |  951 B  00:00:00
mysql-connectors-community/x86_64/primary_db                                                                                                                         |  41 kB  00:00:00
No package krb5-lib available.
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.15.1-37.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-37.el7_6 for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-37.el7_6 for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.11(kadm5srv_mit_11_MIT)(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11(kadm5clnt_mit_11_MIT)(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.1-37.el7_6.x86_64
mysql-connectors-community/x86_64/filelists_db                                                                                                                       |  54 kB  00:00:00
mysql-tools-community/x86_64/filelists_db                                                                                                                            | 158 kB  00:00:00
mysql56-community/x86_64/filelists_db                                                                                                                                | 732 kB  00:00:01
zabbix/x86_64/filelists_db                                                                                                                                           |  46 kB  00:00:00
zabbix-non-supported/x86_64/filelists                                                                                                                                |  660 B  00:00:00
--> Processing Dependency: libkadm5srv_mit.so.11()(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11()(64bit) for package: krb5-server-1.15.1-37.el7_6.x86_64
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.15.1-34.el7 will be updated
---> Package krb5-libs.x86_64 0:1.15.1-37.el7_6 will be an update
---> Package libkadm5.x86_64 0:1.15.1-37.el7_6 will be installed
---> Package libverto-libevent.x86_64 0:0.2.5-4.el7 will be installed
---> Package words.noarch 0:3.0-22.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch      Version            Repository      Size
================================================================================
Installing:
 krb5-server           x86_64    1.15.1-37.el7_6    updates        1.0 M
 krb5-workstation      x86_64    1.15.1-37.el7_6    updates        816 k
Installing for dependencies:
 libkadm5              x86_64    1.15.1-37.el7_6    updates        178 k
 libverto-libevent     x86_64    0.2.5-4.el7        base           8.9 k
 words                 noarch    3.0-22.el7         base           1.4 M
Updating for dependencies:
 krb5-libs             x86_64    1.15.1-37.el7_6    updates        803 k

Transaction Summary
================================================================================
Install  2 Packages (+3 Dependent packages)
Upgrade             ( 1 Dependent package)

Total download size: 4.2 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/6): krb5-libs-1.15.1-37.el7_6.x86_64.rpm                                                                                                                          | 803 kB  00:00:00
(2/6): krb5-server-1.15.1-37.el7_6.x86_64.rpm                                                                                                                        | 1.0 MB  00:00:01
(3/6): libkadm5-1.15.1-37.el7_6.x86_64.rpm                                                                                                                           | 178 kB  00:00:00
(4/6): krb5-workstation-1.15.1-37.el7_6.x86_64.rpm                                                                                                                   | 816 kB  00:00:00
(5/6): libverto-libevent-0.2.5-4.el7.x86_64.rpm                                                                                                                      | 8.9 kB  00:00:00
(6/6): words-3.0-22.el7.noarch.rpm                                                                                                                                   | 1.4 MB  00:00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                       2.4 MB/s | 4.2 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : krb5-libs-1.15.1-37.el7_6.x86_64                1/7
  Installing : libkadm5-1.15.1-37.el7_6.x86_64                 2/7
  Installing : words-3.0-22.el7.noarch                         3/7
  Installing : libverto-libevent-0.2.5-4.el7.x86_64            4/7
  Installing : krb5-server-1.15.1-37.el7_6.x86_64              5/7
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64         6/7
  Cleanup    : krb5-libs-1.15.1-34.el7.x86_64                  7/7
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64         1/7
  Verifying  : krb5-libs-1.15.1-37.el7_6.x86_64                2/7
  Verifying  : libkadm5-1.15.1-37.el7_6.x86_64                 3/7
  Verifying  : libverto-libevent-0.2.5-4.el7.x86_64            4/7
  Verifying  : krb5-server-1.15.1-37.el7_6.x86_64              5/7
  Verifying  : words-3.0-22.el7.noarch                         6/7
  Verifying  : krb5-libs-1.15.1-34.el7.x86_64                  7/7

Installed:
  krb5-server.x86_64 0:1.15.1-37.el7_6        krb5-workstation.x86_64 0:1.15.1-37.el7_6

Dependency Installed:
  libkadm5.x86_64 0:1.15.1-37.el7_6        libverto-libevent.x86_64 0:0.2.5-4.el7        words.noarch 0:3.0-22.el7

Dependency Updated:
  krb5-libs.x86_64 0:1.15.1-37.el7_6

Complete!
[root@node101.yinzhengjie.org.cn ~]# 

2>. Edit the KDC configuration file

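[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@node101.yinzhengjie.org.cn ~]#

Explanation of the parameters above:
[kdcdefaults]: this section holds the general settings that apply to everything listed in this file.
kdc_ports            : the default port of the KDC.
kdc_tcp_ports        : the default TCP port of the KDC.
[realms]: this section lists the configuration of each realm.
YINZHENGJIE.COM      : the realm being defined. The name is arbitrary (uppercase is recommended) but must match /etc/krb5.conf. Kerberos can support multiple realms, at the cost of added complexity. The name is case-sensitive.
master_key_type      : disabled by default; if 256-bit encryption is needed, download and install the Java Cryptography Extension (JCE). When this parameter is disabled, 128-bit encryption is used by default.
acl_file             : the file that records the privileges of admin users; if it does not exist you must create it yourself. In other words, this parameter specifies the ACL for the UPNs that have administrative access to the Kerberos database.
supported_enctypes   : the encryption types this KDC supports.
admin_keytab         : the keytab the KDC uses for verification.
max_life             : the maximum lifetime of a ticket, for example 2 days.
max_renewable_life   : the period within which a ticket can be renewed.
dict_file            : points to a file containing potentially guessable or crackable passwords.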
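The supported_enctypes line above still lists single DES, triple DES and RC4 next to AES. The following is an added example, not part of the original post: a small audit that parses the [realms] section of a kdc.conf and reports every weak enctype a realm offers. The sample text is the page's kdc.conf laid out one relation per line; the AES-only replacement line and all function names are assumptions made for the illustration.

```python
import re

# Names as spelled in MIT krb5's enctype list. Single DES was deprecated by
# RFC 6649; triple DES and RC4 (arcfour) were deprecated by RFC 8429.
WEAK = {
    "des": "single DES", "des-cbc-crc": "single DES",
    "des-cbc-md4": "single DES", "des-cbc-md5": "single DES",
    "des-cbc-raw": "single DES", "des-hmac-sha1": "single DES",
    "des3": "triple DES", "des3-cbc-raw": "triple DES",
    "des3-cbc-sha1": "triple DES", "des3-hmac-sha1": "triple DES",
    "des3-cbc-sha1-kd": "triple DES",
    "rc4": "RC4", "arcfour-hmac": "RC4", "rc4-hmac": "RC4",
    "arcfour-hmac-md5": "RC4", "arcfour-hmac-exp": "RC4 (export)",
}

# Constructed sample: the kdc.conf from the page, one relation per line.
PAGE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.COM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Assumption: an AES-only replacement for the supported_enctypes line.
AES_ONLY = "supported_enctypes = aes256-cts:normal aes128-cts:normal"
HARDENED_KDC_CONF = re.sub(r"supported_enctypes = .*", AES_ONLY, PAGE_KDC_CONF)


def realm_enctypes(conf_text):
    """Map each realm in [realms] to its supported_enctypes as (enctype, salt)."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # new top-level section
            section, realm = header.group(1), None
            continue
        if section != "realms":
            continue
        opener = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if opener:                                # "REALM = {"
            realm = opener.group(1)
            realms[realm] = []
        elif line.startswith("}"):                # end of the realm block
            realm = None
        elif realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "supported_enctypes":
                for item in re.split(r"[\s,]+", value):
                    if item:
                        enctype, _, salt = item.partition(":")
                        realms[realm].append((enctype.lower(), salt or "normal"))
    return realms


def weak_enctypes(conf_text):
    """Return (realm, enctype, reason) for every weak enctype a realm offers."""
    return [(realm, enctype, WEAK[enctype])
            for realm, pairs in realm_enctypes(conf_text).items()
            for enctype, _salt in pairs if enctype in WEAK]


if __name__ == "__main__":
    for realm, enctype, reason in weak_enctypes(PAGE_KDC_CONF):
        print(f"{realm}: {enctype} ({reason})")
```

supported_enctypes sets the key/salt types generated for new or re-keyed principals, so keys created under the old list stay in the database until the principal's password or keytab is changed.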

3>. Configure the access-control (ACL) file of the KDC service

[root@node101.yinzhengjie.org.cn ~]# cat /var/kerberos/krb5kdc/kadm5.acl     # We make every */admin@YINZHENGJIE.COM principal an administrator with full privileges. Pay attention to the "*" wildcard.
*/admin@YINZHENGJIE.COM *
[root@node101.yinzhengjie.org.cn ~]#

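Explanation of the parameters above: the entry has only two columns; the first is the principal name and the second is the privileges granted. The file format is: Kerberos_principal permissions [target_principal] [restrictions]. The fields used in the file above mean:
*/admin@YINZHENGJIE.COM     : any principal whose name ends in "/admin@YINZHENGJIE.COM".
*                           : the UPN may perform any operation, because the permission is "all privileges". Make sure you understand the difference between this second "*" and the first "*".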
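To make the difference between the two "*" concrete, here is an added example (not part of the original post) that parses a kadm5.acl and lists which existing principals end up as full administrators. The ACL line and the principal list are the ones shown on this page (the list is the listprincs output from step 8); the tighter ACL and all function names are assumptions. Matching follows the kadm5.acl rules that each name component may be wildcarded with "*" and that the first matching line decides.

```python
# Constructed samples: the ACL line and the listprincs output shown on the page.
PAGE_ACL = "*/admin@YINZHENGJIE.COM *\n"
PAGE_PRINCIPALS = [
    "K/M@YINZHENGJIE.COM",
    "kadmin/admin@YINZHENGJIE.COM",
    "kadmin/changepw@YINZHENGJIE.COM",
    "kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM",
    "kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM",
    "krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM",
    "root/admin@YINZHENGJIE.COM",
]
# Assumption: a tighter ACL that names the one administrator explicitly.
EXPLICIT_ACL = "root/admin@YINZHENGJIE.COM *\n"

ALL_PRIVILEGES = {"*", "x"}   # in kadm5.acl both "x" and "*" grant everything


def split_principal(name):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    components, _, realm = name.partition("@")
    return components.split("/"), realm


def acl_match(pattern, principal):
    """Component-wise match: '*' stands for one whole component or the realm."""
    pat_parts, pat_realm = split_principal(pattern)
    parts, realm = split_principal(principal)
    if len(pat_parts) != len(parts):
        return False
    pairs = list(zip(pat_parts, parts)) + [(pat_realm, realm)]
    return all(p == "*" or p == actual for p, actual in pairs)


def parse_acl(text):
    """Parse 'principal permissions [target_principal] [restrictions]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) >= 2:
            entries.append({"principal": fields[0], "permissions": fields[1],
                            "target": fields[2] if len(fields) > 2 else None})
    return entries


def wildcard_full_grants(acl_text):
    """ACL lines giving every privilege to a wildcard principal on all targets."""
    return [e for e in parse_acl(acl_text)
            if "*" in e["principal"] and e["permissions"] in ALL_PRIVILEGES
            and e["target"] is None]


def full_admins(acl_text, principals):
    """Existing principals that the ACL makes full administrators."""
    # Only lines without a target_principal are considered (they cover all targets).
    entries = [e for e in parse_acl(acl_text) if e["target"] is None]
    admins = []
    for name in principals:
        # The first matching line decides, since the file is read top-down.
        first = next((e for e in entries if acl_match(e["principal"], name)), None)
        if first and first["permissions"] in ALL_PRIVILEGES:
            admins.append(name)
    return admins


if __name__ == "__main__":
    print("wildcard lines with all privileges:", wildcard_full_grants(PAGE_ACL))
    print("full administrators today:", full_admins(PAGE_ACL, PAGE_PRINCIPALS))
```

With the wildcard line, any principal later created with the instance "admin" becomes a full administrator as soon as it exists, which is why the principal list is worth re-checking after every addprinc.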

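4>. Edit the Kerberos configuration file (it holds the location of the KDC, the realms of the Kerberos admin server, and so on; the file must be kept in sync on every machine that uses Kerberos)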

[root@node101.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
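includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[root@node101.yinzhengjie.org.cn ~]#

Explanation of the configuration parameters above:
[logging]: how the Kerberos daemons log; in other words, where the server-side logs are written.
default                         : default path of the krb5libs.log log file
kdc                             : default path of the krb5kdc.log log file
admin_server                    : default path of the kadmind.log log file
[libdefaults]: the default values used by Kerberos. When authenticating without specifying a Kerberos realm, the realm given by default_realm is used. These are the defaults for every connection; pay attention to the following key settings:
dns_lookup_realm                : DNS lookup of the realm, which can be thought of as forward DNS resolution. I have not verified this feature; it is disabled by default. (My guess is that it is related to the domain_realm configuration.)
ticket_lifetime                 : how long a credential is valid, set to 7 days.
rdns                            : as I understand it, the opposite of dns_lookup_realm, i.e. reverse resolution. I have not verified this feature either; leaving it disabled, the default, is fine. (My guess is that it is related to the domain_realm configuration.)
pkinit_anchors                  : the location of pkinit configured in the KDC. I have not verified in detail what this parameter does.
default_realm = YINZHENGJIE.COM : sets the default realm for Kerberos applications. If you have several realms, just add further statements to the [realms] section. YINZHENGJIE.COM can be any name, uppercase recommended, and must match the name of the realm being configured.
default_ccache_name             : as the name says, the default cache name. Using this parameter is not recommended.
renew_lifetime                  : the longest period over which a credential can be renewed, usually 7 days. Once the credential has expired, later access to securely authenticated services fails.
forwardable                     : if set to true, tickets can be forwarded. This means that if a user holding a TGT logs in to a remote system, the KDC can issue a new TGT without the user authenticating again.
renewable                       : whether tickets may be renewed.
[realms]: realm-specific information, such as the location of the realm's Kerberos servers. There may be several entries, one per realm. A port can be given for the KDC and for the admin server; if none is configured, the KDC uses port 88 and the admin server uses 749. In short, this section lists the realms in use.
kdc                             : the location of the KDC, in the form host:port
admin_server                    : the location of the admin server, in the form host:port
default_domain                  : as the name says, the default domain name.
[domain_realm]: the mapping between DNS domain names and Kerberos realm names. Given a server's FQDN, the matching domain_realm value decides which realm the host belongs to.
[kdc]: KDC configuration, i.e. the location of kdc.conf.
profile                         : path of the KDC configuration file; if no file exists at the default location, it has to be created.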

5>. Initialize the KDC database

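[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s      # Note: the -s option stores the database master key in a file, so that the master key can be regenerated automatically every time the KDC starts. Remember the master key; it is used later.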
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
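Enter KDC database master key:                       # Enter a password for administering the KDC server here. Do not forget it; if you do, your only option is to initialize the KDC database again. (If you are told that the database already exists, delete the principal-related files under /var/kerberos/krb5kdc/. The default database name is principal; use -d to specify a different database name.)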
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': File exists while creating database '/var/kerberos/krb5kdc/principal'
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rm -f /var/kerberos/krb5kdc/principal*
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@node101.yinzhengjie.org.cn ~]# 

kdb5_util: Cannot open DB2 database '/var/kerberos/krb5kdc/principal': File exists while creating database '/var/kerberos/krb5kdc/principal'       # this failure has been resolved

[root@node101.yinzhengjie.org.cn ~]# ll -a /var/kerberos/krb5kdc/         # Once the Kerberos database has been created successfully, the following 5 files are created in this directory by default; I marked them in pink.
total 36
drwxr-xr-x  2 root root 4096 May 30 16:26 .
drwxr-xr-x. 4 root root 4096 May 30 16:20 ..
-rw-------  1 root root   80 May 30 16:26 .k5.YINZHENGJIE.COM            # the stash file k5.YINZHENGJIE.COM; it is a hidden file by default
-rw-------  1 root root   26 May 30 16:25 kadm5.acl                  # configuration file that defines administrator privileges
-rw-------  1 root root  422 May 30 16:25 kdc.conf                   # main configuration file of the KDC
-rw-------  1 root root 8192 May 30 16:26 principal                  # Kerberos database file
-rw-------  1 root root 8192 May 30 16:26 principal.kadm5               # Kerberos database administration file
-rw-------  1 root root    0 May 30 16:26 principal.kadm5.lock            # database lock file
-rw-------  1 root root    0 May 30 16:26 principal.ok                 # Kerberos database file
[root@node101.yinzhengjie.org.cn ~]#  

6>. Start the KDC server

[root@node101.yinzhengjie.org.cn ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start krb5kdc
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-30 17:37:38 CST; 1s ago
  Process: 5292 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5293 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─5293 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

Apr 30 17:37:38 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 KDC...
Apr 30 17:37:38 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 KDC.
[root@node101.yinzhengjie.org.cn ~]# 

7>. Start the Kerberos administration server (kadmin)

[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl start kadmin
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-30 17:40:13 CST; 2s ago
  Process: 5361 ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5363 (kadmind)
   CGroup: /system.slice/kadmin.service
           └─5363 /usr/sbin/kadmind -P /var/run/kadmind.pid

Apr 30 17:40:13 node101.yinzhengjie.org.cn systemd[1]: Starting Kerberos 5 Password-changing and Administration...
Apr 30 17:40:13 node101.yinzhengjie.org.cn systemd[1]: Started Kerberos 5 Password-changing and Administration.
[root@node101.yinzhengjie.org.cn ~]# 

8>. Add a super-administrator account on the KDC server

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
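kadmin.local:  addprinc root/admin        # We add an administrator for the KDC; the administrator rule was already defined in "/var/kerberos/krb5kdc/kadm5.acl". Attentive readers will notice that we typed "root/admin" but the created user is shown as "root/admin@YINZHENGJIE.COM".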
WARNING: no policy specified for root/admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "root/admin@YINZHENGJIE.COM":
Re-enter password for principal "root/admin@YINZHENGJIE.COM":
Principal "root/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/admin@YINZHENGJIE.COM
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]# 

II. Set up the Kerberos client environment

1>. Install the client

[root@node103.yinzhengjie.org.cn ~]# yum install -y krb5-lib krb5-workstation
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                                                                 | 3.6 kB  00:00:00
extras                                                                                                                                                               | 3.4 kB  00:00:00
updates                                                                                                                                                              | 3.4 kB  00:00:00
zabbix                                                                                                                                                               | 2.9 kB  00:00:00
zabbix-non-supported                                                                                                                                                 |  951 B  00:00:00
No package krb5-lib available.
Resolving Dependencies
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-37.el7_6 for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-37.el7_6 for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.11(kadm5srv_mit_11_MIT)(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11(kadm5clnt_mit_11_MIT)(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5srv_mit.so.11()(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Processing Dependency: libkadm5clnt_mit.so.11()(64bit) for package: krb5-workstation-1.15.1-37.el7_6.x86_64
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.15.1-34.el7 will be updated
---> Package krb5-libs.x86_64 0:1.15.1-37.el7_6 will be an update
---> Package libkadm5.x86_64 0:1.15.1-37.el7_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch      Version            Repository      Size
================================================================================
Installing:
 krb5-workstation      x86_64    1.15.1-37.el7_6    updates        816 k
Installing for dependencies:
 libkadm5              x86_64    1.15.1-37.el7_6    updates        178 k
Updating for dependencies:
 krb5-libs             x86_64    1.15.1-37.el7_6    updates        803 k

Transaction Summary
================================================================================
Install  1 Package  (+1 Dependent package)
Upgrade             ( 1 Dependent package)

Total download size: 1.8 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): krb5-libs-1.15.1-37.el7_6.x86_64.rpm                                                                                                                          | 803 kB  00:00:00
(2/3): libkadm5-1.15.1-37.el7_6.x86_64.rpm                                                                                                                           | 178 kB  00:00:00
(3/3): krb5-workstation-1.15.1-37.el7_6.x86_64.rpm                                                                                                                   | 816 kB  00:00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                       3.1 MB/s | 1.8 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : krb5-libs-1.15.1-37.el7_6.x86_64                1/4
  Installing : libkadm5-1.15.1-37.el7_6.x86_64                 2/4
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64         3/4
  Cleanup    : krb5-libs-1.15.1-34.el7.x86_64                  4/4
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64         1/4
  Verifying  : krb5-libs-1.15.1-37.el7_6.x86_64                2/4
  Verifying  : libkadm5-1.15.1-37.el7_6.x86_64                 3/4
  Verifying  : krb5-libs-1.15.1-34.el7.x86_64                  4/4

Installed:
  krb5-workstation.x86_64 0:1.15.1-37.el7_6

Dependency Installed:
  libkadm5.x86_64 0:1.15.1-37.el7_6

Dependency Updated:
  krb5-libs.x86_64 0:1.15.1-37.el7_6

Complete!
[root@node103.yinzhengjie.org.cn ~]# 

2>. Copy the server's configuration file to the client

[root@node101.yinzhengjie.org.cn ~]# scp /etc/krb5.conf node103.yinzhengjie.org.cn:/etc/
krb5.conf                                                                                                                                                 100%  711     2.2MB/s   00:00
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ssh node103.yinzhengjie.org.cn
Last login: Tue Apr 30 17:44:57 2019 from 172.30.1.2
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 YINZHENGJIE.COM = {
  kdc = node101.yinzhengjie.org.cn:88
  admin_server = node101.yinzhengjie.org.cn:749
  default_domain = YINZHENGJIE.COM
 }

[domain_realm]
 .yinzhengjie.com = YINZHENGJIE.COM
 yinzhengjie.com = YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]# 

3>. Once the client configuration file is in sync with the server, log in to verify that login succeeds

[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kinit root/admin                    # We have now logged in successfully in this terminal as root/admin@YINZHENGJIE.COM.
Password for root/admin@YINZHENGJIE.COM:
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
04/30/2019 18:29:43  05/01/2019 18:29:43  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]# 

III. Basic Kerberos commands

1>. Use the kadmin.local command to enter local administrator mode

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local:  ?                                  # Enter "?" to list the available commands, as shown below.
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin.local:  

2>. List the existing principals

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:  

kadmin.local: listprincs

3>. Create principals

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local:  addprinc -randkey hdfs/node101.yinzhengjie.org.cn
WARNING: no policy specified for hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:  

kadmin.local: addprinc -randkey hdfs/node101.yinzhengjie.org.cn                # create a principal with a random key

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/master@YINZHENGJIE.COM
kadmin.local:
kadmin.local:  addprinc -pw 123456 jason/admin
WARNING: no policy specified for jason/admin@YINZHENGJIE.COM; defaulting to no policy
Principal "jason/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
jason/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/master@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kinit jason/admin
Password for jason/admin@YINZHENGJIE.COM:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jason/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/07/2019 16:28:35  05/08/2019 16:28:35  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# 

kadmin.local: addprinc -pw 123456 jason/admin                            # create a principal with a specified key

4>. Delete a principal

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local:  delprinc hdfs/node101.yinzhengjie.org.cn
Are you sure you want to delete the principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM"? (yes/no): yes
Principal "hdfs/node101.yinzhengjie.org.cn@YINZHENGJIE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:  

kadmin.local: delprinc hdfs/node101.yinzhengjie.org.cn

5>. Export a user's keytab file (using the xst or ktadd command)

kadmin.local:  addprinc -randkey hdfs/node103.yinzhengjie.org.cn
WARNING: no policy specified for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local:  

kadmin.local: ktadd -k /root/node103.keytab

kadmin.local:  xst -k /root/node103.keytab-v2 hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab-v2.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 5, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab-v2.
kadmin.local:
kadmin.local:  

kadmin.local: xst -k /root/node103.keytab-v2

[root@node101.yinzhengjie.org.cn ~]# pwd
/root
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 8
-rw------- 1 root root 1376 May  5 16:05 node103.keytab
-rw------- 1 root root  460 May  5 16:05 node103.keytab-v2
[root@node101.yinzhengjie.org.cn ~]#  

kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:
kadmin.local:  xst -norandkey -k /root/my.keytab hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM admin/admin@YINZHENGJIE.COM kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal admin/admin@YINZHENGJIE.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/root/my.keytab.
Entry for principal kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/root/my.keytab.
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw------- 1 root root 1286 May  7 16:17 my.keytab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist -k -e -t my.keytab
Keytab name: FILE:my.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   3 05/07/2019 16:17:18 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (arcfour-hmac)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/07/2019 16:17:18 admin/admin@YINZHENGJIE.COM (des-cbc-md5)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/07/2019 16:17:18 kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# 

kadmin.local: xst -norandkey -k /root/my.keytab hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM admin/admin@YINZHENGJIE.COM kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM    # export multiple principals into a single keytab

6>. View the currently authenticated user on the client

[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
04/30/2019 18:29:43  05/01/2019 18:29:43  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]# 

[root@node103.yinzhengjie.org.cn ~]# klist

7>. Delete the current authentication cache

[root@node103.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@YINZHENGJIE.COM

Valid starting       Expires              Service principal
04/30/2019 18:29:43  05/01/2019 18:29:43  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# kdestroy
[root@node103.yinzhengjie.org.cn ~]#
[root@node103.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node103.yinzhengjie.org.cn ~]# 

[root@node103.yinzhengjie.org.cn ~]# kdestroy

8>. Authenticate a user

kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:  addprinc hdfs/node103.yinzhengjie.org.cn
WARNING: no policy specified for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Re-enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admin/admin@YINZHENGJIE.COM
hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:  

kadmin.local: addprinc hdfs/node103.yinzhengjie.org.cn                               # create the principal

kadmin.local:  ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local:
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw------- 1 root root 460 May  5 16:13 node103.keytab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# 

kadmin.local: ktadd -k /root/node103.keytab hdfs/node103.yinzhengjie.org.cn                 # export the key

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw------- 1 root root 460 May  5 16:13 node103.keytab
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kinit -kt node103.keytab hdfs/node103.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/05/2019 16:17:19  05/06/2019 16:17:19  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# kinit -kt node103.keytab hdfs/node103.yinzhengjie.org.cn       # authenticate using the keytab

[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/05/2019 16:17:19  05/06/2019 16:17:19  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdestroy
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# kdestroy                                    # delete the authentication cache

[root@node103.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM:
kinit: Password incorrect while getting initial credentials
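[root@node103.yinzhengjie.org.cn ~]#

Solution to the problem above (cause: each time a keytab file is generated, the principal's password may be replaced with a random key; adding "-norandkey" solves the problem!)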
kadmin.local:  ktadd -k /root/node103.keytab -norandkey hdfs/node103.yinzhengjie.org.cn
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/root/node103.keytab.
Entry for principal hdfs/node103.yinzhengjie.org.cn with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/root/node103.keytab.
kadmin.local:  

kinit: Password incorrect while getting initial credentials                           # solution

[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM:
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM

Valid starting       Expires              Service principal
05/05/2019 17:36:30  05/06/2019 17:36:30  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# kinit hdfs/node103.yinzhengjie.org.cn                  # authenticate using a password

9>. Change a Kerberos user's password

[root@node101.yinzhengjie.org.cn ~]# kpasswd hdfs/node103.yinzhengjie.org.cn
Password for hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM:                            # enter the old password
Enter new password:                                                     # enter the new password; it must be confirmed again below
Enter it again:
Password changed.
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal hdfs/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local:
kadmin.local:  change_password hdfs/node103.yinzhengjie.org.cn
Enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Re-enter password for principal "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM":
Password for "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" changed.
kadmin.local:  

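kadmin.local: change_password hdfs/node103.yinzhengjie.org.cn                          # The change above was made from the command line; we can also change the password in a shell on the KDC server, and this does not require knowing the original password!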

10>. Create a principal and set its password

[root@node101.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:
kadmin.local:  addprinc admim/admin                    # here we add an administrator user to the KDC
WARNING: no policy specified for admim/admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "admim/admin@YINZHENGJIE.COM":
Re-enter password for principal "admim/admin@YINZHENGJIE.COM":
Principal "admim/admin@YINZHENGJIE.COM" created.
kadmin.local:
kadmin.local:  listprincs
K/M@YINZHENGJIE.COM
admim/admin@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
kiprop/node101.yinzhengjie.org.cn@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:
kadmin.local:  quit
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

kadmin.local: addprinc admim/admin                                          # here we add an administrator user to the KDC

11>. Get information about a principal

kadmin.local:  getprinc hdfs/node103.yinzhengjie.org.cn
Principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
Expiration date: [never]
Last password change: Sun May 05 18:38:15 CST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Sun May 05 18:38:15 CST 2019 (hdfs/admin@YINZHENGJIE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 3, arcfour-hmac
Key: vno 3, des-hmac-sha1
Key: vno 3, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local:  

kadmin.local: getprinc hdfs/node103.yinzhengjie.org.cn

12>. List the accounts in a keytab file

[root@node101.yinzhengjie.org.cn ~]#  klist -ket node103.keytab
Keytab name: FILE:node103.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)
[root@node101.yinzhengjie.org.cn ~]# 
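
Every keytab exported on this page carries five encryption types, of which single DES, 3DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429), and the getprinc output in step 11 reports key version 3 while the keytab listed in step 12 still holds kvno 1. The shell functions below are an added example, not part of the original post: they parse `klist -ket` and `getprinc` output to flag deprecated enctypes and a keytab whose kvno no longer matches the KDC. The function names are illustrative and the sample text is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example: audit a keytab listing for deprecated enctypes and stale kvno.
# Real use (on the KDC host):
#   klist -ket /root/node103.keytab | weak_entries
#   kadmin.local -q "getprinc hdfs/node103.yinzhengjie.org.cn" | kdc_kvno

# Constructed sample input, shaped like the `klist -ket` output in step 12.
KLIST_SAMPLE='Keytab name: FILE:node103.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (aes256-cts-hmac-sha1-96)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des3-cbc-sha1)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (arcfour-hmac)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-hmac-sha1)
   1 05/05/2019 17:36:23 hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM (des-cbc-md5)'

# Constructed sample input, shaped like the `getprinc` output in step 11.
GETPRINC_SAMPLE='Principal: hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM
Number of keys: 5
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 3, arcfour-hmac
Key: vno 3, des-hmac-sha1
Key: vno 3, des-cbc-md5
MKey: vno 1'

# keytab_entries: read `klist -ket` output on stdin and print one
# "kvno principal enctype" line per key. Header and ruler lines are skipped
# because their first field is not a number.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 {
        e = $NF
        gsub(/[()]/, "", e)          # "(des-cbc-md5)" -> "des-cbc-md5"
        sub(/^DEPRECATED:/, "", e)   # tolerate the prefix some klist builds print
        print $1, $(NF - 1), e
    }'
}

# weak_entries: keep only keys using single DES, 3DES or RC4.
weak_entries() {
    keytab_entries | awk '$3 ~ /^(des-|des3-|arcfour-)/'
}

# keytab_kvno PRINCIPAL: highest kvno found on stdin for PRINCIPAL
# (prints 0 when the principal is not in the keytab).
keytab_kvno() {
    keytab_entries | awk -v p="$1" '
        $2 == p && ($1 + 0) > max { max = $1 + 0 }
        END { print max + 0 }'
}

# kdc_kvno: read `getprinc` output on stdin and print the highest
# "Key: vno N". The "MKey:" line is the master key version and is ignored.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" {
            v = $3
            sub(/,/, "", v)
            if (v + 0 > max) max = v + 0
         }
         END { print max + 0 }'
}

# keytab_status PRINCIPAL KLIST_TEXT GETPRINC_TEXT
# Prints "current" when the keytab holds the KDC's newest key version,
# otherwise "stale (...)": kinit -kt with such a keytab fails until the
# keytab is exported again.
keytab_status() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    if [ "$kt" -eq "$kdc" ]; then
        echo "current"
    else
        echo "stale (keytab kvno $kt, KDC kvno $kdc)"
    fi
}

# Demonstration on the constructed samples.
printf '%s\n' "$KLIST_SAMPLE" | weak_entries
keytab_status "hdfs/node103.yinzhengjie.org.cn@YINZHENGJIE.COM" \
    "$KLIST_SAMPLE" "$GETPRINC_SAMPLE"
```

A keytab that reports deprecated enctypes can be exported again with only the wanted types by passing `-e aes256-cts-hmac-sha1-96:normal` to `ktadd`; note that `-norandkey` is accepted only by `kadmin.local`.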

13>. Generate a dump file

[root@node101.yinzhengjie.org.cn ~]# ll
total 0
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# kdb5_util dump ./slava_data
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 12
-rw------- 1 root root 5640 May  7 16:10 slava_data
-rw------- 1 root root    1 May  7 16:10 slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# ll
total 12
-rw------- 1 root root 5640 May  7 16:10 slava_data
-rw------- 1 root root    1 May  7 16:10 slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat slava_data.dump_ok
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat slava_data
kdb5_util load_dump version 7
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# cat slava_data


Reposted from: https://www.cnblogs.com/yinzhengjie/p/10765503.html
