Kerberos安装
Kerberos安装
0. 环境
1 台Centos7主机 部署 master KDC
2 台 Centos7主机 部署 Kerberos Client
1. Master主机安装Kerberos
yum install krb5-server krb5-libs krb5-workstation -y
1.1 配置kdc.conf
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]kdc_ports = 88kdc_tcp_ports = 88[realms]HADOOP.COM = {#master_key_type = aes256-ctsacl_file = /var/kerberos/krb5kdc/kadm5.acldict_file = /usr/share/dict/wordsadmin_keytab = /var/kerberos/krb5kdc/kadm5.keytabmax_renewable_life = 7dsupported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal}
说明:
HADOOP.COM:是设定的realms。名字随意。Kerberos可以支持多个realms,一般全用大写
master_key_type,supported_enctypes默认使用aes256-cts。由于,JAVA使用aes256-cts验证方式需要安装额外的jar包,这里暂不使用
acl_file:标注了admin的用户权限。文件格式是
Kerberos_principal permissions [target_principal] [restrictions]支持通配符等
admin_keytab:KDC进行校验的keytab
supported_enctypes:支持的校验方式。注意把aes256-cts去掉
1.2 配置krb5.conf
vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/[logging]default = FILE:/var/log/krb5libs.logkdc = FILE:/var/log/krb5kdc.logadmin_server = FILE:/var/log/kadmind.log[libdefaults]default_realm = HADOOP.COMdns_lookup_realm = falsedns_lookup_kdc = falseticket_lifetime = 24hrenew_lifetime = 7dforwardable = trueclockskew = 120udp_preference_limit = 1
[realms]HADOOP.COM = {kdc = node-1admin_server = node-1}[domain_realm].hadoop.com = HADOOP.COMhadoop.com = HADOOP.COM
说明:
[logging]:表示server端的日志的打印位置
udp_preference_limit = 1 禁止使用udp可以防止一个Hadoop中的错误
ticket_lifetime: 表明凭证生效的时限,一般为24小时。
renew_lifetime: 表明凭证最长可以被延期的时限,一般为一个礼拜。当凭证过期之后,对安全认证的服务的后续访问则会失败。
clockskew:时钟偏差是不完全符合主机系统时钟的票据时戳的容差,超过此容差将不接受此票据,单位是秒
1.3 初始化kerberos database
kdb5_util create -s -r HADOOP.COM
其中,[-s]表示生成stash file,并在其中存储master server key(krb5kdc);还可以用[-r]来指定一个realm name —— 当krb5.conf中定义了多个realm时才是必要的。
1.4 修改database administrator的ACL权限
vim /var/kerberos/krb5kdc/kadm5.acl
#修改如下
*/admin@HADOOP.COM *
kadm5.acl 文件更多内容可参考:kadm5.acl
想要管理 KDC 的资料库有两种方式, 一种直接在 KDC 本机上面直接执行,可以不需要密码就登入资料库管理;一种则是需要输入账号密码才能管理~这两种方式分别是:
kadmin.local:需要在 KDC server 上面操作,无需密码即可管理资料库
kadmin:可以在任何一台 KDC 领域的系统上面操作,但是需要输入管理员密码
1.5 启动kerberos daemons
systemctl start kadmin krb5kdc
systemctl enable kadmin krb5kdc
2. 在另外两台主机部署Kerberos Client
yum install krb5-workstation krb5-libs -y
#从master主机复制krb5.conf到这两台主机
scp /etc/krb5.conf node-2:/etc/krb5.conf
scp /etc/krb5.conf node-3:/etc/krb5.conf
3. kerberos的日常操作
先配置下root/admin密码
[root@node-1 ~]# kadmin.local
Authenticating as principal root/admin@HADOOP.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@HADOOP.COM; defaulting to no policy
Enter password for principal "root/admin@HADOOP.COM":
Re-enter password for principal "root/admin@HADOOP.COM":
Principal "root/admin@HADOOP.COM" created.
kadmin.local: listprincs
K/M@HADOOP.COM
kadmin/admin@HADOOP.COM
kadmin/changepw@HADOOP.COM
kadmin/instance-ay8h77o0-1@HADOOP.COM
kiprop/instance-ay8h77o0-1@HADOOP.COM
krbtgt/HADOOP.COM@HADOOP.COM
root/admin@HADOOP.COM
kadmin.local: exit新加用户hd1:[root@node-3 ~]# kadmin
Authenticating as principal root/admin@HADOOP.COM with password.
Password for root/admin@HADOOP.COM:
kadmin: addprinc hd1
WARNING: no policy specified for hd1@HADOOP.COM; defaulting to no policy
Enter password for principal "hd1@HADOOP.COM":
Re-enter password for principal "hd1@HADOOP.COM":
Principal "hd1@HADOOP.COM" created.
kadmin: exit注:输入?,可以查看所有命令的用法kadmin.local: ?
Available kadmin.local requests:add_principal, addprinc, ankAdd principal
delete_principal, delprincDelete principal
modify_principal, modprincModify principal
rename_principal, renprincRename principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincsList principals
add_policy, addpol Add policy
modify_policy, modpol Modify policy
用hd1登录:[root@node-3 ~]# kinit hd1
Password for hd1@HADOOP.COM:
[root@node-3 ~]# klist
# 查看已授权列表
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd1@HADOOP.COMValid starting Expires Service principal
07/12/2018 17:27:32 07/13/2018 17:27:32 krbtgt/HADOOP.COM@HADOOP.COMrenew until 07/19/2018 17:27:32
删除当前的认证的缓存
[root@node-3 ~]# kdestroy
强制更新ticketkinit -R
使用keytab
生成keytabkadmin.local -q "xst -k keytab/hd1.keytab hd1@HADOOP.COM"
or
kadmin -q "xst -k keytab/hd1.keytab hd1@HADOOP.COM"
注意:生成keytab后,密码被修改了,无法再用之前输入密码登录了
如果想要密码不变,需要按照以下方式做,必须是kadmin.local[root@node-1 ~]# kadmin.local -q "xst -k keytab/hd6.keytab -norandkey hd6@HADOOP.COM"
否则[root@node-3 ~]# kadmin -q "xst -k keytab/hd6.keytab -norandkey hd6@HADOOP.COM"
Authenticating as principal root/admin@HADOOP.COM with password.
Password for root/admin@HADOOP.COM:
kadmin: Operation requires ``extract-keys'' privilege while changing hd6@HADOOP.COM's key[root@node-3 ~]# kinit hd1
Password for hd1@HADOOP.COM:
kinit: Password incorrect while getting initial credentials
登录[root@node-3 ~]# kinit -kt keytab/hd3.keytab hd3
[root@node-3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd3@HADOOP.COMValid starting Expires Service principal
07/12/2018 18:24:43 07/13/2018 18:24:43 krbtgt/HADOOP.COM@HADOOP.COMrenew until 07/19/2018 18:24:43
合并keytab文件[root@node-3 ~]# ktutil
ktutil: ?
Available ktutil requests:clear_list, clear Clear the current keylist.
read_kt, rkt Read a krb5 keytab into the current keylist.
read_st, rst Read a krb4 srvtab into the current keylist.
write_kt, wkt Write the current keylist to a krb5 keytab.
write_st, wst Write the current keylist to a krb4 srvtab.
add_entry, addent Add an entry to the current keylist.
delete_entry, delent Delete an entry from the current keylist.
list, l List the current keylist.
list_requests, lr, ? List available requests.
quit, exit, q Exit program.
ktutil: rkt keytab/hd2.keytab
ktutil: rkt keytab/hd3.keytab
ktutil: wkt keytab/hd23.keytab
ktutil: exit#使用合并后的keytab登录
[root@node-3 ~]# kinit -kt keytab/hd23.keytab hd3
[root@node-3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd3@HADOOP.COMValid starting Expires Service principal
07/12/2018 18:30:27 07/13/2018 18:30:27 krbtgt/HADOOP.COM@HADOOP.COMrenew until 07/19/2018 18:30:27
```clike
可以查看keytab文件内容[root@node-3 ~]# klist -ket keytab/hd23.keytab
Keytab name: FILE:keytab/hd23.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------2 07/12/2018 18:28:33 hd2@HADOOP.COM (aes128-cts-hmac-sha1-96) 2 07/12/2018 18:28:33 hd2@HADOOP.COM (des3-cbc-sha1) 2 07/12/2018 18:28:33 hd2@HADOOP.COM (arcfour-hmac) 2 07/12/2018 18:28:33 hd2@HADOOP.COM (camellia256-cts-cmac) 2 07/12/2018 18:28:33 hd2@HADOOP.COM (camellia128-cts-cmac) 2 07/12/2018 18:28:33 hd2@HADOOP.COM (des-hmac-sha1) 2 07/12/2018 18:28:33 hd2@HADOOP.COM (des-cbc-md5) 2 07/12/2018 18:28:33 hd3@HADOOP.COM (aes128-cts-hmac-sha1-96) 2 07/12/2018 18:28:33 hd3@HADOOP.COM (des3-cbc-sha1) 2 07/12/2018 18:28:33 hd3@HADOOP.COM (arcfour-hmac) 2 07/12/2018 18:28:33 hd3@HADOOP.COM (camellia256-cts-cmac) 2 07/12/2018 18:28:33 hd3@HADOOP.COM (camellia128-cts-cmac) 2 07/12/2018 18:28:33 hd3@HADOOP.COM (des-hmac-sha1) 2 07/12/2018 18:28:33 hd3@HADOOP.COM (des-cbc-md5)
Kerberos安装相关推荐
- kerberos安装配置、配置kerberos server、client、日常操作与常见问题、卸载kerberos、hive整合kerberos
3.3.安装配置 安装kerberos前,要确保主机名可以被解析. 主机名 内网IP 角色 bigdata1 192.168.106.134 master KDC ,kerberos client b ...
- kerberos安装配置与使用
文章目录 1.Kerberos协议: 2.安装 2.1 安装kerberos前,要确保主机名可以被解析. 2.2 确保环境可用 2.3 KDC的主机 2.3.2 配置`kdc.conf` 2.3.3 ...
- Kerberos安装及拖管Ambari 2.7
安装Kerberos 在centos7下安装kerberos yum安装kerberos yum install krb5-libs krb5-server krb5-workstation 配置ho ...
- Kerberos安装及使用3(Kerberos基本管理实践)
目录 1 案例目标 2 环境要求 3 案例流程 4 案例实践 5 案例解析 6 案例总结 1 案例目标 掌握Kerberos管理员的基本操作命令 2 环境要求 已安装了KDC服务端 拥有管理员主体 3 ...
- Kerberos安装以及使用ambari开启HDP集群Kerberos认证
文章目录 环境准备 安装KDC MASTER 安装KDC SLAVER 安装客户端: 使用ambari 环境准备 安装jdk 下载Cryptography Extension (JCE) Unlimi ...
- 安装kerberos报错 error: command 'gcc' failed with exit status 1
pip install kerberos 报错:error: command 'gcc' failed with exit status 1 安装环境工具 yum install gcc libffi ...
- Storm集群安装Version1.0.1开启Kerberos
Storm集群安装,基于版本1.0.1, 同时开启Kerberos安全认证, 使用apache-storm-1.0.1.tar.gz安装包. 1.安装规划 角色规划 IP/机器名 安装软件 运行进程 ...
- kerberos mysql配置_CDH安装之篇四:启用Kerberos认证
启用Kerberos认证 • 安装Kerberos • 安装配置master KDC/Kerberos Server 注:Kerberos Server可以是任意一 ...
- kerberos-05.windows安装mit kerberos并认证
1.官网下载安装kerberos 2. 拿到服务器krb5.conf配置文件,在windows下要改名为krb5.ini,并且删除部分有Linux路径的配置,如红框内的需要删除 3. 配置环境变量 根 ...
最新文章
- Odoo之Field
- 怎么用python自动注册_python selenium自动化(二)自动化注册流程
- 飞天技术汇“2018云栖大会·上海峰会”专场,等你加入
- c++语言标准 pdf,C++14标准.pdf
- 封装cookie设置和获取的简易方法
- Junit3.8源码--核心类
- java mail报权限问题
- OpenCV 文字绘制——cv::putText详解
- pic16f616单片机C语言编程,PIC16F616型单片机介绍
- 不用在PLC内编程,快速实现西门子与欧姆龙、三菱等品牌的PLC之间实时通讯
- [oracle]Oracle 11g DG搭建(备库使用ASM)
- 本地搭建电影网站:安装部署MacCMS10 2/3
- 我的世界神奇宝贝服务器怎么修改6v,我的世界神奇宝贝mod修改精灵6V满努力等级图文教程...
- win用html设置桌面,教你设置Win10系统炫酷桌面的三个技巧
- 阿里西西网页特效代码演示中心-QQ在线客服代码演示
- 二十年后的家乡(小学习作)
- 汽车修理厂计算机管理,最新汽车维修厂管理系统
- 好书分享--习惯的力量
- zcmu1064: 计算旅途时间
- Win32如何定义IP数据报的首部