Kerberos Operations Guide

1. Common Kerberos commands

1.1. Log in to the KDC server and open the admin console

kadmin.local must be run as root on the KDC host itself: it opens the principal database directly, so no network authentication takes place (the "Authenticating as principal ... with password." banner is printed, but no password is requested). From any other host use the network client kadmin instead, which authenticates as an admin principal.

kadmin.local

 

1.2. List principals (listprincs is an alias of list_principals; it accepts a glob such as listprincs host/*)
listprincs

 

1.3. Change a principal's password (also the way to reset a forgotten one; the password values shown in the transcript are illustrative, kadmin does not echo them)

[root@dounine ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  change_password admin/admin@EXAMPLE.COM
Enter password for principal "admin/admin@EXAMPLE.COM": 123456
Re-enter password for principal "admin/admin@EXAMPLE.COM": 123456
Password for "admin/admin@EXAMPLE.COM" changed.

 

1.4. Create a principal (the WARNING below means no password policy applies to the new principal; see addpol / addprinc -policy in section 2)

[root@dounine ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  add_principal test1
WARNING: no policy specified for test1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "test1@EXAMPLE.COM": 123456
Re-enter password for principal "test1@EXAMPLE.COM": 123456
Principal "test1@EXAMPLE.COM" created.

 

1.5. Delete a principal (the final line refers to entries in the kadm5.acl file, which are not removed automatically)

[root@dounine ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  delete_principal test1
Are you sure you want to delete the principal "test1@EXAMPLE.COM"? (yes/no): yes
Principal "test1@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

 

1.6. Export only a principal's keytab, without changing its key (-norandkey)

-norandkey is accepted only by kadmin.local. Without it, xst/ktadd generates a fresh random key and increments the kvno, which invalidates the principal's existing password and every older keytab that holds the previous key. The keytab receives one entry per key the principal has; the DES, 3DES and RC4 entries below are there because the principal was created with those legacy encryption types, and a keytab like this is a convenient offline target, so treat the file as equivalent to the password.

[root@dounine ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  xst -k admin.keytab -norandkey admin/admin@EXAMPLE.COM
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des3-cbc-sha1 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type arcfour-hmac added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type camellia256-cts-cmac added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type camellia128-cts-cmac added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des-hmac-sha1 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des-cbc-md5 added to keytab WRFILE:admin.keytab.
kadmin.local:  exit

 

1.7. Verify that the keytab can log in (no error output means success; the path assumes the file exported in 1.6 was moved to /etc/security/keytabs/, and running klist afterwards shows the resulting TGT)
kinit -kt /etc/security/keytabs/admin.keytab admin/admin@EXAMPLE.COM

 

1.8. List the principals in a keytab file (-k selects keytab mode, -e shows the encryption type of each key, -t shows timestamps)

[root@dounine ~]# klist -ket hbase.headless.keytab

Keytab name: FILE:hbase.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 2018-07-30T10:19:16 hbase-flink@demo.com (des-cbc-md5) 
   7 2018-07-30T10:19:16 hbase-flink@demo.com (aes128-cts-hmac-sha1-96) 
   7 2018-07-30T10:19:16 hbase-flink@demo.com (aes256-cts-hmac-sha1-96) 
   7 2018-07-30T10:19:16 hbase-flink@demo.com (des3-cbc-sha1) 
   7 2018-07-30T10:19:16 hbase-flink@demo.com (arcfour-hmac)
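An added example, not part of the original post: a shell audit for the two things the listings in 1.6 and 1.8 expose. First, keys stored in legacy encryption types (single DES, 3DES and RC4, all deprecated in MIT Kerberos); second, a keytab whose kvno no longer matches the KDC, which is what remains after someone runs ktadd/xst again without -norandkey. It parses `klist -ket` output and `getprinc` output with awk. The embedded inputs are constructed: the listing is copied from section 1.8, and the getprinc reply is hand-written with the kvno already moved to 8, so that value and the principal's key set there are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): audit the output of `klist -ket`.
# Checks: (1) legacy enctypes present in the keytab; (2) keytab kvno vs KDC kvno.
# Real use:  klist -ket hbase.headless.keytab | weak_entries_in_listing
#            kadmin.local -q "getprinc hbase-flink@demo.com" | kdc_kvno

# Enctypes MIT Kerberos treats as deprecated/weak (single DES, 3DES, RC4)
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des-hmac-sha1 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp'

# Constructed sample: the listing from section 1.8
SAMPLE_LISTING='Keytab name: FILE:hbase.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 2018-07-30T10:19:16 hbase-flink@demo.com (des-cbc-md5)
   7 2018-07-30T10:19:16 hbase-flink@demo.com (aes128-cts-hmac-sha1-96)
   7 2018-07-30T10:19:16 hbase-flink@demo.com (aes256-cts-hmac-sha1-96)
   7 2018-07-30T10:19:16 hbase-flink@demo.com (des3-cbc-sha1)
   7 2018-07-30T10:19:16 hbase-flink@demo.com (arcfour-hmac)'

# Constructed sample: what `getprinc hbase-flink@demo.com` could print after a
# later ktadd rotated the key on the KDC (kvno 8 is an assumption)
SAMPLE_GETPRINC='Principal: hbase-flink@demo.com
Expiration date: [never]
Number of keys: 2
Key: vno 8, aes256-cts-hmac-sha1-96
Key: vno 8, aes128-cts-hmac-sha1-96'

# weak_entries_in_listing: reads a `klist -ket` listing on stdin and prints
# "PRINCIPAL ENCTYPE" for every key whose enctype is on the weak list.
weak_entries_in_listing() {
    awk -v weak="$WEAK_ENCTYPES" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) isweak[w[i]] = 1 }
        $1 ~ /^[0-9]+$/ {                          # data rows start with a numeric kvno
            etype = $NF; gsub(/[()]/, "", etype)   # "(des-cbc-md5)" -> "des-cbc-md5"
            if (etype in isweak) print $(NF - 1), etype
        }'
}

# listing_kvnos PRINCIPAL: reads a listing on stdin and prints each distinct
# kvno stored for PRINCIPAL, one per line.
listing_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $(NF - 1) == p { seen[$1] = 1 }
                   END { for (k in seen) print k }'
}

# kdc_kvno: reads `getprinc` output on stdin and prints the KDC's key version.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(/,/, "", $3); print $3; exit }'
}

# keytab_current LISTING GETPRINC PRINCIPAL -> 0 only if the keytab holds exactly
# one kvno for PRINCIPAL and it equals the KDC's current kvno.
keytab_current() {
    local kt kdc
    kt=$(printf '%s\n' "$1" | listing_kvnos "$3")
    kdc=$(printf '%s\n' "$2" | kdc_kvno)
    [ -n "$kt" ] && [ "$kt" = "$kdc" ]
}

# Demonstration on the constructed samples
echo "Weak keys in keytab:"
printf '%s\n' "$SAMPLE_LISTING" | weak_entries_in_listing
if keytab_current "$SAMPLE_LISTING" "$SAMPLE_GETPRINC" hbase-flink@demo.com; then
    echo "keytab kvno matches KDC"
else
    echo "STALE: keytab kvno $(printf '%s\n' "$SAMPLE_LISTING" | listing_kvnos hbase-flink@demo.com)" \
         "vs KDC kvno $(printf '%s\n' "$SAMPLE_GETPRINC" | kdc_kvno)"
fi
```

On the sample the audit reports three weak keys (des-cbc-md5, des3-cbc-sha1, arcfour-hmac) and a stale keytab (kvno 7 in the file, 8 on the KDC). A kvno mismatch is the usual reason a service suddenly fails with a "key version number" error after someone re-ran ktadd elsewhere.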

 

2. Summary of common Kerberos commands

# Enter kadmin (kadmin.local: on the KDC host, opens the database directly;
# kadmin: network client, authenticates as an admin principal)
kadmin.local / kadmin
 
# Create the KDC database (-s writes the stash file so krb5kdc can start
# unattended without the master password)
kdb5_util create -r JENKIN.COM -s
 
# Start the KDC service
service krb5kdc start
 
# Start the kadmin service
service kadmin start
 
# Change your own (current principal's) password
kpasswd
 
# Test a keytab / authenticate with a keytab file
kinit -kt /etc/security/keytabs/root.keytab root/cdh-master.hadoop.cn@HADOOP.CN
 
# List a keytab (-e encryption types, -k keytab mode, -t timestamps)
klist -e -k -t /etc/krb5.keytab
 
# Destroy the credential cache
kdestroy
 
 
# Inside kadmin
# Create a principal with a random key (for services that only ever authenticate by keytab)
addprinc -randkey root/master.hadoop.cn@HADOOP.CN
 
# Create a principal with a given password (-pw puts the password on the command line;
# omit it to be prompted)
addprinc -pw **** admin/admin@JENKIN.COM
 
# List principals
listprincs
 
# Change the password of admin/admin
cpw -pw xxxx admin/admin
 
# Add / delete a principal
addprinc/delprinc admin/admin
 
# Generate the key straight into a keytab (ktadd randomizes the key and increments
# the kvno; use xst -norandkey in kadmin.local to keep the existing key)
ktadd -k /etc/krb5.keytab host/master1@JENKIN.COM 
 
# Define a password policy named "user"
addpol -maxlife "90 days" -minlife "75 days" -minlength 8 -minclasses 3 -maxfailure 10 -history 10 user
 
# Add a principal bound to a password policy
addprinc -policy user hello/admin@HADOOP.COM
 
# Change a principal's password policy (the named policy must already exist)
modprinc -policy user1 hello/admin@HADOOP.COM
 
# Delete a password policy (-force skips the confirmation prompt; deletion fails
# while any principal still references the policy)
delpol [-force] user
 
# Modify a password policy
modpol -maxlife "90 days" -minlife "75 days" -minlength 8 -minclasses 3 -maxfailure 10 user
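An added example that strings the summary's commands into one provisioning routine; it is not a script from the original post. It assumes MIT Kerberos tools on PATH, root on the KDC host (kadmin.local needs the database files), the realm JENKIN.COM from the summary, and the host/master1@JENKIN.COM principal and /etc/krb5.keytab path taken from the ktadd line. The part that talks to the KDC only runs when RUN_KRB_PROVISION=1; the keytab permission check is pure shell and runs anywhere.

```shell
#!/bin/bash
# Added example (not from the original post): provision a keytab-based service
# principal, lock down the keytab, and prove it works before handing it out.
set -u

# keytab_mode FILE -> FILE's permission bits in octal (GNU stat, BSD stat fallback)
keytab_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# keytab_secure FILE -> 0 if FILE is a regular file readable by its owner only.
# A keytab holds the principal's long-term key, i.e. it is the password.
keytab_secure() {
    [ -f "$1" ] || return 1
    case "$(keytab_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# verify_keytab KEYTAB PRINCIPAL -> 0 if kinit succeeds. Uses a private credential
# cache so the check never overwrites the caller's own tickets.
verify_keytab() {
    local cc="FILE:/tmp/krb5cc_verify.$$"
    KRB5CCNAME=$cc kinit -kt "$1" "$2" || return 1
    KRB5CCNAME=$cc klist
    KRB5CCNAME=$cc kdestroy
}

# provision_service_principal PRINCIPAL KEYTAB
provision_service_principal() {
    local princ=$1 keytab=$2
    # Random key: a service principal never needs a human-known password.
    kadmin.local -q "addprinc -randkey $princ"
    # ktadd writes the key AND re-randomizes it (bumping kvno): run it once and
    # distribute the resulting file; running it again invalidates every older copy.
    kadmin.local -q "ktadd -k $keytab $princ"
    chmod 600 "$keytab"
    keytab_secure "$keytab" || {
        echo "refusing to continue: $keytab is group/world readable" >&2
        return 1
    }
    # Do not trust kadmin's exit status; prove the keytab by actually using it.
    verify_keytab "$keytab" "$princ"
}

# The KDC is touched only on explicit request, so this file can also be sourced
# for its helper functions on any machine.
if [ "${RUN_KRB_PROVISION:-0}" = 1 ]; then
    provision_service_principal host/master1@JENKIN.COM /etc/krb5.keytab
fi
```

Run it with RUN_KRB_PROVISION=1 on the KDC; a failing verify_keytab at the end usually means the keytab is already stale (see the kvno note on ktadd above) or the realm in /etc/krb5.conf does not match.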

 

3. Uninstall krb5-server

Remove the server and workstation packages first. Be careful with krb5-libs: on CentOS/RHEL much of the base system (openssh, libcurl and therefore yum itself) depends on it, so `yum remove krb5-libs` will offer to remove those packages as well; review yum's dependency list before confirming, or leave krb5-libs installed. The rm commands wipe the KDC database, stash file and configuration, so take a backup first if you may need the realm again.

sudo yum remove krb5-server
sudo yum remove krb5-libs
sudo yum remove krb5-workstation
rm -rf /var/kerberos/
rm /etc/krb5.conf
rm -rf /usr/lib64/krb5

 

posted @ 2024-03-18 14:49 April.Chen