kerberos部署配置

环境

  • OS: Rocky Linux 9.4
  • Hostname: ozone.example.com

部署

# KDC host: krb5-server provides the krb5kdc/kadmin services, krb5-workstation the client tools.
dnf install krb5-server krb5-workstation -y

配置

  1. /etc/krb5.conf
includedir /etc/krb5.conf.d/

# Log destinations for the Kerberos libraries, the KDC and kadmind.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

# Defaults shared by every Kerberos component on this host.
[libdefaults]
# DNS lookups are disabled: realm and KDC locations come only from the
# [realms] / [domain_realm] sections below, so SRV/TXT records in DNS
# cannot point clients at a different KDC.
dns_lookup_realm = false
dns_lookup_kdc = false
# Do not rewrite hostnames via forward or reverse DNS when building a
# service principal name; the name the caller supplied is used as is.
dns_canonicalize_hostname = false
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
# Tickets are forwardable by default. A service that receives a forwarded
# TGT can act as that user, so review which services are trusted with it.
forwardable = true
# CA bundle trusted as PKINIT (certificate-based pre-authentication) anchors.
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
# Empty: single-component hostnames are not qualified with a domain suffix.
qualify_shortname = ""
default_realm = EXAMPLE.COM
# Left commented out: the library default credential cache is used rather
# than the per-user kernel keyring.
# default_ccache_name = KEYRING:persistent:%{uid}

# KDC and admin server for each realm; both run on the same host here.
[realms]
EXAMPLE.COM = {
  kdc = ozone.example.com
    admin_server = ozone.example.com
}

# Maps DNS domains / hostnames to a realm.
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
  2. /var/kerberos/krb5kdc/kdc.conf
# The KDC is the core of the Kerberos realm: it stores every principal's
# account data, authenticates principals and issues tickets between them.

[kdcdefaults]
# Listen on the standard Kerberos port over both UDP and TCP.
kdc_ports = 88
kdc_tcp_ports = 88
spake_preauth_kdc_challenge = edwards25519

# Settings for the realm served by this KDC.
[realms]
EXAMPLE.COM = {
  master_key_type = aes256-cts-hmac-sha384-192
    # Principals allowed to administer the database through kadmind.
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    # Dictionary of strings rejected by kadmind's password-quality check.
    dict_file = /usr/share/dict/words
    # New principals require pre-authentication, so the KDC does not return
    # material encrypted in a user's key to an unauthenticated AS request.
    default_principal_flags = +preauth
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    # Key types generated for new principals and keytabs. The list ends with
    # arcfour-hmac-md5 (RC4), a deprecated type; the ktadd output on this page
    # shows an arcfour-hmac entry written into every keytab. Prefer the FIPS
    # list below unless a legacy client still needs RC4.
    supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
    # Supported encryption types for FIPS mode:
    #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
}
  3. /var/kerberos/krb5kdc/kadm5.acl
# Principals allowed to administer the KDC database through kadmind.
# Any principal in EXAMPLE.COM whose instance is "admin" receives "*"
# (all privileges), i.e. is a full realm administrator — create such
# principals sparingly and keep their passwords/keytabs protected.
*/admin@EXAMPLE.COM *

初始化

# 创建kdc数据库(-s 同时生成 stash 文件,保存主密钥以便 kdc 服务启动时无需交互输入)
[root@ozone ~]# kdb5_util create -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

# 数据存储在/var/kerberos/krb5kdc/principal文件中
[root@ozone ~]# cd /var/kerberos/krb5kdc/
[root@ozone krb5kdc]# ls
kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok
[root@ozone krb5kdc]#

添加管理账户

[root@ozone krb5kdc]# kadmin.local addprinc root/admin@EXAMPLE.COM
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
[root@ozone krb5kdc]#

启动服务

# 启动kdc服务
# Start the KDC (authentication / ticket-granting service).
systemctl start krb5kdc
# Start kadmind (remote administration via the kadmin protocol).
systemctl start kadmin
# Enable both services at boot.
systemctl enable krb5kdc
systemctl enable kadmin

添加主体

[root@ozone ~]# kadmin.local -q "addprinc -randkey scm/scm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for scm/scm@EXAMPLE.COM; defaulting to no policy
Principal "scm/scm@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey om/om@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for om/om@EXAMPLE.COM; defaulting to no policy
Principal "om/om@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey dn/dn@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for dn/dn@EXAMPLE.COM; defaulting to no policy
Principal "dn/dn@EXAMPLE.COM" created.
[root@ozone ~]# kadmin.local -q "addprinc -randkey s3g/s3g@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
No policy specified for s3g/s3g@EXAMPLE.COM; defaulting to no policy
Principal "s3g/s3g@EXAMPLE.COM" created.
[root@ozone ~]#

生成keytab

[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/om.service.keytab om/om@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
Entry for principal om/om@EXAMPLE.COM with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/om.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/scm.service.keytab scm/scm@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
Entry for principal scm/scm@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/scm.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/dn.service.keytab dn/dn@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
Entry for principal dn/dn@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/dn.service.keytab.
[root@ozone ~]# kadmin.local -q "ktadd -k /etc/security/keytabs/s3g.service.keytab s3g/s3g@EXAMPLE.COM"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
Entry for principal s3g/s3g@EXAMPLE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytabs/s3g.service.keytab.
[root@ozone ~]#

客户端

  1. 安装客户端软件
# Client hosts need only the workstation tools; the KDC packages are not installed here.
dnf install krb5-workstation
  2. 拷贝配置/etc/krb5.conf

kadmin和kadmin.local的区别

  • kadmin 是通过访问 kadmin server 进程,来实现对 KDC 中的 principal 进行管理;
  • kadmin.local是在kdc所在的服务器上,直接访问kdc的数据库,它不依赖kadmin server,只要kdc数据库创建后,即可进行操作。