kerberos-ldap linux账户集中管理认证
#part1 install and config kerberos
yum -y install krb5-server
vi /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = cenvm01.example.com
admin_server = cenvm01.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[root@cenvm01 ~]# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# des-*, arcfour-hmac (RC4) and des3 are weak or deprecated enctypes; keep only the aes/camellia entries unless a legacy client still needs the others (every enctype listed here also ends up as a key in each host keytab below)
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
[root@cenvm01 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
[root@cenvm01 ~]# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@cenvm01 ~]#
systemctl enable kadmin
systemctl enable krb5kdc
systemctl start kadmin
systemctl start krb5kdc
systemctl status kadmin
systemctl status krb5kdc
firewall-cmd --get-services | grep kerberos --color
firewall-cmd --permanent --add-service kerberos
firewall-cmd --reload
#add client set
[root@cenvm01 ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -randkey host/cenvm02.example.com
WARNING: no policy specified for host/cenvm02.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/cenvm02.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/cenvm03.example.com
WARNING: no policy specified for host/cenvm03.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/cenvm03.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd -k /tmp/cenvm02.keytab host/cenvm02.example.com
Entry for principal host/cenvm02.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/cenvm02.keytab.
Entry for principal host/cenvm02.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/cenvm02.keytab.
Entry for principal host/cenvm02.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/cenvm02.keytab.
Entry for principal host/cenvm02.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/cenvm02.keytab.
Entry for principal host/cenvm02.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/cenvm02.keytab.
Entry for principal host/cenvm02.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/cenvm02.keytab.
Entry for principal host/cenvm02.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/cenvm02.keytab.
Entry for principal host/cenvm02.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/cenvm02.keytab.
kadmin.local: ktadd -k /tmp/cenvm03.keytab host/cenvm03.example.com
Entry for principal host/cenvm03.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/cenvm03.keytab.
Entry for principal host/cenvm03.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/cenvm03.keytab.
Entry for principal host/cenvm03.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/cenvm03.keytab.
Entry for principal host/cenvm03.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/cenvm03.keytab.
Entry for principal host/cenvm03.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/cenvm03.keytab.
Entry for principal host/cenvm03.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/cenvm03.keytab.
Entry for principal host/cenvm03.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/cenvm03.keytab.
Entry for principal host/cenvm03.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/cenvm03.keytab.
kadmin.local: listprincs
K/M@EXAMPLE.COM
host/cenvm02.example.com@EXAMPLE.COM
host/cenvm03.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/cenvm01@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kiprop/cenvm01@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: quit
[root@cenvm01 ~]#
scp /tmp/cenvm02.keytab cenvm02:/tmp/
scp /etc/krb5.conf cenvm02:/tmp/
scp /tmp/cenvm03.keytab cenvm03:/tmp/
scp /etc/krb5.conf cenvm03:/tmp/
# a keytab is a long-lived host credential: once it has been written to /etc/krb5.keytab (owner root, mode 0600) on the client, delete the /tmp copies on both the KDC and the client
#add cenvm02 client
cenvm02:
yum -y install pam_krb5 krb5-workstation
\cp /tmp/krb5.conf /etc/krb5.conf
[root@cenvm02 ~]# ktutil
ktutil: rkt /tmp/cenvm02.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/cenvm02.example.com@EXAMPLE.COM
2 2 host/cenvm02.example.com@EXAMPLE.COM
3 2 host/cenvm02.example.com@EXAMPLE.COM
4 2 host/cenvm02.example.com@EXAMPLE.COM
5 2 host/cenvm02.example.com@EXAMPLE.COM
6 2 host/cenvm02.example.com@EXAMPLE.COM
7 2 host/cenvm02.example.com@EXAMPLE.COM
8 2 host/cenvm02.example.com@EXAMPLE.COM
ktutil: quit
[root@cenvm02 ~]#
cenvm03:
yum -y install pam_krb5 krb5-workstation
\cp /tmp/krb5.conf /etc/krb5.conf
[root@cenvm03 ~]# ktutil
ktutil: rkt /tmp/cenvm03.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/cenvm03.example.com@EXAMPLE.COM
2 2 host/cenvm03.example.com@EXAMPLE.COM
3 2 host/cenvm03.example.com@EXAMPLE.COM
4 2 host/cenvm03.example.com@EXAMPLE.COM
5 2 host/cenvm03.example.com@EXAMPLE.COM
6 2 host/cenvm03.example.com@EXAMPLE.COM
7 2 host/cenvm03.example.com@EXAMPLE.COM
8 2 host/cenvm03.example.com@EXAMPLE.COM
ktutil: quit
[root@cenvm03 ~]#
###part2 install and config openldap
cenvm01
yum -y install openldap-servers openldap-clients migrationtools
[root@cenvm01 ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@cenvm01 ~]# chown -R ldap. /var/lib/ldap/
[root@cenvm01 ~]# id ldap
uid=55(ldap) gid=55(ldap) groups=55(ldap)
[root@cenvm01 ~]# slappasswd
New password:
Re-enter new password:
{SSHA}hV7t0ej8dgXNjJcF1nMT+aSGeRiwTx27
[root@cenvm01 ~]# cd /etc/openldap/slapd.d/cn\=config
[root@cenvm01 cn=config]# vi olcDatabase\=\{0\}config.ldif
# editing the slapd.d LDIF files by hand (here and for {2}hdb / {1}monitor below) bypasses the CRC32 check the file header warns about; the supported way is ldapmodify -Y EXTERNAL -H ldapi:/// with an LDIF carrying the same changes, as done for the schema files further down
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 709b5a17
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 181b5bb4-1dee-1038-9f9f-d702330f7fe2
creatorsName: cn=config
createTimestamp: 20180717091821Z
entryCSN: 20180717091821.466480Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180717091821Z
#add (in LDIF only a line beginning with '#' is a comment; a trailing '#add' on the attribute line would become part of the stored password value)
olcRootPW: {SSHA}hV7t0ej8dgXNjJcF1nMT+aSGeRiwTx27
[root@cenvm01 cn=config]# vi olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2dd10505
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
#add (in LDIF only a line beginning with '#' is a comment; a trailing '#add' on the attribute line would become part of the stored password value)
olcRootPW: {SSHA}hV7t0ej8dgXNjJcF1nMT+aSGeRiwTx27
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 181b6ece-1dee-1038-9fa1-d702330f7fe2
creatorsName: cn=config
createTimestamp: 20180717091821Z
entryCSN: 20180717091821.466969Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180717091821Z
#add
# NOTE: '{1}to * by self write' lets a user rewrite their own uidNumber/gidNumber/homeDirectory/loginShell, and nslcd on cenvm02/cenvm03 trusts those values for NSS; limit self write to non-identity attributes (or give self read only on '*') before relying on this directory for account data
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=example,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=example,dc=com" write by self write by * read
[root@cenvm01 cn=config]# vi olcDatabase\=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 52d29cfe
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" read by dn.base="cn=Manager,dc=example,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 181b6906-1dee-1038-9fa0-d702330f7fe2
creatorsName: cn=config
createTimestamp: 20180717091821Z
entryCSN: 20180717091821.466820Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20180717091821Z
[root@cenvm01 cn=config]# systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
[root@cenvm01 cn=config]# systemctl start slapd
[root@cenvm01 cn=config]# netstat -nltp
[root@cenvm01 cn=config]# firewall-cmd --get-services|grep ldap --color
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
[root@cenvm01 cn=config]# firewall-cmd --permanent --add-service=ldap
success
[root@cenvm01 cn=config]# firewall-cmd --reload
success
[root@cenvm01 cn=config]# ll /etc/openldap/schema/
total 312
-r--r--r--. 1 root root 2036 May 16 17:56 collective.ldif
-r--r--r--. 1 root root 6190 May 16 17:56 collective.schema
-r--r--r--. 1 root root 1845 May 16 17:56 corba.ldif
-r--r--r--. 1 root root 8063 May 16 17:56 corba.schema
-r--r--r--. 1 root root 20612 May 16 17:56 core.ldif
-r--r--r--. 1 root root 20499 May 16 17:56 core.schema
-r--r--r--. 1 root root 12006 May 16 17:56 cosine.ldif
-r--r--r--. 1 root root 73994 May 16 17:56 cosine.schema
-r--r--r--. 1 root root 4842 May 16 17:56 duaconf.ldif
-r--r--r--. 1 root root 10388 May 16 17:56 duaconf.schema
-r--r--r--. 1 root root 3330 May 16 17:56 dyngroup.ldif
-r--r--r--. 1 root root 3289 May 16 17:56 dyngroup.schema
-r--r--r--. 1 root root 3481 May 16 17:56 inetorgperson.ldif
-r--r--r--. 1 root root 6267 May 16 17:56 inetorgperson.schema
-r--r--r--. 1 root root 2979 May 16 17:56 java.ldif
-r--r--r--. 1 root root 13901 May 16 17:56 java.schema
-r--r--r--. 1 root root 2082 May 16 17:56 misc.ldif
-r--r--r--. 1 root root 2387 May 16 17:56 misc.schema
-r--r--r--. 1 root root 6809 May 16 17:56 nis.ldif
-r--r--r--. 1 root root 7640 May 16 17:56 nis.schema
-r--r--r--. 1 root root 3308 May 16 17:56 openldap.ldif
-r--r--r--. 1 root root 1514 May 16 17:56 openldap.schema
-r--r--r--. 1 root root 6904 May 16 17:56 pmi.ldif
-r--r--r--. 1 root root 20467 May 16 17:56 pmi.schema
-r--r--r--. 1 root root 4570 May 16 17:56 ppolicy.ldif
-r--r--r--. 1 root root 20489 May 16 17:56 ppolicy.schema
[root@cenvm01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
[root@cenvm01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@cenvm01 cn=config]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[root@cenvm01 cn=config]# cd
[root@cenvm01 ~]# vi base.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
[root@cenvm01 ~]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f base.ldif #密码不能用特殊字符
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Group,dc=example,dc=com"
[root@cenvm01 ~]# ldapsearch -x -D cn=Manager,dc=example,dc=com -W -b dc=example,dc=com
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example
# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
# Group, example.com
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
#add demouser
[root@cenvm01 ~]# useradd demouser1
[root@cenvm01 ~]# useradd demouser2
[root@cenvm01 ~]# id demouser1
uid=1000(demouser1) gid=1000(demouser1) groups=1000(demouser1)
[root@cenvm01 ~]# id demouser2
uid=1001(demouser2) gid=1001(demouser2) groups=1001(demouser2)
[root@cenvm01 ~]# cd /usr/share/migrationtools/
[root@cenvm01 migrationtools]# vi migrate_common.ph
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "panda.tv";
# Default base
$DEFAULT_BASE = "dc=example,dc=com";
# such as person.
$EXTENDED_SCHEMA = 1;
[root@cenvm01 migrationtools]# grep demo /etc/passwd >/tmp/users
[root@cenvm01 migrationtools]# grep demo /etc/group >/tmp/groups
[root@cenvm01 migrationtools]# ./migrate_passwd.pl /tmp/users /tmp/users.ldif
[root@cenvm01 migrationtools]# ./migrate_group.pl /tmp/groups /tmp/groups.ldif
[root@cenvm01 migrationtools]# cat /tmp/groups.ldif
dn: cn=demouser1,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: demouser1
userPassword: {crypt}x
gidNumber: 1000

dn: cn=demouser2,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: demouser2
userPassword: {crypt}x
gidNumber: 1001
[root@cenvm01 migrationtools]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /tmp/groups.ldif
Enter LDAP Password:
adding new entry "cn=demouser1,ou=Group,dc=example,dc=com"
adding new entry "cn=demouser2,ou=Group,dc=example,dc=com"
[root@cenvm01 migrationtools]# ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /tmp/users.ldif
Enter LDAP Password:
adding new entry "uid=demouser1,ou=People,dc=example,dc=com"
adding new entry "uid=demouser2,ou=People,dc=example,dc=com"
#cenvm02 cenvm03
# the authconfig screen below leaves "Use TLS" unchecked, so nslcd's anonymous lookups to ldap://cenvm01.example.com/ travel in cleartext; enable TLS (ldaps:// or STARTTLS) once the server has a certificate
yum -y install nss-pam-ldapd
[root@cenvm02 ~]# authconfig-tui
#add
use ldap
use kerberos
next
│ [ ] Use TLS
│ Server: ldap://cenvm01.example.com/│
│ Base DN: dc=example,dc=com
next
│
│ Realm: EXAMPLE.COM_____________________________ │
│ KDC: cenvm01.example.com_____________________ │
│ Admin Server: cenvm01.example.com_____________________ │
│ [*] Use DNS to resolve hosts to realms │
│ [ ] Use DNS to locate KDCs for realms
ok
[root@cenvm03 ~]# cat /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
[root@cenvm02 ~]# grep demo /etc/passwd
[root@cenvm02 ~]# getent passwd |grep demo
demouser1:x:1000:1000:demouser1:/home/demouser1:/bin/bash
demouser2:x:1001:1001:demouser2:/home/demouser2:/bin/bash
设置密码
[root@cenvm01 ~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc demouser1
WARNING: no policy specified for demouser1@EXAMPLE.COM; defaulting to no policy
Enter password for principal "demouser1@EXAMPLE.COM":
Re-enter password for principal "demouser1@EXAMPLE.COM":
Principal "demouser1@EXAMPLE.COM" created.
kadmin.local: addprinc demouser2
WARNING: no policy specified for demouser2@EXAMPLE.COM; defaulting to no policy
Enter password for principal "demouser2@EXAMPLE.COM":
Re-enter password for principal "demouser2@EXAMPLE.COM":
Principal "demouser2@EXAMPLE.COM" created.
kadmin.local: quit
#part 3 install nfs
cenvm01
yum -y install nfs-utils
vi /etc/exports
# '*' exports /home read-write to every host that can reach nfs; list the client hosts (cenvm02, cenvm03) instead, keep the default root_squash, and consider sec=krb5p since a Kerberos realm is already in place
/home *(rw,sync)
systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
showmount -e
#cenvm02 cenvm03
yum install nfs-utils autofs
vi /etc/auto.master
#add
/home /etc/auto.autofs --timeout=600
vi /etc/auto.autofs
#add
* cenvm01:/home/&
systemctl enable autofs
systemctl start autofs
systemctl restart autofs
vi /etc/ssh/ssh_config
GSSAPIAuthentication yes
# this forwards the user's TGT to every host ssh connects to; scope it to a Host stanza for the trusted hosts rather than enabling it globally
GSSAPIDelegateCredentials yes
vi /etc/ssh/sshd_config
GSSAPIAuthentication yes
systemctl reload sshd
ssh demouser1@cenvm02
ssh demouser2@cenvm02
ssh demouser1@cenvm03
ssh demouser2@cenvm03
id
pwd
mount |grep demo
klist