1. 安装kerberos
server
yum install krb5-server krb5-libs krb5-auth-dialog
client
yum install krb5-workstation krb5-libs krb5-auth-dialog
2. hosts
10.112.29.9 kerberos.jenkin.com kerberos
10.112.29.10 kerberos2.jenkin.com kerberos2
10.112.29.10 kdc.jenkin.com kdc
3. 修改配置文件
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = JENKIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
JENKIN.COM = {
kdc = kerberos.jenkin.com
kdc = kerberos2.jenkin.com
admin_server = kerberos.jenkin.com
}
[domain_realm]
.jenkin.com = JENKIN.COM
jenkin.com = JENKIN.COM
/var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_listen = 88
[realms]
JENKIN.COM = {
master_key_type = aes256-cts
kadmind_port = 749
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal
#des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
#(以上为已弃用的弱加密类型,保持注释、不要启用)
}
4. 初始化数据库
kdb5_util create -r JENKIN.COM -s
等待一会,输入设定密码。
5. 添加principal
kadmin.local addprinc admin/admin@JENKIN.COM
输入设定密码。
ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
6. 修改acl
vim /var/kerberos/krb5kdc/kadm5.acl,内容为:
*/admin@JENKIN.COM *
7. 启动krb5kdc, kadmin
service krb5kdc start
service kadmin start
server搭建完成。
slave搭建:
添加principal:
kadmin.local
addprinc -randkey host/kerberos.jenkin.com
addprinc -randkey host/kerberos2.jenkin.com
ktadd -k /etc/krb5.keytab host/kerberos.jenkin.com
ktadd -k /etc/krb5.keytab host/kerberos2.jenkin.com
将master上的 kdc.conf, .k5.JENKIN.COM, kadm5.acl, /etc/krb5.conf, /etc/krb5.keytab 拷贝至slave的相应目录。
在slave上添加/var/kerberos/krb5kdc/kpropd.acl
host/kerberos.jenkin.com@JENKIN.COM
host/kerberos2.jenkin.com@JENKIN.COM
slave启动:kpropd -S
同步数据至slave db
在master上:
kdb5_util dump /var/kerberos/krb5kdc/slave_data
scp slave_data slave_data.dump_ok kerberos2.jenkin.com:/var/kerberos/krb5kdc/
scp /etc/krb5.keytab kerberos2.jenkin.com:/etc/
kprop -f /var/kerberos/krb5kdc/slave_data kerberos2.jenkin.com
成功时会提示:Database propagation to kerberos2.jenkin.com: SUCCEEDED
注意:各机器的 hostname 一定要唯一,出现问题时从日志中能看出来。
8. 搭建client
将 .k5.JENKIN.COM、kadm5.acl、kdc.conf、krb5.conf 拷贝至其他机器。如果机器只作为client,不作为从服务器,则只需要拷贝 krb5.conf 即可;从服务器才需要完整拷贝上面提到的 5 个文件。
scp .k5.JENKIN.COM kadm5.acl kdc.conf master2:/var/kerberos/krb5kdc/
scp /etc/krb5.conf master2:/etc/
9. 登陆kadmin
kadmin(按提示输入密码)
client 上的 kadmin 能正常连接,则表明搭建成功。
官网doc:http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/install_kdc.html
日常操作:
添加principal
kadmin.local
addprinc admin/admin
其他机器查看:
kinit admin/admin
删除、查看、修改:
kadmin:addprinc -randkey root/master1
kadmin:delprinc root/admin
kadmin:listprincs
kadmin:change_password -pw admin root/admin
kadmin:modify_principal