zoukankan      html  css  js  c++  java
  • centos下 kerberos安装手册

    (一)yum方式安装

    安装krb的server
    步骤一:
    yum install krb5-server 

    安装krb 的客户端
    yum install krb5-workstation krb5-libs krb5-auth-dialog

    (二)修改配置

    修改三个配置文件
    #第一个文件,修改[realms]里的kdc和admin_server所在主机,EXAMPLE.COM这个域名也应修改

    vi /etc/krb5.conf

    [libdefaults]
    renew_lifetime = 7d
    forwardable = true
    default_realm = STARYEA.COM
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
    #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

    [logging]
    default = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    kdc = FILE:/var/log/krb5kdc.log

    [realms]
    STARYEA.COM = {
    admin_server = nn2:88
    kdc = nn2:88
    }

    [domain_realm]
    .staryea.com = STARYEA.COM
    staryea.com = STARYEA.COM

    vi /var/kerberos/krb5kdc/kdc.conf
    [kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

    [realms]
    STARYEA.COM = {
    #master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }

    编辑 Kerberos 访问控制列表文件 (kadm5.acl) 文件应包含允许管理 KDC 的所有主体名称。
    [root@nn2 Packages]# cat /var/kerberos/krb5kdc/kadm5.acl
    */admin@STARYEA.COM *

    (三)使用命令 创建 kerberos的database 

    kdb5_util create -s -r STARYEA.COM

    重启服务

    service krb5kdc restart

    service kadmin start

    (三) 创建 kerberos的管理员

    #kadmin.local
    kadmin.local: addprinc admin/admin@STARYEA.COM
    WARNING: no policy specified for admin/admin@STARYEA.COM; defaulting to no policy
    Enter password for principal "admin/admin@STARYEA.COM": admin123
    Re-enter password for principal "admin/admin@STARYEA.COM": admin123
    Principal "admin/admin@STARYEA.COM" created.

    (四) 创建 kerberos的用户

     #kadmin.local 

    addprinc -randkey it1/主机的全域名@STARYEA.COM

    导出keytab

    xst -k /home/it1/it1.app.keytab it1/主机的全域名@STARYEA.COM

    一般使用400 权限给用户

    chown it1.it1  /home/it1/it1.app.keytab

    chmod 400  /home/it1/it1.app.keytab

    (五)使用

    su - it1

    kinit -kt /home/it1/it1.app.keytab it1/主机的全域名@STARYEA.COM

  • 相关阅读:
    python 3.x报错:No module named 'cookielib'或No module named 'urllib2'
    Xshell实现Windows和使用跳板机跳转的远程Linux互传文件
    Linux scp常用命令
    正则表达式
    [NBUT 1458 Teemo]区间第k大问题,划分树
    [hdu5416 CRB and Tree]树上路径异或和,dfs
    [vijos P1008 篝火晚会]置换
    [hdu5411 CRB and Puzzle]DP,矩阵快速幂
    [hdu4713 Permutation]DP
    [hdu4710 Balls Rearrangement]分段统计
  • 原文地址:https://www.cnblogs.com/staryea/p/8513937.html
Copyright © 2011-2022 走看看