Bo's Oracle Station

查看: 1529|回复: 0

课程第33次

[复制链接]

1005

主题

1469

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
12012
发表于 2019-6-30 09:06:46 | 显示全部楼层 |阅读模式
首先请把Instructor虚拟机初始化一下:
/root/bin/gls-setup-tls-ca --reverse  
/root/bin/gls-setup-tls-ca
/root/bin/gls-setup-ldap --reverse  
/root/bin/gls-setup-ldap
/root/bin/gls-setup-krb5 --reverse  
/root/bin/gls-setup-krb5
用Instructor虚拟机直接实现kerberos化的NFS(不用IPAserver,见课程第20次):
在Instructor(三台时间要同步ntpdate -b):


  1. [root@instructor bin]# kadmin.local
  2. Authenticating as principal root/admin@EXAMPLE.COM with password.
  3. kadmin.local:  ?
  4. Available kadmin.local requests:

  5. add_principal, addprinc, ank
  6.                          Add principal
  7. delete_principal, delprinc
  8.                          Delete principal
  9. modify_principal, modprinc
  10.                          Modify principal
  11. change_password, cpw     Change password
  12. get_principal, getprinc  Get principal
  13. list_principals, listprincs, get_principals, getprincs
  14.                          List principals
  15. add_policy, addpol       Add policy
  16. modify_policy, modpol    Modify policy
  17. delete_policy, delpol    Delete policy
  18. get_policy, getpol       Get policy
  19. list_policies, listpols, get_policies, getpols
  20.                          List policies
  21. get_privs, getprivs      Get privileges
  22. ktadd, xst               Add entry(s) to a keytab
  23. ktremove, ktrem          Remove entry(s) from a keytab
  24. lock                     Lock database exclusively (use with extreme caution!)
  25. unlock                   Release exclusive database lock
  26. kadmin.local:  list_principals
  27. K/M@EXAMPLE.COM
  28. kadmin/admin@EXAMPLE.COM
  29. kadmin/changepw@EXAMPLE.COM
  30. kadmin/instructor.example.com@EXAMPLE.COM
  31. krbtgt/EXAMPLE.COM@EXAMPLE.COM
  32. ldapuser10@EXAMPLE.COM
  33. ldapuser11@EXAMPLE.COM
  34. ldapuser12@EXAMPLE.COM
  35. ldapuser13@EXAMPLE.COM
  36. ldapuser14@EXAMPLE.COM
  37. ldapuser15@EXAMPLE.COM
  38. ldapuser16@EXAMPLE.COM
  39. ldapuser17@EXAMPLE.COM
  40. ldapuser18@EXAMPLE.COM
  41. ldapuser19@EXAMPLE.COM
  42. ldapuser1@EXAMPLE.COM
  43. ldapuser20@EXAMPLE.COM
  44. ldapuser2@EXAMPLE.COM
  45. ldapuser3@EXAMPLE.COM
  46. ldapuser4@EXAMPLE.COM
  47. ldapuser5@EXAMPLE.COM
  48. ldapuser6@EXAMPLE.COM
  49. ldapuser7@EXAMPLE.COM
  50. ldapuser8@EXAMPLE.COM
  51. ldapuser9@EXAMPLE.COM
  52. kadmin.local:
复制代码
添加主机和NFS主机principals:
  1. kadmin.local:  addprinc  root/admin
  2. WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
  3. Enter password for principal "root/admin@EXAMPLE.COM":
  4. Re-enter password for principal "root/admin@EXAMPLE.COM":
  5. Principal "root/admin@EXAMPLE.COM" created.
  6. kadmin.local:  addprinc -randkey host/instructor.example.com
  7. WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaulting to no policy
  8. Principal "host/instructor.example.com@EXAMPLE.COM" created.
  9. kadmin.local:  addprinc -randkey host/desktop3.example.com
  10. WARNING: no policy specified for host/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
  11. Principal "host/desktop3.example.com@EXAMPLE.COM" created.
  12. kadmin.local:  addprinc -randkey host/server3.example.com
  13. WARNING: no policy specified for host/server3.example.com@EXAMPLE.COM; defaulting to no policy
  14. Principal "host/server3.example.com@EXAMPLE.COM" created.
  15. kadmin.local:  addprinc -randkey nfs/desktop3.example.com
  16. WARNING: no policy specified for nfs/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
  17. Principal "nfs/desktop3.example.com@EXAMPLE.COM" created.
  18. kadmin.local:  addprinc -randkey nfs/server3.example.com
  19. WARNING: no policy specified for nfs/server3.example.com@EXAMPLE.COM; defaulting to no policy
  20. Principal "nfs/server3.example.com@EXAMPLE.COM" created.
  21. kadmin.local:  list_principals
  22. K/M@EXAMPLE.COM
  23. host/desktop3.example.com@EXAMPLE.COM
  24. host/instructor.example.com@EXAMPLE.COM
  25. host/server3.example.com@EXAMPLE.COM
  26. kadmin/admin@EXAMPLE.COM
  27. kadmin/changepw@EXAMPLE.COM
  28. kadmin/instructor.example.com@EXAMPLE.COM
  29. krbtgt/EXAMPLE.COM@EXAMPLE.COM
  30. ldapuser10@EXAMPLE.COM
  31. ldapuser11@EXAMPLE.COM
  32. ldapuser12@EXAMPLE.COM
  33. ldapuser13@EXAMPLE.COM
  34. ldapuser14@EXAMPLE.COM
  35. ldapuser15@EXAMPLE.COM
  36. ldapuser16@EXAMPLE.COM
  37. ldapuser17@EXAMPLE.COM
  38. ldapuser18@EXAMPLE.COM
  39. ldapuser19@EXAMPLE.COM
  40. ldapuser1@EXAMPLE.COM
  41. ldapuser20@EXAMPLE.COM
  42. ldapuser2@EXAMPLE.COM
  43. ldapuser3@EXAMPLE.COM
  44. ldapuser4@EXAMPLE.COM
  45. ldapuser5@EXAMPLE.COM
  46. ldapuser6@EXAMPLE.COM
  47. ldapuser7@EXAMPLE.COM
  48. ldapuser8@EXAMPLE.COM
  49. ldapuser9@EXAMPLE.COM
  50. nfs/desktop3.example.com@EXAMPLE.COM
  51. nfs/server3.example.com@EXAMPLE.COM
  52. root/admin@EXAMPLE.COM
  53. kadmin.local:
复制代码
删除旧的krb5.keytab:
  1. [root@instructor bin]# cd /etc/
  2. [root@instructor etc]# ls -l krb5.*
  3. -rw-r--r--. 1 root root 449 Feb 18  2010 krb5.conf
  4. -rw-r--r--. 1 root root 453 Oct  2  2010 krb5.conf-gls
  5. -rw-------. 1 root root 131 May 26 08:34 krb5.keytab
  6. [root@instructor etc]# rm -rf krb5.keytab
  7. [root@instructor etc]#
复制代码
分别生成客户端的keytab和服务器端的keytab:


  1. [root@instructor etc]# kadmin.local
  2. Authenticating as principal root/admin@EXAMPLE.COM with password.
  3. kadmin.local:  ktadd host/desktop4.example.com
  4. kadmin.local: Principal host/desktop4.example.com does not exist.
  5. kadmin.local:  list_principals
  6. K/M@EXAMPLE.COM
  7. host/desktop3.example.com@EXAMPLE.COM
  8. host/instructor.example.com@EXAMPLE.COM
  9. host/server3.example.com@EXAMPLE.COM
  10. kadmin/admin@EXAMPLE.COM
  11. kadmin/changepw@EXAMPLE.COM
  12. kadmin/instructor.example.com@EXAMPLE.COM
  13. krbtgt/EXAMPLE.COM@EXAMPLE.COM
  14. ldapuser10@EXAMPLE.COM
  15. ldapuser11@EXAMPLE.COM
  16. ldapuser12@EXAMPLE.COM
  17. ldapuser13@EXAMPLE.COM
  18. ldapuser14@EXAMPLE.COM
  19. ldapuser15@EXAMPLE.COM
  20. ldapuser16@EXAMPLE.COM
  21. ldapuser17@EXAMPLE.COM
  22. ldapuser18@EXAMPLE.COM
  23. ldapuser19@EXAMPLE.COM
  24. ldapuser1@EXAMPLE.COM
  25. ldapuser20@EXAMPLE.COM
  26. ldapuser2@EXAMPLE.COM
  27. ldapuser3@EXAMPLE.COM
  28. ldapuser4@EXAMPLE.COM
  29. ldapuser5@EXAMPLE.COM
  30. ldapuser6@EXAMPLE.COM
  31. ldapuser7@EXAMPLE.COM
  32. ldapuser8@EXAMPLE.COM
  33. ldapuser9@EXAMPLE.COM
  34. nfs/desktop3.example.com@EXAMPLE.COM
  35. nfs/server3.example.com@EXAMPLE.COM
  36. root/admin@EXAMPLE.COM
  37. kadmin.local:  ktadd host/desktop3.example.com
  38. Entry for principal host/desktop3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  39. Entry for principal host/desktop3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  40. Entry for principal host/desktop3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  41. Entry for principal host/desktop3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
  42. Entry for principal host/desktop3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  43. Entry for principal host/desktop3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
  44. kadmin.local:  quit
  45. [root@instructor etc]# ls
复制代码

  1. [root@instructor etc]# stat krb5.keytab
  2.   File: `krb5.keytab'
  3.   Size: 466             Blocks: 8          IO Block: 4096   regular file
  4. Device: fd01h/64769d    Inode: 949         Links: 1
  5. Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
  6. Access: 2019-06-29 15:50:09.895532024 +0800
  7. Modify: 2019-06-29 15:50:09.895532024 +0800
  8. Change: 2019-06-29 15:50:09.895532024 +0800
  9. [root@instructor etc]# date
  10. Sat Jun 29 15:50:32 CST 2019
  11. [root@instructor etc]# cp krb5.keytab  krb5.keytab.client
复制代码
  1. [root@instructor etc]# kadmin.local
  2. Authenticating as principal root/admin@EXAMPLE.COM with password.
  3. kadmin.local:  ktadd host/server3.example.com
  4. Entry for principal host/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  5. Entry for principal host/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  6. Entry for principal host/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  7. Entry for principal host/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
  8. Entry for principal host/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  9. Entry for principal host/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
  10. kadmin.local:  ktadd nfs/server3.example.com
  11. Entry for principal nfs/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  12. Entry for principal nfs/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
  13. Entry for principal nfs/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  14. Entry for principal nfs/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
  15. Entry for principal nfs/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
  16. Entry for principal nfs/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
  17. kadmin.local:  quit
  18. [root@instructor etc]# stat krb5.keytab
  19.   File: `krb5.keytab'
  20.   Size: 1376            Blocks: 8          IO Block: 4096   regular file
  21. Device: fd01h/64769d    Inode: 949         Links: 1
  22. Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
  23. Access: 2019-06-29 15:53:04.105522237 +0800
  24. Modify: 2019-06-29 15:53:04.105522237 +0800
  25. Change: 2019-06-29 15:53:04.105522237 +0800
  26. [root@instructor etc]# date
  27. Sat Jun 29 15:53:22 CST 2019
  28. [root@instructor etc]# cp krb5.keytab krb5.keytab.server
  29. [root@instructor etc]#
复制代码
在Instructor虚拟机上,要打开service krb5kdc start






回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|手机版|Bo's Oracle Station   

GMT+8, 2024-11-23 15:57 , Processed in 0.041126 second(s), 24 queries .

快速回复 返回顶部 返回列表