***RHEL7***
1. Initialising INSTRUCTOR (the legacy, script-driven tooling)
1.1 Time server
```
[root@instructor etc]# service ntpd restart
Shutting down ntpd:                                        [  OK  ]
Starting ntpd:                                             [  OK  ]
[root@instructor etc]# ntpq
ntpq> peer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l    5   64    1    0.000    0.000   0.000
ntpq> peer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   14   64    3    0.000    0.000   0.000
ntpq> peer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   50   64    3    0.000    0.000   0.000
ntpq> peer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   59   64   17    0.000    0.000   0.000
ntpq>
```

The only peer is the undisciplined local clock (refid .LOCL., stratum 10): instructor is a free-running time island and does not follow any upstream server. reach is an octal shift register of the last eight polls, so 17 means the last four polls succeeded; the `*` that appears at that point means ntpd has now selected LOCAL(0) as its sync source and will serve time to the classroom. Every DESKTOP/SERVER therefore has to step to instructor's clock, whatever that clock says.
Mandatory step right after booting DESKTOP/SERVER in the exam:

```
[root@desktop3 ~]# ntpdate -b 192.168.0.254
21 Feb 20:40:10 ntpdate[66154]: step time server 192.168.0.254 offset -28788.322828 sec
```

Kerberos rejects any request whose timestamp is more than clockskew (300 s by default) away from the KDC's clock. The offset here was just under eight hours, so without this step every kinit, keytab test and sec=krb5 mount later on this page fails with "Clock skew too great".
2. CA (TLS CA) + LDAP + Kerberos

```
[root@instructor bin]# ./gls-setup-tls-ca
Generating a 1024 bit RSA private key
.........++++++
...............++++++
writing new private key to 'private/example-ca.key'
-----
[root@instructor bin]# pwd
/root/bin
[root@instructor bin]#
```

`--reverse` undoes the previous run of a gls-setup script before it is run again:

```
[root@instructor bin]# ./gls-setup-ldap --reverse
[root@instructor bin]# ./gls-setup-ldap
Generating a 1024 bit RSA private key
........++++++
.........++++++
writing new private key to 'slapd.key'
-----
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 21 12:59:00 2020 GMT
            Not After : Feb 20 12:59:00 2021 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = North Carolina
            organizationName          = Example, Inc.
            commonName                = instructor.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A6:08:BB:79:71:95:D9:CE:98:AA:81:65:9B:9A:FD:DF:30:2A:8D:DA
            X509v3 Authority Key Identifier:
                keyid:83:5C:FB:11:1C:5D:5A:AB:44:9F:25:5C:80:F6:4E:03:6C:AF:23:41
                DirName:/C=US/ST=North Carolina/L=Raleigh/O=Example, Inc./CN=example.com Certificate Authority
                serial:A2:E8:65:EB:BA:30:06:D5
Certificate is to be certified until Feb 20 12:59:00 2021 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
_#################### 100.00% eta   none elapsed            none fast!
Closing DB...
[root@instructor bin]#
```

Both scripts generate 1024-bit RSA keys, and the slapd certificate (CN=instructor.example.com) is issued for one year by the classroom CA (CN=example.com Certificate Authority). 1024-bit RSA is below the 2048-bit floor that current TLS stacks and CA policies require, so these scripts are for the lab network only.
Why everything is called EXAMPLE.COM: the realm is set in /etc/krb5.conf, and the [domain_realm] section maps every host under example.com into it, which is why every principal on this page ends in @EXAMPLE.COM:

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
```
```
[root@instructor bin]# ./gls-setup-krb5 --reverse
Stopping Kerberos 5 KDC:                                   [  OK  ]
** Database '/var/kerberos/krb5kdc/principal' destroyed.
[root@instructor bin]# ./gls-setup-krb5
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser1
WARNING: no policy specified for ldapuser1@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser1@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser2
WARNING: no policy specified for ldapuser2@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser2@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser3
WARNING: no policy specified for ldapuser3@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser3@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser4
WARNING: no policy specified for ldapuser4@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser4@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser5
WARNING: no policy specified for ldapuser5@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser5@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser6
WARNING: no policy specified for ldapuser6@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser6@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser7
WARNING: no policy specified for ldapuser7@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser7@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser8
WARNING: no policy specified for ldapuser8@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser8@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser9
WARNING: no policy specified for ldapuser9@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser9@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser10
WARNING: no policy specified for ldapuser10@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser10@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser11
WARNING: no policy specified for ldapuser11@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser11@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser12
WARNING: no policy specified for ldapuser12@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser12@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser13
WARNING: no policy specified for ldapuser13@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser13@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser14
WARNING: no policy specified for ldapuser14@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser14@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser15
WARNING: no policy specified for ldapuser15@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser15@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser16
WARNING: no policy specified for ldapuser16@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser16@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser17
WARNING: no policy specified for ldapuser17@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser17@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser18
WARNING: no policy specified for ldapuser18@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser18@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser19
WARNING: no policy specified for ldapuser19@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser19@EXAMPLE.COM" created.
kadmin.local: Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: add_principal -pw kerberos ldapuser20
WARNING: no policy specified for ldapuser20@EXAMPLE.COM; defaulting to no policy
Principal "ldapuser20@EXAMPLE.COM" created.
```

gls-setup-krb5 destroys and recreates the KDC database and seeds ldapuser1 to ldapuser20, all with the password kerberos and, as each WARNING says, with no password policy. That is acceptable for a classroom KDC on an isolated network; a real realm attaches a policy (add_policy) before creating users and never shares one known password across principals.
Important: the KDC (krb5kdc) and the admin server (kadmind) must both be running and enabled at boot, otherwise every kinit fails with "Cannot contact any KDC for realm" and remote kadmin cannot reach the database:

```
[root@instructor etc]# service kadmin status
kadmind is stopped
[root@instructor etc]# service kadmin start
Starting Kerberos 5 Admin Server:                          [  OK  ]
[root@instructor etc]# chkconfig kadmin on
[root@instructor etc]# service krb5kdc status
krb5kdc is stopped
[root@instructor etc]# service krb5kdc start
Starting Kerberos 5 KDC:                                   [  OK  ]
[root@instructor etc]# chkconfig krb5kdc on
[root@instructor etc]#
```
The per-student server certificates and keys left over from the previous run (dated Apr 20 2019) are removed and then regenerated with gls-setup-gen-sslcerts:

```
[root@instructor certs]# pwd
/etc/pki/tls/certs
[root@instructor certs]# ls -l server*
-rw-------. 1 root root 3503 Apr 20  2019 server10.crt
-rw-------. 1 root root 4416 Apr 20  2019 server10.pem
-rw-------. 1 root root 3503 Apr 20  2019 server11.crt
-rw-------. 1 root root 4420 Apr 20  2019 server11.pem
-rw-------. 1 root root 3503 Apr 20  2019 server12.crt
-rw-------. 1 root root 4420 Apr 20  2019 server12.pem
-rw-------. 1 root root 3503 Apr 20  2019 server13.crt
-rw-------. 1 root root 4420 Apr 20  2019 server13.pem
-rw-------. 1 root root 3503 Apr 20  2019 server14.crt
-rw-------. 1 root root 4420 Apr 20  2019 server14.pem
-rw-------. 1 root root 3504 Apr 20  2019 server15.crt
-rw-------. 1 root root 4421 Apr 20  2019 server15.pem
-rw-------. 1 root root 3504 Apr 20  2019 server16.crt
-rw-------. 1 root root 4421 Apr 20  2019 server16.pem
-rw-------. 1 root root 3504 Apr 20  2019 server17.crt
-rw-------. 1 root root 4421 Apr 20  2019 server17.pem
-rw-------. 1 root root 3504 Apr 20  2019 server18.crt
-rw-------. 1 root root 4421 Apr 20  2019 server18.pem
-rw-------. 1 root root 3504 Apr 20  2019 server19.crt
-rw-------. 1 root root 4421 Apr 20  2019 server19.pem
-rw-------. 1 root root 3501 Apr 20  2019 server1.crt
-rw-------. 1 root root 4418 Apr 20  2019 server1.pem
-rw-------. 1 root root 3504 Apr 20  2019 server20.crt
-rw-------. 1 root root 4417 Apr 20  2019 server20.pem
-rw-------. 1 root root 3501 Apr 20  2019 server2.crt
-rw-------. 1 root root 4414 Apr 20  2019 server2.pem
-rw-------. 1 root root 3501 Apr 20  2019 server3.crt
-rw-------. 1 root root 4418 Apr 20  2019 server3.pem
-rw-------. 1 root root 3501 Apr 20  2019 server4.crt
-rw-------. 1 root root 4418 Apr 20  2019 server4.pem
-rw-------. 1 root root 3501 Apr 20  2019 server5.crt
-rw-------. 1 root root 4422 Apr 20  2019 server5.pem
-rw-------. 1 root root 3501 Apr 20  2019 server6.crt
-rw-------. 1 root root 4418 Apr 20  2019 server6.pem
-rw-------. 1 root root 3501 Apr 20  2019 server7.crt
-rw-------. 1 root root 4414 Apr 20  2019 server7.pem
-rw-------. 1 root root 3501 Apr 20  2019 server8.crt
-rw-------. 1 root root 4418 Apr 20  2019 server8.pem
-rw-------. 1 root root 3502 Apr 20  2019 server9.crt
-rw-------. 1 root root 4419 Apr 20  2019 server9.pem
[root@instructor certs]# rm -f server*
[root@instructor certs]# cd ..
[root@instructor tls]# ls
cert.pem  certs  misc  openssl.cnf  openssl.cnf-gls  openssl.cnf-glsorig  private
[root@instructor tls]# cd private/
[root@instructor private]# ls
localhost.key  server13.key  server17.key  server20.key  server5.key  server9.key
server10.key   server14.key  server18.key  server2.key   server6.key
server11.key   server15.key  server19.key  server3.key   server7.key
server12.key   server16.key  server1.key   server4.key   server8.key
[root@instructor private]# ls -l server*
-rw-------. 1 root root 912 Apr 20  2019 server10.key
-rw-------. 1 root root 916 Apr 20  2019 server11.key
-rw-------. 1 root root 916 Apr 20  2019 server12.key
-rw-------. 1 root root 916 Apr 20  2019 server13.key
-rw-------. 1 root root 916 Apr 20  2019 server14.key
-rw-------. 1 root root 916 Apr 20  2019 server15.key
-rw-------. 1 root root 916 Apr 20  2019 server16.key
-rw-------. 1 root root 916 Apr 20  2019 server17.key
-rw-------. 1 root root 916 Apr 20  2019 server18.key
-rw-------. 1 root root 916 Apr 20  2019 server19.key
-rw-------. 1 root root 916 Apr 20  2019 server1.key
-rw-------. 1 root root 912 Apr 20  2019 server20.key
-rw-------. 1 root root 912 Apr 20  2019 server2.key
-rw-------. 1 root root 916 Apr 20  2019 server3.key
-rw-------. 1 root root 916 Apr 20  2019 server4.key
-rw-------. 1 root root 920 Apr 20  2019 server5.key
-rw-------. 1 root root 916 Apr 20  2019 server6.key
-rw-------. 1 root root 912 Apr 20  2019 server7.key
-rw-------. 1 root root 916 Apr 20  2019 server8.key
-rw-------. 1 root root 916 Apr 20  2019 server9.key
[root@instructor private]# rm -f server*
[root@instructor private]#
```

```
[root@instructor bin]# pwd
/root/bin
[root@instructor bin]# ./gls-setup-gen-sslcerts
```
3. The actual exam task: joining DESKTOP/SERVER to the remote users
This is the manual equivalent of ipa-client-install.
4. Reproducing what ipa host-add server$i.example.com and ipa host-add desktop$i.example.com do:
```
[root@instructor etc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: ?
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin.local: list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local: addprinc -randkey host/instructor.example.com
WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/instructor.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/server3.example.com
WARNING: no policy specified for host/server3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server3.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/desktop3.example.com
WARNING: no policy specified for host/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/desktop3.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey nfs/server3.example.com
WARNING: no policy specified for nfs/server3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/server3.example.com@EXAMPLE.COM" created.
kadmin.local: list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
nfs/server3.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local: q
[root@instructor etc]# kinit root/admin
Password for root/admin@EXAMPLE.COM:
[root@instructor etc]# ls -l krb5.keytab
krb5.keytab  krb5.keytab.client  krb5.keytab.server
[root@instructor etc]# ls -l krb5.keytab*
-rw-------. 1 root root 1376 Jun 29  2019 krb5.keytab
-rw-------. 1 root root  466 Jun 29  2019 krb5.keytab.client
-rw-------. 1 root root 1376 Jun 29  2019 krb5.keytab.server
[root@instructor etc]# rm -f krb5.keytab*
[root@instructor etc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: ktadd host/desktop3.example.com
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: q
[root@instructor etc]# cp krb5.keytab /var/ftp/pub/krb5.keytab.client
[root@instructor etc]# ktutil
ktutil: read_kt /var/ftp/pub/krb5.keytab.client
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/desktop3.example.com@EXAMPLE.COM
   2    2 host/desktop3.example.com@EXAMPLE.COM
   3    2 host/desktop3.example.com@EXAMPLE.COM
   4    2 host/desktop3.example.com@EXAMPLE.COM
   5    2 host/desktop3.example.com@EXAMPLE.COM
   6    2 host/desktop3.example.com@EXAMPLE.COM
ktutil: q
[root@instructor etc]# kinit root/admin
Password for root/admin@EXAMPLE.COM:
[root@instructor etc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: ktadd host/server3.example.com
Entry for principal host/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: ktadd nfs/server3.example.com
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: q
[root@instructor etc]# cp krb5.keytab /var/ftp/pub/krb5.keytab.server
[root@instructor etc]# ktutil
ktutil: read_kt /var/ftp/pub/krb5.keytab.server
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/desktop3.example.com@EXAMPLE.COM
   2    2 host/desktop3.example.com@EXAMPLE.COM
   3    2 host/desktop3.example.com@EXAMPLE.COM
   4    2 host/desktop3.example.com@EXAMPLE.COM
   5    2 host/desktop3.example.com@EXAMPLE.COM
   6    2 host/desktop3.example.com@EXAMPLE.COM
   7    2 host/server3.example.com@EXAMPLE.COM
   8    2 host/server3.example.com@EXAMPLE.COM
   9    2 host/server3.example.com@EXAMPLE.COM
  10    2 host/server3.example.com@EXAMPLE.COM
  11    2 host/server3.example.com@EXAMPLE.COM
  12    2 host/server3.example.com@EXAMPLE.COM
  13    2 nfs/server3.example.com@EXAMPLE.COM
  14    2 nfs/server3.example.com@EXAMPLE.COM
  15    2 nfs/server3.example.com@EXAMPLE.COM
  16    2 nfs/server3.example.com@EXAMPLE.COM
  17    2 nfs/server3.example.com@EXAMPLE.COM
  18    2 nfs/server3.example.com@EXAMPLE.COM
ktutil:
```

```
[root@instructor pub]# chmod 644 krb5.keytab.*
```

Three things in this transcript matter before it is copied anywhere other than a classroom.

kadmin.local reads the KDC database directly as root; the "Authenticating as principal root/admin@EXAMPLE.COM with password." banner is informational and no password is checked, so the kinit root/admin calls are not needed for it. The root/admin principal is created so that kinit root/admin and the remote kadmin work; its rights come from /var/kerberos/krb5kdc/kadm5.acl, which on RHEL grants */admin@EXAMPLE.COM full rights by default.

ktadd without -k appends to /etc/krb5.keytab and generates a fresh key every time it runs (the principals were created at kvno 1; every exported entry shows kvno 2). Because the file was not emptied between the two sessions, krb5.keytab.server carries desktop3's host key (slots 1 to 6) next to server3's own keys, so server3 holds credentials with which it can authenticate as desktop3. Write one keytab per host with ktadd -k <file> instead, and remember that running ktadd again for a principal invalidates every keytab exported for it earlier.

The KDC still issues single-DES, 3DES and RC4 keys (des-cbc-md5, des-hmac-sha1, des3-cbc-sha1, arcfour-hmac) because they are listed in supported_enctypes in kdc.conf; trim that list to the AES types. Finally, chmod 644 on files under /var/ftp/pub that are also served over HTTP means anyone who can reach instructor can download both host keytabs. A keytab is a host's password: move it with scp (or whatever the exam provides) and keep it at mode 0600.
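The following script is an added example, not part of the original post and not part of the gls-setup tooling. It does the host/nfs principal and keytab work of this section with one keytab per host (ktadd -k), and audits a keytab listing for foreign principals and weak enctypes before the file leaves the KDC. It assumes MIT kadmin.local on the KDC, the realm EXAMPLE.COM and a root-only staging directory /root/keytabs (all three are assumptions); the two klist listings embedded in it are constructed samples, not captured output.

```shell
#!/bin/bash
# Added example (not from the original post): instructor-side keytab workflow
# with one keytab per host, plus an audit of what a keytab contains.
# Assumptions: MIT krb5 with kadmin.local run as root, realm EXAMPLE.COM,
# root-only staging directory OUTDIR instead of the world-readable /var/ftp/pub.
set -u

REALM=${REALM:-EXAMPLE.COM}
OUTDIR=${OUTDIR:-/root/keytabs}

# Enctypes that must not appear in a freshly issued keytab: the legacy types
# the transcript's KDC still emitted, plus the other single-DES variant.
WEAK_ENCTYPES='des-cbc-crc|des-cbc-md5|des-hmac-sha1|des3-cbc-sha1|arcfour-hmac'

# make_host_keytab FQDN [service ...]
# Creates host/FQDN (plus any extra service principals such as nfs) with random
# keys and exports them with `ktadd -k` into a keytab holding ONLY this host's
# keys. ktadd always generates a new key (kvno+1), so run this once per host
# and redistribute the file if it is ever run again.
make_host_keytab() {
    local fqdn=$1; shift
    local kt="$OUTDIR/$fqdn.keytab" svc
    mkdir -p "$OUTDIR" && chmod 700 "$OUTDIR"
    rm -f "$kt"
    for svc in host "$@"; do
        # addprinc fails if the principal already exists; that is fine, the
        # ktadd below still exports (and rotates) its key.
        kadmin.local -q "addprinc -randkey $svc/$fqdn@$REALM" >/dev/null 2>&1 || true
        kadmin.local -q "ktadd -k $kt $svc/$fqdn@$REALM" >/dev/null || return 1
    done
    chmod 600 "$kt"
    printf '%s\n' "$kt"
}

# audit_keytab_listing FQDN LISTING
# LISTING is the text of `klist -kte <keytab>`. Every entry must belong to
# FQDN and use a strong enctype; offending entries are printed and the
# function returns 1. Run it before a keytab is copied off the KDC.
audit_keytab_listing() {
    local fqdn=$1 listing=$2
    printf '%s\n' "$listing" | awk -v host="$fqdn" -v weak="$WEAK_ENCTYPES" '
        # klist -kte rows: KVNO date time service/host@REALM (enctype)
        $4 ~ /@/ {
            split($4, sp, "/"); split(sp[2], hr, "@")
            if (hr[1] != host) { print "FOREIGN " $4; bad = 1 }
            etype = $5; gsub(/[()]/, "", etype)
            if (etype ~ ("^(" weak ")$")) { print "WEAK " $4 " " etype; bad = 1 }
        }
        END { exit bad }'
}

# audit_file FQDN KEYTAB: the real thing, klist feeding the audit.
audit_file() {
    audit_keytab_listing "$1" "$(klist -kte "$2")"
}

# Constructed sample listings (not captured from the lab) for the two shapes
# that matter: the polluted keytab the transcript shipped to server3, and a
# clean per-host keytab.
SAMPLE_BAD='Keytab name: FILE:/var/ftp/pub/krb5.keytab.server
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/21/2020 20:59:00 host/desktop3.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/21/2020 20:59:00 host/server3.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/21/2020 20:59:00 host/server3.example.com@EXAMPLE.COM (des-cbc-md5)
   2 02/21/2020 20:59:00 nfs/server3.example.com@EXAMPLE.COM (arcfour-hmac)'

SAMPLE_GOOD='Keytab name: FILE:/root/keytabs/server3.example.com.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/21/2020 20:59:00 host/server3.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/21/2020 20:59:00 host/server3.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 02/21/2020 20:59:00 nfs/server3.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/21/2020 20:59:00 nfs/server3.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
```

On the KDC the calls would be `make_host_keytab desktop3.example.com` and `make_host_keytab server3.example.com nfs`, followed by `audit_file server3.example.com /root/keytabs/server3.example.com.keytab`; audited against SAMPLE_BAD the function prints one FOREIGN line for the desktop3 entry and two WEAK lines and returns 1, against SAMPLE_GOOD it prints nothing and returns 0. The audit deliberately treats a user principal (no service/host part) as foreign too: a host keytab should never carry user keys.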
On DESKTOP:

```
[root@desktop3 yum.repos.d]# wget -O /etc/krb5.keytab http://instructor.example.com/pub/krb5.keytab.client
--2020-02-21 22:17:56--  http://instructor.example.com/pub/krb5.keytab.client
Resolving instructor.example.com (instructor.example.com)... 192.168.0.254
Connecting to instructor.example.com (instructor.example.com)|192.168.0.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 466 [text/plain]
Saving to: '/etc/krb5.keytab'

100%[=================================================================>] 466         --.-K/s   in 0s

2020-02-21 22:17:56 (44.5 MB/s) - '/etc/krb5.keytab' saved [466/466]

[root@desktop3 yum.repos.d]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Sat 2020-02-22 03:54:00 CST; 5h 35min left
[root@desktop3 yum.repos.d]# systemctl enable nfs-secure
[root@desktop3 yum.repos.d]# systemctl restart nfs-secure
[root@desktop3 yum.repos.d]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Fri 2020-02-21 22:38:59 CST; 5s ago
  Process: 68839 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
 Main PID: 68840 (rpc.gssd)
    Tasks: 1
   CGroup: /system.slice/rpc-gssd.service
           └─68840 /usr/sbin/rpc.gssd

Feb 21 22:38:59 desktop3.example.com systemd[1]: Starting RPC security service for NFS client and server...
Feb 21 22:38:59 desktop3.example.com systemd[1]: Started RPC security service for NFS client and server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@desktop3 yum.repos.d]#
```

wget creates /etc/krb5.keytab with the default umask (mode 0644), so chmod 600 it and confirm what it holds with klist -kte before going near NFS. nfs-secure is an alias for rpc-gssd.service, a static unit (enable is a no-op) whose ConditionPathExists=/etc/krb5.keytab is what "start condition failed" refers to: the keytab did not exist at boot. The condition timestamp lies about five hours in the future because the clock was stepped back roughly eight hours by the ntpdate run above, after the unit had already been evaluated.
On SERVER: on Red Hat Enterprise Linux 7.0 (RH299) you must also enable and restart nfs-secure-server. On 7.1 and later that unit no longer exists, because the server side of RPCSEC_GSS moved from rpc.svcgssd to gssproxy, which is why the enable fails on the 7.6 machine below:

```
[root@server3 ~]# wget -O /etc/krb5.keytab http://instructor.example.com/pub/krb5.keytab.server
--2020-02-21 22:17:20--  http://instructor.example.com/pub/krb5.keytab.server
Resolving instructor.example.com (instructor.example.com)... 192.168.0.254
Connecting to instructor.example.com (instructor.example.com)|192.168.0.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1376 (1.3K) [text/plain]
Saving to: '/etc/krb5.keytab'

100%[======================================>] 1,376       --.-K/s   in 0s

2020-02-21 22:17:20 (152 MB/s) - '/etc/krb5.keytab' saved [1376/1376]

[root@server3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: inactive (dead)
Condition: start condition failed at Sat 2020-02-22 03:54:34 CST; 5h 36min left
[root@server3 ~]# systemctl enable nfs-secure
[root@server3 ~]# systemctl enable nfs-secure-server
Failed to execute operation: No such file or directory
[root@server3 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)
[root@server3 ~]# systemctl restart nfs-secure
[root@server3 ~]# systemctl status nfs-secure
● rpc-gssd.service - RPC security service for NFS client and server
   Loaded: loaded (/usr/lib/systemd/system/rpc-gssd.service; static; vendor preset: disabled)
   Active: active (running) since Fri 2020-02-21 22:20:19 CST; 5s ago
  Process: 59132 ExecStart=/usr/sbin/rpc.gssd $GSSDARGS (code=exited, status=0/SUCCESS)
 Main PID: 59133 (rpc.gssd)
    Tasks: 1
   CGroup: /system.slice/rpc-gssd.service
           └─59133 /usr/sbin/rpc.gssd

Feb 21 22:20:18 server3.example.com systemd[1]: Starting RPC security servic....
Feb 21 22:20:19 server3.example.com systemd[1]: Started RPC security service....
Hint: Some lines were ellipsized, use -l to show in full.
```

The 1376-byte file server3 fetched is the one whose ktutil listing above shows desktop3's host key in slots 1 to 6; a quick `klist -k /etc/krb5.keytab` here would have revealed that server3 now holds a key it should never have.
nfs-secure is only an alias for rpc-gssd.service (on RHEL 7.0 the server side was the separate nfs-secure-server unit, i.e. rpc.svcgssd). rpc.gssd, and on the server side gssproxy (rpc.svcgssd on 7.0), are the only NFS daemons that read /etc/krb5.keytab, which is why the unit carries ConditionPathExists=/etc/krb5.keytab and went from "start condition failed" to "active (running)" as soon as the keytab was in place. nfs-idmapd (rpc.idmapd) is not the RHEL 8 counterpart of this: it maps NFSv4 user and group names and never touches the keytab. On RHEL 8 the unit to look at for sec=krb5 is still rpc-gssd.service.
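As a second added example (again not from the original post), this is the client-side counterpart for DESKTOP/SERVER: install the keytab with the right owner and mode instead of `wget -O /etc/krb5.keytab`, list what it contains, prove it against the KDC, and check the clock offset against the default Kerberos clockskew of 300 s. It assumes MIT client tools, GNU stat, systemd as on RHEL 7, and that the keytab arrives by scp into a staging path (all assumptions); the ntpdate line used in the usage note is the one from this page.

```shell
#!/bin/bash
# Added example (not from the original post): what DESKTOP/SERVER should do
# with a keytab once it arrives. Assumptions: MIT krb5 client tools, GNU
# coreutils stat, systemd (RHEL 7), keytab copied over scp to a staging path,
# KDC clockskew left at the MIT default of 300 seconds.
set -u

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
CLOCKSKEW=300

# install_keytab STAGED: copy into place as root:root 0600 (wget leaves 0644
# under the default umask), fix the SELinux label, then restart rpc-gssd,
# whose ConditionPathExists=/etc/krb5.keytab is now satisfied.
install_keytab() {
    install -o root -g root -m 0600 "$1" "$KEYTAB" || return 1
    restorecon "$KEYTAB" 2>/dev/null || true
    systemctl restart rpc-gssd.service    # nfs-secure is an alias for this unit
}

# keytab_mode_ok FILE [OWNER]: 0 when FILE is mode 0600 and owned by OWNER
# (root unless stated). Anything else means another local user can read a
# credential equivalent to the host's password.
keytab_mode_ok() {
    local mode owner
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U' "$1") || return 1
    [ "$mode" = "600" ] && [ "$owner" = "${2:-root}" ]
}

# keytab_principals FILE: distinct principals in FILE, one per line. A host
# should see only host/<itself>, plus nfs/<itself> if it exports NFS; anything
# else (such as host/desktop3 on server3) is a leaked key.
keytab_principals() {
    klist -k "$1" | awk 'NR > 3 { print $2 }' | sort -u
}

# keytab_works: prove the host key is accepted by the KDC. A throwaway memory
# cache keeps the self-test from overwriting an admin's ticket cache.
keytab_works() {
    KRB5CCNAME=MEMORY:keytab-selftest kinit -k -t "$KEYTAB" "host/$(hostname -f)"
}

# parse_ntpdate_offset LINE: the offset (seconds) from an ntpdate line, e.g.
# "... step time server 192.168.0.254 offset -28788.322828 sec" from this page,
# or the "server ..., offset N, delay ..." line printed by `ntpdate -q`.
parse_ntpdate_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-*[0-9.]*\).*/\1/p'
}

# offset_within_skew OFFSET: 0 when |OFFSET| <= CLOCKSKEW. The KDC will refuse
# every request from this host until this returns 0.
offset_within_skew() {
    awk -v o="$1" -v lim="$CLOCKSKEW" 'BEGIN { if (o < 0) o = -o; exit (o > lim) }'
}
```

Usage on server3 after `scp` has placed the file in /root: `install_keytab /root/server3.example.com.keytab`, then `keytab_mode_ok /etc/krb5.keytab`, `keytab_principals /etc/krb5.keytab` (expect exactly host/server3.example.com@EXAMPLE.COM and nfs/server3.example.com@EXAMPLE.COM), `keytab_works`, and `offset_within_skew "$(parse_ntpdate_offset "$(ntpdate -q 192.168.0.254 | tail -1)")"`. Fed the step line from this page, the parser returns -28788.322828 and the skew check fails, which is exactly the state every DESKTOP/SERVER is in before the mandatory ntpdate -b step.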