Bo's Oracle Station

Lesson 33
Posted on 2019-6-30 09:06:46
First, reset the Instructor virtual machine:
/root/bin/gls-setup-tls-ca --reverse
/root/bin/gls-setup-tls-ca
/root/bin/gls-setup-ldap --reverse
/root/bin/gls-setup-ldap
/root/bin/gls-setup-krb5 --reverse
/root/bin/gls-setup-krb5
Use the Instructor VM directly to set up Kerberized NFS (without an IPA server; see Lesson 20):
On Instructor (the clocks of all three machines must be synchronized: ntpdate -b):


[root@instructor bin]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  ?
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
kadmin.local:  list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
kadmin.local:
Add the host principals and the NFS service principals:
kadmin.local:  addprinc  root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local:  addprinc -randkey host/instructor.example.com
WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/instructor.example.com@EXAMPLE.COM" created.
kadmin.local:  addprinc -randkey host/desktop3.example.com
WARNING: no policy specified for host/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/desktop3.example.com@EXAMPLE.COM" created.
kadmin.local:  addprinc -randkey host/server3.example.com
WARNING: no policy specified for host/server3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server3.example.com@EXAMPLE.COM" created.
kadmin.local:  addprinc -randkey nfs/desktop3.example.com
WARNING: no policy specified for nfs/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/desktop3.example.com@EXAMPLE.COM" created.
kadmin.local:  addprinc -randkey nfs/server3.example.com
WARNING: no policy specified for nfs/server3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/server3.example.com@EXAMPLE.COM" created.
kadmin.local:  list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
nfs/desktop3.example.com@EXAMPLE.COM
nfs/server3.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local:
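Before exporting keytabs it is worth confirming that every NFS client and server host has both its host/ and nfs/ principals, because ktadd simply fails for a principal that was never created (later in this post, ktadd host/desktop4.example.com fails for exactly that reason). The following is an added example, not part of the course post: it parses list_principals output (the sample is constructed from the listing above) and reports the missing service principals together with the addprinc lines that would create them. The host list and the REQUIRED_SERVICES set are assumptions for the example; on a real KDC the listing would come from kadmin.local -q listprincs.

```python
# Added example (not from the course post): check, from kadmin.local's
# list_principals output, that every NFS client and server host already has
# its host/ and nfs/ service principals before any ktadd is attempted.

REQUIRED_SERVICES = ("host", "nfs")

# Constructed sample: the post's listing after the addprinc step, trimmed to a
# few ldapuser entries, with the surrounding kadmin.local prompt lines.
SAMPLE_LISTING = """\
kadmin.local:  list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
nfs/desktop3.example.com@EXAMPLE.COM
nfs/server3.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local:
"""


def parse_principals(listing, realm="EXAMPLE.COM"):
    """Return the principal names (without realm) in the listing, skipping
    prompt lines and any principal of a different realm."""
    found = set()
    for line in listing.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        name, _, r = line.rpartition("@")
        if r == realm:
            found.add(name)
    return found


def service_principals(hosts):
    """host/ and nfs/ principals that a Kerberized NFS client or server needs."""
    return {f"{svc}/{host}" for host in hosts for svc in REQUIRED_SERVICES}


def missing_service_principals(listing, hosts, realm="EXAMPLE.COM"):
    """Required service principals that list_principals did not show."""
    return sorted(service_principals(hosts) - parse_principals(listing, realm))


def addprinc_commands(missing):
    """The kadmin.local lines the post uses to create them: -randkey because a
    service key is generated by the KDC and never typed by a person."""
    return [f"addprinc -randkey {p}" for p in missing]


if __name__ == "__main__":
    hosts = ["desktop3.example.com", "server3.example.com", "desktop4.example.com"]
    for cmd in addprinc_commands(missing_service_principals(SAMPLE_LISTING, hosts)):
        print(cmd)
```

Run as a script it prints the two addprinc lines for desktop4, the host that has no principals yet; with only desktop3 and server3 in the host list it prints nothing.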
Delete the old krb5.keytab:
[root@instructor bin]# cd /etc/
[root@instructor etc]# ls -l krb5.*
-rw-r--r--. 1 root root 449 Feb 18  2010 krb5.conf
-rw-r--r--. 1 root root 453 Oct  2  2010 krb5.conf-gls
-rw-------. 1 root root 131 May 26 08:34 krb5.keytab
[root@instructor etc]# rm -rf krb5.keytab
[root@instructor etc]#
Generate the client keytab and the server keytab separately:


[root@instructor etc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  ktadd host/desktop4.example.com
kadmin.local: Principal host/desktop4.example.com does not exist.
kadmin.local:  list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
nfs/desktop3.example.com@EXAMPLE.COM
nfs/server3.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local:  ktadd host/desktop3.example.com
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  quit
[root@instructor etc]# ls

[root@instructor etc]# stat krb5.keytab
  File: `krb5.keytab'
  Size: 466             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 949         Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-06-29 15:50:09.895532024 +0800
Modify: 2019-06-29 15:50:09.895532024 +0800
Change: 2019-06-29 15:50:09.895532024 +0800
[root@instructor etc]# date
Sat Jun 29 15:50:32 CST 2019
[root@instructor etc]# cp krb5.keytab  krb5.keytab.client
[root@instructor etc]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  ktadd host/server3.example.com
Entry for principal host/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  ktadd nfs/server3.example.com
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  quit
[root@instructor etc]# stat krb5.keytab
  File: `krb5.keytab'
  Size: 1376            Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 949         Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-06-29 15:53:04.105522237 +0800
Modify: 2019-06-29 15:53:04.105522237 +0800
Change: 2019-06-29 15:53:04.105522237 +0800
[root@instructor etc]# date
Sat Jun 29 15:53:22 CST 2019
[root@instructor etc]# cp krb5.keytab krb5.keytab.server
[root@instructor etc]#
On the Instructor VM the KDC must be running: service krb5kdc start
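Two things in the keytab transcript above deserve a check before the files are shipped to the hosts. First, ktadd appended the server entries to the same /etc/krb5.keytab that already held host/desktop3 (the file grew from 466 to 1376 bytes), so krb5.keytab.server also carries the client host's key; writing each keytab to its own file with ktadd -k /etc/krb5.keytab.server avoids that. Second, every principal was exported with single-DES, RC4 and 3DES keys alongside AES. The following is an added example, not code from the course: a small parser for the MIT keytab format (version 0x0502) that lists the entries the way klist -kte would and flags weak enctypes and keys belonging to another host. The two sample keytabs are constructed in the block itself to mirror the transcript (same principals, kvno 2, the six enctypes ktadd printed, dummy key bytes), and the expected_host argument and the WEAK_ENCTYPES set are assumptions of the example. Omitting the optional 32-bit kvno field when the kvno fits in 8 bits reproduces the exact sizes the post's stat output shows.

```python
import struct

# Enctype numbers as registered for Kerberos (RFC 3961/3962, RFC 4757),
# named the way kadmin's ktadd prints them in the transcript above.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Single DES and RC4 are broken and 3DES is deprecated (assumption of this
# example: only the AES types are acceptable).
WEAK_ENCTYPES = {1, 3, 8, 16, 23}


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples in MIT keytab format
    0x0502 (big-endian), the layout ktadd writes to /etc/krb5.keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))          # realm is not counted
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        # name_type KRB5_NT_PRINCIPAL, timestamp (constructed: the post's
        # 2019-06-29 15:50:09 +0800 as epoch seconds), 8-bit kvno
        body += struct.pack(">IIB", 1, 1561794609, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        if kvno > 0xFF:                               # optional 32-bit kvno
            body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse keytab bytes into a list of entry dicts (key material is dropped).
    Entries with a negative size are free slots left by ktremove; skip them."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []
        for _ in range(ncomp + 1):                    # realm first, then components
            (ln,) = struct.unpack_from(">H", data, pos)
            pos += 2
            parts.append(data[pos:pos + ln].decode())
            pos += ln
        realm, comps = parts[0], parts[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                               # skip the key bytes
        kvno = vno8
        if end - pos >= 4:                            # 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": timestamp})
    return entries


def audit_keytab(data, expected_host):
    """Report weak enctypes and keys that belong to a host other than the one
    this keytab is deployed on; each finding is reported once."""
    findings = []
    for e in parse_keytab(data):
        name = ENCTYPES.get(e["enctype"], f"enctype {e['enctype']}")
        local = e["principal"].split("@")[0]
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"weak enctype {name} for {local}")
        instance = local.split("/")[1:]               # service/host -> [host]
        if instance and instance[0] != expected_host:
            findings.append(f"foreign key: {local} in the keytab for {expected_host}")
    return list(dict.fromkeys(findings))              # dedupe, keep order


# Constructed samples mirroring the transcript: every principal gets the six
# enctypes ktadd listed, kvno 2, and dummy key bytes of the right length.
SAMPLE_ENCTYPES = [(18, 32), (17, 16), (16, 24), (23, 16), (8, 8), (3, 8)]


def _sample(*principals):
    return build_keytab([(p, 2, et, bytes([et]) * n)
                         for p in principals for et, n in SAMPLE_ENCTYPES])


SAMPLE_CLIENT_KEYTAB = _sample("host/desktop3.example.com@EXAMPLE.COM")
SAMPLE_SERVER_KEYTAB = _sample("host/desktop3.example.com@EXAMPLE.COM",
                               "host/server3.example.com@EXAMPLE.COM",
                               "nfs/server3.example.com@EXAMPLE.COM")

if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE_SERVER_KEYTAB, "server3.example.com"):
        print(finding)
```

On the Instructor VM the same audit runs against the real files with audit_keytab(open("/etc/krb5.keytab.server", "rb").read(), "server3.example.com"); for the server keytab built above it reports the four weak enctypes of each of the three principals plus the foreign host/desktop3 key, which is exactly what klist -kte would let you read off by hand.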