botang posted on 2019-6-30 09:06:46

Course session 33

First, initialize the Instructor VM:
/root/bin/gls-setup-tls-ca --reverse
/root/bin/gls-setup-tls-ca
/root/bin/gls-setup-ldap --reverse
/root/bin/gls-setup-ldap
/root/bin/gls-setup-krb5 --reverse
/root/bin/gls-setup-krb5
Implement Kerberized NFS directly with the Instructor VM (without an IPA server; see course session 20):
On Instructor (the clocks of all three machines must be synchronized; use ntpdate -b):


# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: ?
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
change_password, cpw   Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
kadmin.local: list_principals
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
kadmin.local:
Add the host principals and the NFS service principals:
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/instructor.example.com
WARNING: no policy specified for host/instructor.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/instructor.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/desktop3.example.com
WARNING: no policy specified for host/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/desktop3.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey host/server3.example.com
WARNING: no policy specified for host/server3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/server3.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey nfs/desktop3.example.com
WARNING: no policy specified for nfs/desktop3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/desktop3.example.com@EXAMPLE.COM" created.
kadmin.local: addprinc -randkey nfs/server3.example.com
WARNING: no policy specified for nfs/server3.example.com@EXAMPLE.COM; defaulting to no policy
Principal "nfs/server3.example.com@EXAMPLE.COM" created.
kadmin.local: list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
nfs/desktop3.example.com@EXAMPLE.COM
nfs/server3.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local:
Remove the old krb5.keytab:
# cd /etc/
# ls -l krb5.*
-rw-r--r--. 1 root root 449 Feb 18  2010 krb5.conf
-rw-r--r--. 1 root root 453 Oct  2  2010 krb5.conf-gls
-rw-------. 1 root root 131 May 26 08:34 krb5.keytab
# rm -rf krb5.keytab
#
Generate the client keytab and the server keytab separately:


# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: ktadd host/desktop4.example.com
kadmin.local: Principal host/desktop4.example.com does not exist.
kadmin.local: list_principals
K/M@EXAMPLE.COM
host/desktop3.example.com@EXAMPLE.COM
host/instructor.example.com@EXAMPLE.COM
host/server3.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/instructor.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
ldapuser10@EXAMPLE.COM
ldapuser11@EXAMPLE.COM
ldapuser12@EXAMPLE.COM
ldapuser13@EXAMPLE.COM
ldapuser14@EXAMPLE.COM
ldapuser15@EXAMPLE.COM
ldapuser16@EXAMPLE.COM
ldapuser17@EXAMPLE.COM
ldapuser18@EXAMPLE.COM
ldapuser19@EXAMPLE.COM
ldapuser1@EXAMPLE.COM
ldapuser20@EXAMPLE.COM
ldapuser2@EXAMPLE.COM
ldapuser3@EXAMPLE.COM
ldapuser4@EXAMPLE.COM
ldapuser5@EXAMPLE.COM
ldapuser6@EXAMPLE.COM
ldapuser7@EXAMPLE.COM
ldapuser8@EXAMPLE.COM
ldapuser9@EXAMPLE.COM
nfs/desktop3.example.com@EXAMPLE.COM
nfs/server3.example.com@EXAMPLE.COM
root/admin@EXAMPLE.COM
kadmin.local: ktadd host/desktop3.example.com
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/desktop3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: quit
# ls

# stat krb5.keytab
File: `krb5.keytab'
Size: 466             Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 949         Links: 1
Access: (0600/-rw-------)Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-06-29 15:50:09.895532024 +0800
Modify: 2019-06-29 15:50:09.895532024 +0800
Change: 2019-06-29 15:50:09.895532024 +0800
# date
Sat Jun 29 15:50:32 CST 2019
# cp krb5.keytab krb5.keytab.client

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: ktadd host/server3.example.com
Entry for principal host/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: ktadd nfs/server3.example.com
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal nfs/server3.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: quit
# stat krb5.keytab
File: `krb5.keytab'
Size: 1376            Blocks: 8          IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 949         Links: 1
Access: (0600/-rw-------)Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-06-29 15:53:04.105522237 +0800
Modify: 2019-06-29 15:53:04.105522237 +0800
Change: 2019-06-29 15:53:04.105522237 +0800
# date
Sat Jun 29 15:53:22 CST 2019
# cp krb5.keytab krb5.keytab.server
#
On the Instructor VM, the KDC must be started with: service krb5kdc start
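A keytab audit to run after the steps above, added here as an example and not part of the original post. Two things in the session above are worth checking on the copied files: the second ktadd appended server3's entries to the same /etc/krb5.keytab that already held desktop3's (466 to 1376 bytes), so krb5.keytab.server also carries the desktop3 host key, and every entry was written with DES, 3DES and RC4 keys alongside AES. The listing below is constructed to mirror that session; the function name and the check are assumptions of this example.

```shell
# Added example (not from the original post): audit a `klist -kte` listing of a keytab.
# It flags principals that do not belong to the intended host and weak enctypes.
# The listing below is constructed to mirror the session above, where the second
# ktadd appended server3's entries to the same /etc/krb5.keytab that already held
# desktop3's, so krb5.keytab.server also carries desktop3's host key.
# On a real host replace SAMPLE_LISTING with: "$(klist -kte /etc/krb5.keytab.server)"
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab.server
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/29/19 15:50:09 host/desktop3.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 06/29/19 15:50:09 host/desktop3.example.com@EXAMPLE.COM (des-cbc-md5)
   2 06/29/19 15:53:04 host/server3.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 06/29/19 15:53:04 nfs/server3.example.com@EXAMPLE.COM (arcfour-hmac)'

# audit_keytab_listing LISTING HOSTNAME
# Prints one finding per line (FOREIGN = principal for another host,
# WEAK = DES/3DES/RC4 key). Returns 0 when the keytab is clean, 1 otherwise.
audit_keytab_listing() {
  printf '%s\n' "$1" | awk -v host="$2" '
    /@/ {
      princ = $4; enc = $5; gsub(/[()]/, "", enc)
      split(princ, p, "[/@]")          # p[1]=service p[2]=host p[3]=realm
      if (p[2] != host) { print "FOREIGN " princ; bad = 1 }
      if (enc ~ /^(des|des3|arcfour)-/) { print "WEAK " princ " " enc; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Usage: audit_keytab_listing "$SAMPLE_LISTING" server3.example.com
```

On the constructed listing this reports both desktop3 entries as FOREIGN and the des-cbc-md5 and arcfour-hmac entries as WEAK; a keytab holding only AES entries for server3 passes silently.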