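# ===== KDC server (host test01 in this walkthrough) =====
# Every step below runs as root on the machine that will host the KDC.

# Install the KDC, the Kerberos libraries and the admin/user tools.
yum install krb5-server krb5-libs krb5-workstation -y

# Download the JCE policy archive and unpack it into the JRE security directory.
# JCE download page: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
# The page link is plain HTTP: fetch the archive over HTTPS and check its
# integrity before unpacking, because `unzip -o` overwrites the JRE's existing
# policy jars without asking.
# Java 8u161 and later enable unlimited-strength crypto by default, so this step
# is only needed on older Java 8 builds.
unzip -o -j -q /app/data/jce_policy-8.zip -d /usr/lib/jvm/zulu-8/jre/lib/security

# Main client/library configuration: /etc/krb5.conf
# NOTE(review): Java-based Hadoop clients generally expect a file-based
# credential cache; if tickets obtained with kinit are not picked up, check the
# KEYRING default_ccache_name setting first.
cat > /etc/krb5.conf <<'EOF'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = SINOSIGTEST.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 SINOSIGTEST.COM = {
  kdc = test01
  admin_server = test01
 }

[domain_realm]
 .sinosigtest.com = SINOSIGTEST.COM
 sinosigtest.com = SINOSIGTEST.COM
EOF

# KDC configuration: /var/kerberos/krb5kdc/kdc.conf
# supported_enctypes decides which key types the KDC generates for new
# principals. Only the AES and Camellia entries are kept here; the single-DES,
# 3DES and RC4 entries (des-cbc-crc, des-cbc-md5, des-hmac-sha1, des3-hmac-sha1,
# arcfour-hmac) are left out because they are weak or deprecated. Add one back
# only for a specific legacy client that cannot use AES.
cat > /var/kerberos/krb5kdc/kdc.conf <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SINOSIGTEST.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal camellia256-cts:normal camellia128-cts:normal
 }
EOF

# Grant ACL permissions to the administrator accounts.
# This one line gives every principal whose instance is "admin" all kadmin
# privileges in the realm, so creating */admin principals must itself be
# tightly controlled.
cat > /var/kerberos/krb5kdc/kadm5.acl <<'EOF'
*/admin@SINOSIGTEST.COM *
EOF

# Create the Kerberos database for the realm.
# -s writes a stash file containing the master key so the daemons can start
# unattended; that file and the database must stay readable by root only and
# need the same protection in backups.
kdb5_util create -s -r SINOSIGTEST.COM
# Recorded output:
#   Loading random data
#   Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SINOSIGTEST.COM',
#   master key name 'K/M@SINOSIGTEST.COM'
#   You will be prompted for the database Master Password.
#   It is important that you NOT FORGET this password.
#   Enter KDC database master key:
#   Re-enter KDC database master key to verify:

# Create the administrator principal (prompts twice for its password).
kadmin.local -q "addprinc admin/admin"
# Recorded output:
#   Authenticating as principal root/admin@SINOSIGTEST.COM with password.
#   WARNING: no policy specified for admin/admin@SINOSIGTEST.COM; defaulting to no policy
#   Enter password for principal "admin/admin@SINOSIGTEST.COM":
#   Re-enter password for principal "admin/admin@SINOSIGTEST.COM":
#   add_principal: Password mismatch while reading password for "admin/admin@SINOSIGTEST.COM".
#
# The recorded attempt FAILED: "Password mismatch" means admin/admin was not
# created, so the addprinc command has to be repeated until it succeeds.
# "no policy" also means no password-quality rules (length, dictionary check)
# apply to this account; define a policy with addpol and pass it with
# `addprinc -policy` if the admin password should be constrained.
#
# The recorded run then opened an interactive kadmin.local session
# ("Authenticating as principal root/admin@SINOSIGTEST.COM with password.",
# prompt "kadmin.local:") without showing any command. Confirm that the
# principal exists before going on:
kadmin.local -q "getprinc admin/admin"

# Start the KDC and the admin server, then enable both at boot.
# (The recorded prompt for these four commands reads root@manager rather than
# root@test01; run them on the KDC host.)
systemctl start krb5kdc
systemctl start kadmin
systemctl enable krb5kdc
systemctl enable kadmin

# ===== Client =====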
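# Install the Kerberos libraries and user tools on each client host.
yum install -y krb5-libs krb5-workstation

# Download the JCE policy archive and unpack it into the JRE security directory.
# JCE download page: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
# The page link is plain HTTP: fetch the archive over HTTPS and check its
# integrity before unpacking, because `unzip -o` overwrites the JRE's existing
# policy jars without asking.
# Java 8u161 and later enable unlimited-strength crypto by default, so this step
# is only needed on older Java 8 builds.
# The archive path is relative: run this from the directory holding the zip.
unzip -o -j -q jce_policy-8.zip -d /usr/lib/jvm/zulu-8/jre/lib/security

# Main configuration: /etc/krb5.conf (realm SINOSIGTEST.COM, KDC on test01).
# NOTE(review): Java-based Hadoop clients generally expect a file-based
# credential cache; if tickets obtained with kinit are not picked up, check the
# KEYRING default_ccache_name setting first.
cat > /etc/krb5.conf <<'EOF'
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = SINOSIGTEST.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 SINOSIGTEST.COM = {
  kdc = test01
  admin_server = test01
 }

[domain_realm]
 .sinosigtest.com = SINOSIGTEST.COM
 sinosigtest.com = SINOSIGTEST.COM
EOF

# ===== Adding Kerberos in Ambari =====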