NIS & Kerberos Configuration

Posted: 2015-09-24 09:29:24


Required RPM packages:

    krb5-server-1.10.3-42.el6.x86_64.rpm
    krb5-workstation-1.10.3-42.el6.x86_64.rpm
    krb5-devel-1.10.3-42.el6.x86_64.rpm
    ypserv-2.19-26.el6_4.2.x86_64.rpm
    ypbind-1.20.4-31.el6.x86_64.rpm
    yp-tools-2.9-12.el6.x86_64.rpm

Machine list:

    192.168.217.111 bs001.zx.nicx.cn
    192.168.217.112 bs002.zx.nicx.cn
    192.168.217.113 bs003.zx.nicx.cn

/etc/hosts on every machine needs the three entries above, and the localhost entries must be kept as well:

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Note: in the text below, bs00x stands for the machine bs00x.zx.nicx.cn.

Service roles

    No.  IP               HOST              NIS   KDC   AppServer  Client
    1    192.168.217.111  bs001.zx.nicx.cn  TRUE        TRUE
    2    192.168.217.112  bs002.zx.nicx.cn        TRUE             TRUE
    3    192.168.217.113  bs003.zx.nicx.cn              TRUE       TRUE

Configuring the NIS service

Clocks on all cluster machines must be kept in sync.

bs001 is the NIS server; the NIS domain is ZX.NICX.CN.

On bs001:

yum -y install ypserv

NIS runs over RPC, so the portmapper must be running. On EL6 the service is called rpcbind; the portmap name below only works after the init script has been copied:

service portmap restart   (prerequisite: cp /etc/init.d/rpcbind /etc/init.d/portmap)

or: /etc/init.d/rpcbind restart

Also enable the portmapper at boot:

chkconfig portmap on

Use rpcinfo -p localhost to confirm it started and to list every RPC service registered on this host.

rpcinfo -p hostname (or IP) lists the RPC services of another host.

Configure the NIS domain:

tail -n 1 /etc/sysconfig/network

NISDOMAIN=ZX.NICX.CN

To make the domain name take effect immediately (until the next reboot):

nisdomainname ZX.NICX.CN

nisdomainname with no argument prints the domain this host belongs to.

Start the ypserv service and enable it at boot:

service ypserv restart

chkconfig ypserv on

Create the NIS database and add the NIS server host(s), as follows:

[root@bs001 ~]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS

servers.  bs001.zx.nicx.cn is in the list of NIS server hosts.  Please continue to add

the names for the other hosts, one per line.  When you are done with the

list, type a <control D>.

         next host to add:  bs001.zx.nicx.cn

         next host to add: 

The current list of NIS servers looks like this:

bs001.zx.nicx.cn

Is this correct?  [y/n: y]  y

We need a few minutes to build the databases...

Building /var/yp/ZX.NICX.CN/ypservers...

Running /var/yp/Makefile...

gmake[1]: Entering directory `/var/yp/ZX.NICX.CN'

Updating passwd.byname...

Updating passwd.byuid...

Updating group.byname...

Updating group.bygid...

Updating hosts.byname...

Updating hosts.byaddr...

Updating rpc.byname...

Updating rpc.bynumber...

Updating services.byname...

Updating services.byservicename...

Updating netid.byname...

Updating protocols.bynumber...

Updating protocols.byname...

Updating mail.aliases...

gmake[1]: Leaving directory `/var/yp/ZX.NICX.CN'

bs001.zx.nicx.cn has been set up as a NIS master server.

Now you can run ypinit -s bs001.zx.nicx.cn on all slave server.

The database lives under /var/yp/ZX.NICX.CN.

 

On bs002:

yum -y install ypbind yp-tools

Start the ypbind service:

/etc/init.d/ypbind start

Verify the account and password map served by the NIS server:

[root@bs002 ~]# ypcat -d ZX.NICX.CN -h bs001.zx.nicx.cn passwd

baoshan:$1$x2LXJfgm$pyfEXYFxY9FkUfrfbNG6f0:500:500:baoshan:/home/baoshan:/bin/bash

The hosts, group and other maps can be verified the same way.

 

On bs001:

Create an account, for example zzh:

useradd zzh

passwd zzh

Rebuild the NIS maps (make -C /var/yp is the same as cd /var/yp && make):

[root@bs001 ~]# make -C /var/yp/

make: Entering directory `/var/yp'

gmake[1]: Entering directory `/var/yp/ZX.NICX.CN'

Updating passwd.byname...

Updating passwd.byuid...

Updating group.byname...

Updating group.bygid...

Updating netid.byname...

gmake[1]: Leaving directory `/var/yp/ZX.NICX.CN'

make: Leaving directory `/var/yp'

 

On bs002, the new account is now visible:

[root@bs002 ~]# ypcat  -d ZX.NICX.CN -h bs001.zx.nicx.cn passwd

zzh:$1$g8GlVSWY$rOFvRr0eHpQuQbdqXUCwH0:501:502::/home/zzh:/bin/bash

baoshan:$1$x2LXJfgm$pyfEXYFxY9FkUfrfbNG6f0:500:500:baoshan:/home/baoshan:/bin/bash

To simplify this further, configure /etc/yp.conf:

Add the line: domain ZX.NICX.CN server bs001.zx.nicx.cn

[root@bs002 ~]# grep ^domain /etc/yp.conf

domain ZX.NICX.CN server bs001.zx.nicx.cn

Then run /etc/init.d/ypbind restart, after which ypcat passwd works without -d or -h:

[root@bs002 ~]# /etc/init.d/ypbind start

Starting NIS service:                                      [  OK  ]

Binding NIS service:                                  [  OK  ]

[root@bs002 ~]# ypcat passwd

zzh:$1$g8GlVSWY$rOFvRr0eHpQuQbdqXUCwH0:501:502::/home/zzh:/bin/bash

baoshan:$1$x2LXJfgm$pyfEXYFxY9FkUfrfbNG6f0:500:500:baoshan:/home/baoshan:/bin/bash
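The ypcat output above shows what every host admitted by the NIS server receives: the complete passwd map, password hash field included. The following audit script is an added example, not code from the original post. It parses ypcat passwd output, names the hash algorithm by its crypt prefix ($1$ is MD5-crypt, as in the entries above), and reports accounts whose hash is exposed in the map instead of being shadowed, accounts with an empty password field, and non-root accounts with uid 0. The sample map and its hashes are constructed; parse_passwd_map(), classify_hash() and audit_passwd_map() are illustrative names.

```python
"""Audit what a NIS passwd map exposes (added example, not from the post)."""
import re
from typing import Dict, List

PASSWD_FIELDS = ("user", "hash", "uid", "gid", "gecos", "home", "shell")

# Constructed sample of `ypcat passwd` output; the hashes are made up, not real.
SAMPLE_PASSWD_MAP = """\
zzh:$1$saltone1$AAAAAAAAAAAAAAAAAAAAAA:501:502::/home/zzh:/bin/bash
baoshan:$1$salttwo2$BBBBBBBBBBBBBBBBBBBBBB:500:500:baoshan:/home/baoshan:/bin/bash
svc_backup:x:600:600:backup:/var/backup:/sbin/nologin
locked:!!:601:601::/home/locked:/bin/bash
"""


def parse_passwd_map(text: str) -> List[Dict[str, str]]:
    """Parse passwd-format lines into dicts; lines without exactly 7 fields are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            continue
        entries.append(dict(zip(PASSWD_FIELDS, parts)))
    return entries


def classify_hash(field: str) -> str:
    """Name what the second passwd field carries, by its crypt(3) prefix."""
    if field in ("x", "*"):
        return "shadowed"        # real hash lives in a shadow file / shadow map
    if field == "":
        return "empty"           # no password at all
    if field.startswith("!"):
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"        # traditional 13-character DES crypt
    return "unknown"


def audit_passwd_map(text: str) -> List[Dict[str, str]]:
    """Return one finding per problem: exposed hash, empty password, or stray uid 0."""
    findings = []
    for entry in parse_passwd_map(text):
        kind = classify_hash(entry["hash"])
        if kind == "empty":
            findings.append({"user": entry["user"], "issue": "empty-password", "detail": kind})
        elif kind not in ("shadowed", "locked"):
            # Anyone who can run ypcat against this server can take this hash offline.
            findings.append({"user": entry["user"], "issue": "hash-exposed", "detail": kind})
        if entry["uid"] == "0" and entry["user"] != "root":
            findings.append({"user": entry["user"], "issue": "uid-0",
                             "detail": "non-root account with uid 0"})
    return findings


if __name__ == "__main__":
    for finding in audit_passwd_map(SAMPLE_PASSWD_MAP):
        print(f"{finding['issue']:15} {finding['user']:12} {finding['detail']}")
```

Run it against real output with ypcat passwd | python3 audit.py-style piping by replacing SAMPLE_PASSWD_MAP with sys.stdin.read(); on the map shown above it reports both accounts as hash-exposed (md5crypt), which is the cue to serve password hashes through a shadow map rather than the plain passwd map.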

 

On bs001:

Create the list of hosts allowed to reach the NIS server; any host not listed is refused.

cat /var/yp/securenets

Each line is a netmask followed by a host address or a network address:

255.255.255.255 192.168.217.111
255.255.255.255 192.168.217.112
255.255.255.255 192.168.217.113
255.255.255.0   192.168.217.0

The first three lines allow only the hosts .111, .112 and .113 respectively; the last line allows every host in the 192.168.217.0/24 network.

Restart to apply: service ypserv restart

If /var/yp/securenets does not exist, every host is allowed to reach the NIS server.
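To see exactly which clients the rules above admit, here is an added example (not from the original post) that evaluates a securenets file the way ypserv does: each line is a netmask and an address, a client is admitted when (client & mask) == (address & mask), and a missing file admits everyone. It also lints entries that are broader than they look. The sample file is constructed from the post's four entries; parse_securenets(), is_client_allowed() and lint_securenets() are illustrative names, not ypserv functions.

```python
"""Evaluate /var/yp/securenets as ypserv does (added example, not from the post)."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed securenets content: netmask first, then host or network address.
SAMPLE_SECURENETS = """\
# single hosts
255.255.255.255 192.168.217.111
255.255.255.255 192.168.217.112
255.255.255.255 192.168.217.113
# whole subnet
255.255.255.0   192.168.217.0
"""


def parse_securenets(text: str) -> List[Rule]:
    """Parse securenets lines into (netmask, address) pairs; malformed lines raise."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<netmask> <address>', got {raw!r}")
        mask_text, net_text = parts
        if mask_text == "host":               # ypserv shorthand for a single-host entry
            mask_text = "255.255.255.255"
        rules.append((ipaddress.IPv4Address(mask_text), ipaddress.IPv4Address(net_text)))
    return rules


def is_client_allowed(rules: List[Rule], client: str, securenets_present: bool = True) -> bool:
    """ypserv policy: no securenets file means every host is allowed; otherwise the
    client must match at least one entry after masking."""
    if not securenets_present:
        return True
    addr = int(ipaddress.IPv4Address(client))
    return any(addr & int(mask) == int(net) & int(mask) for mask, net in rules)


def lint_securenets(rules: List[Rule]) -> List[str]:
    """Flag entries that admit more than the author probably intended."""
    warnings = []
    for mask, net in rules:
        if int(mask) == 0:
            warnings.append(f"{mask} {net}: netmask 0.0.0.0 admits every host")
        elif int(net) & ~int(mask) & 0xFFFFFFFF:
            effective = ipaddress.IPv4Address(int(net) & int(mask))
            warnings.append(f"{mask} {net}: host bits set under the netmask; "
                            f"entry really means {mask} {effective}")
    return warnings


if __name__ == "__main__":
    rules = parse_securenets(SAMPLE_SECURENETS)
    for host in ("192.168.217.111", "192.168.217.200", "192.168.218.5"):
        print(host, "allowed" if is_client_allowed(rules, host) else "refused")
    print(lint_securenets(parse_securenets("0.0.0.0 0.0.0.0\n255.255.255.0 192.168.217.5\n")))
```

Note that with the post's rules the three /32 entries are redundant: the 255.255.255.0 line already admits the whole subnet, including any host that later joins 192.168.217.0/24, so an operator who wants the NIS maps restricted to the three cluster machines should drop the subnet line.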

Note: all of the operations above that were run on bs002 can equally be run on bs001, bs002 or bs003.

Configuring the Kerberos KDC

Clocks on all cluster machines must be kept in sync.

On bs002:

yum -y install krb5-server krb5-workstation

Kerberos configuration file 1:

cat /etc/krb5.conf

[libdefaults]
    # default realm
    default_realm = ZX.NICX.CN
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    ZX.NICX.CN = {
        # Kerberos server (KDC)
        kdc = bs002.zx.nicx.cn:88
        # admin server (kadmind)
        admin_server = bs002.zx.nicx.cn:749
    }

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

# kerberos members
[domain_realm]
    bs002.zx.nicx.cn = ZX.NICX.CN
    bs003.zx.nicx.cn = ZX.NICX.CN
    .zx.nicx.cn = ZX.NICX.CN

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        # added
        validate = true
    }

Copy /etc/krb5.conf to every client machine:

scp /etc/krb5.conf bs001.zx.nicx.cn:/etc

scp /etc/krb5.conf bs003.zx.nicx.cn:/etc

Kerberos configuration file 2:

cat /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    # the stanza name must match the realm created with kdb5_util below;
    # the stock file installed by krb5-server names it EXAMPLE.COM, and a
    # stanza under another name is silently ignored for this realm
    ZX.NICX.CN = {
        master_key_type = aes256-cts
        # added
        default_principal_flags = +preauth
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        # the des-* and arcfour-hmac entries are kept as in the original setup; they are deprecated enctypes
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }

Kerberos configuration file 3:

cat /var/kerberos/krb5kdc/kadm5.acl

# administrators: every */admin principal of the realm gets all privileges
*/admin@ZX.NICX.CN    *

Create the Kerberos database:

kdb5_util create -r ZX.NICX.CN -s

Loading random data

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ZX.NICX.CN',

master key name 'K/M@ZX.NICX.CN'

You will be prompted for the database Master Password.

It is important that you NOT FORGET this password.

Enter KDC database master key:

Re-enter KDC database master key to verify:

Start the Kerberos services:

[root@bs002 krb5kdc]# service krb5kdc start

Starting Kerberos 5 KDC:                                   [  OK  ]

[root@bs002 krb5kdc]# service kadmin start

Starting Kerberos 5 Admin Server:                          [  OK  ]

They listen on ports 88 and 749 respectively.

Enable both services at boot:

chkconfig krb5kdc on

chkconfig kadmin on

Then run kadmin.local to enter the Kerberos database:

[root@bs002 ~]# kadmin.local

Authenticating as principal baoshan/admin@ZX.NICX.CN with password.

kadmin.local:  listprincs

K/M@ZX.NICX.CN

kadmin/admin@ZX.NICX.CN

kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/changepw@ZX.NICX.CN

krbtgt/ZX.NICX.CN@ZX.NICX.CN

kadmin.local: 

Add a principal:

kadmin.local:  addprinc root/admin@ZX.NICX.CN

WARNING: no policy specified for root/admin@ZX.NICX.CN; defaulting to no policy

Enter password for principal "root/admin@ZX.NICX.CN":

Re-enter password for principal "root/admin@ZX.NICX.CN":

Principal "root/admin@ZX.NICX.CN" created.

Then listprincs again:

K/M@ZX.NICX.CN

kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/changepw@ZX.NICX.CN

krbtgt/ZX.NICX.CN@ZX.NICX.CN

root/admin@ZX.NICX.CN

Note: a principal is deleted with delprinc root/admin@ZX.NICX.CN

 

On bs003, connect to the admin server as root/admin:

[root@bs002 ~]# kadmin -p root/admin

Authenticating as principal root/admin with password.

Password for root/admin@ZX.NICX.CN:

kadmin:  listprincs

K/M@ZX.NICX.CN

kadmin/admin@ZX.NICX.CN

kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/changepw@ZX.NICX.CN

krbtgt/ZX.NICX.CN@ZX.NICX.CN

root/admin@ZX.NICX.CN

Configuring Kerberos application servers (AppServer)

Any service that authenticates its clients through Kerberos is called an AppServer. Examples of service principals:

    ftp server   ftp/hostname@BS001.ZX.NICX.CN
    sshd         host/hostname@BS001.ZX.NICX.CN
    telnet       host/hostname@BS001.ZX.NICX.CN
    nfs          nfs/hostname@BS001.ZX.NICX.CN

 

On bs002:

Service principals have no password: create them with -randkey and write their keys into /etc/krb5.keytab with ktadd.

kadmin.local:  addprinc -randkey host/bs002.zx.nicx.cn@ZX.NICX.CN

WARNING: no policy specified for host/bs002.zx.nicx.cn@ZX.NICX.CN; defaulting to no policy

Principal "host/bs002.zx.nicx.cn@ZX.NICX.CN" created.

kadmin.local:  listprincs

K/M@ZX.NICX.CN

host/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/admin@ZX.NICX.CN

kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/changepw@ZX.NICX.CN

krbtgt/ZX.NICX.CN@ZX.NICX.CN

root/admin@ZX.NICX.CN

kadmin.local:  ktadd -k /etc/krb5.keytab host/bs002.zx.nicx.cn@ZX.NICX.CN

Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

kadmin.local:  addprinc zzh@ZX.NICX.CN

WARNING: no policy specified for zzh@ZX.NICX.CN; defaulting to no policy

Enter password for principal "zzh@ZX.NICX.CN":

Re-enter password for principal "zzh@ZX.NICX.CN":

Principal "zzh@ZX.NICX.CN" created.

kadmin.local:  quit

[root@bs002 ~]# restorecon /etc/krb5.keytab

[root@bs002 ~]# ls -Zl /etc/krb5.keytab

-rw-------. 1 unconfined_u:object_r:krb5_keytab_t:s0 root root 436 Sep 23 07:05 /etc/krb5.keytab

 

On bs003:

[root@bs003 ~]# kadmin -p root/admin

Authenticating as principal root/admin with password.

Password for root/admin@ZX.NICX.CN:

kadmin:  listprincs

K/M@ZX.NICX.CN

host/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/admin@ZX.NICX.CN

kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/changepw@ZX.NICX.CN

krbtgt/ZX.NICX.CN@ZX.NICX.CN

root/admin@ZX.NICX.CN

zzh@ZX.NICX.CN

kadmin:  addprinc -randkey host/bs003.zx.nicx.cn@ZX.NICX.CN

WARNING: no policy specified for host/bs003.zx.nicx.cn@ZX.NICX.CN; defaulting to no policy

Principal "host/bs003.zx.nicx.cn@ZX.NICX.CN" created.

kadmin:  listprincs

K/M@ZX.NICX.CN

host/bs002.zx.nicx.cn@ZX.NICX.CN

host/bs003.zx.nicx.cn@ZX.NICX.CN

kadmin/admin@ZX.NICX.CN

kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

kadmin/changepw@ZX.NICX.CN

krbtgt/ZX.NICX.CN@ZX.NICX.CN

root/admin@ZX.NICX.CN

zzh@ZX.NICX.CN

kadmin:  ktadd -k /etc/krb5.keytab host/bs003.zx.nicx.cn@ZX.NICX.CN

Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

kadmin:  quit

 

Start the sshd service on bs001 and bs002.

 

On bs003:

[root@bs003 ~]# kinit zzh

Password for zzh@ZX.NICX.CN:

[root@bs003 ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: zzh@ZX.NICX.CN

 

Valid starting     Expires            Service principal

09/23/15 07:12:54  09/24/15 07:12:52  krbtgt/ZX.NICX.CN@ZX.NICX.CN

 

Log in to bs002.zx.nicx.cn as zzh; no password is asked for:

[root@bs003 ~]# ssh zzh@bs002.zx.nicx.cn

Could not chdir to home directory /home/zzh: No such file or directory

-bash-4.1$ hostname

bs002.zx.nicx.cn

 

Destroy the ticket, then connect to bs002.zx.nicx.cn as zzh again:

[root@bs003 ~]# kdestroy

[root@bs003 ~]# klist

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

[root@bs003 ~]# ssh zzh@bs002.zx.nicx.cn

zzh@bs002.zx.nicx.cn's password:    (a password is required this time)

 

Configure the ssh client so that logins between the machines need no password.

On bs003.zx.nicx.cn:

man ssh_config

vim /etc/ssh/ssh_config

Add: GSSAPIDelegateCredentials yes
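GSSAPIDelegateCredentials forwards the user's TGT to the server being logged into, which can then obtain tickets as that user for as long as the TGT is valid. Put under a global Host * block, as a one-line addition to /etc/ssh/ssh_config is, it hands the TGT to every host the user ever connects to, so a practitioner scopes it to the cluster's own hosts. The checker below is an added example, not code from the original post: it parses ssh_config into Host blocks, applies OpenSSH's first-match-wins rule, and reports which of a set of probe hostnames would receive delegated credentials. Both config texts are constructed; parse_ssh_config(), effective_option() and hosts_receiving_delegation() are illustrative names, not OpenSSH APIs.

```python
"""Check how widely an ssh_config delegates Kerberos credentials (added example)."""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

Block = Tuple[List[str], Dict[str, str]]

# Constructed: the post's one-line change applied under a global Host block.
GLOBAL_DELEGATION = """\
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

# Constructed: delegation limited to the cluster's own domain, denied elsewhere.
SCOPED_DELEGATION = """\
Host *.zx.nicx.cn
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""


def parse_ssh_config(text: str) -> List[Block]:
    """Split ssh_config into (host patterns, options) blocks in file order.

    Options before the first Host line apply everywhere and are kept in an
    implicit 'Host *' block. Keywords are case-insensitive and lower-cased;
    both 'Key value' and 'Key=value' forms are accepted.
    """
    blocks: List[Block] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)   # first occurrence in a block wins
    return blocks


def block_applies(patterns: List[str], hostname: str) -> bool:
    """ssh Host matching: some positive pattern must match and no '!' pattern may."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_option(blocks: List[Block], hostname: str, option: str) -> Optional[str]:
    """Return the value ssh would use: the first matching block that sets it wins."""
    for patterns, options in blocks:
        if block_applies(patterns, hostname) and option in options:
            return options[option]
    return None


def hosts_receiving_delegation(text: str, probes: List[str]) -> List[str]:
    """Among the probe hostnames, list those to which the TGT would be forwarded."""
    blocks = parse_ssh_config(text)
    return [h for h in probes
            if (effective_option(blocks, h, "gssapidelegatecredentials") or "no").lower() == "yes"]


if __name__ == "__main__":
    probes = ["bs002.zx.nicx.cn", "bs001.zx.nicx.cn", "jump.example.invalid"]
    print("global:", hosts_receiving_delegation(GLOBAL_DELEGATION, probes))
    print("scoped:", hosts_receiving_delegation(SCOPED_DELEGATION, probes))
```

The scoped variant keeps password-free logins between bs001, bs002 and bs003 exactly as the post describes, while a connection to any host outside .zx.nicx.cn still authenticates with GSSAPI but leaves the TGT on the client.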

 

Note: everything done on bs003 above can equally be deployed on bs001.

Appendix

krb5.conf

The KDC and the clients must use the same configuration.

cat /etc/krb5.conf

[libdefaults]

    default_realm = ZX.NICX.CN

    dns_lookup_realm = false

    dns_lookup_kdc = false

    ticket_lifetime = 24h

    forwardable = yes

[realms]

    ZX.NICX.CN = {

          kdc = bs002.zx.nicx.cn:88

          admin_server = bs002.zx.nicx.cn:749

    }

[logging]

    default = FILE:/var/log/krb5libs.log

    kdc = FILE:/var/log/krb5kdc.log

    admin_server = FILE:/var/log/kadmind.log

[domain_realm]
 bs002.zx.nicx.cn = ZX.NICX.CN
 bs003.zx.nicx.cn = ZX.NICX.CN
 # every mapping must name a realm that is defined in [realms]
 .zx.nicx.cn = ZX.NICX.CN

[appdefaults]

 pam = {

    debug = false

    ticket_lifetime = 36000

    renew_lifetime = 36000

    forwardable = true

    krb4_convert = false

    validate = true

 }

kdc.conf

KDC-side configuration.

cat /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 # the stanza name must match the realm created with kdb5_util;
 # the stock file installed by krb5-server names it EXAMPLE.COM
 ZX.NICX.CN = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

kadm5.acl

KDC-side configuration.

cat /var/kerberos/krb5kdc/kadm5.acl

*/admin@ZX.NICX.CN    *
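The "Kerberos configuration file 1/2/3" section above and this appendix show the same three files, and the mistakes that creep into them are quiet ones: a kdc.conf [realms] stanza left under the stock name EXAMPLE.COM is simply ignored for ZX.NICX.CN, so +preauth and supported_enctypes never apply; a [domain_realm] mapping that names a realm missing from [realms] sends clients looking for a KDC that does not exist; and an annotation appended to a setting becomes part of its value, since only lines beginning with # or ; are documented as comments. The following checker is an added example, not code from the original post or from MIT Kerberos. It parses both files with a small reader for the profile format and reports those three problems plus any DES, 3DES or RC4 enctype (deprecated by RFC 6649 and RFC 8429). The two sample configs are constructed to contain each mistake; parse_profile() and check_realm_config() are illustrative names.

```python
"""Consistency checks for krb5.conf and kdc.conf (added example, not from the post)."""
from typing import Any, Dict, Iterator, List, Tuple

# RFC 6649 deprecates single DES; RFC 8429 deprecates RC4 (arcfour) and 3DES.
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

# Constructed krb5.conf: one stray inline comment and one mapping to an undefined realm.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ZX.NICX.CN
    forwardable = yes  # added
[realms]
    ZX.NICX.CN = {
        kdc = bs002.zx.nicx.cn:88
        admin_server = bs002.zx.nicx.cn:749
    }
[domain_realm]
    bs002.zx.nicx.cn = ZX.NICX.CN
    .zx.nicx.cn = BS001.ZX.NICX.CN
"""

# Constructed kdc.conf: the realm stanza still carries the stock EXAMPLE.COM name.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.COM = {
        master_key_type = aes256-cts
        default_principal_flags = +preauth
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }
"""

Profile = Dict[str, Any]


def parse_profile(text: str) -> Profile:
    """Read the MIT profile format: [section], key = value, key = { nested }.
    Only lines starting with # or ; are comments, so trailing text stays in the value."""
    root: Profile = {}
    stack: List[Profile] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: setting outside any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return root


def _leaves(node: Profile, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted.path, value) for every string setting in a parsed profile."""
    for key, value in node.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            yield from _leaves(value, here)
        else:
            yield here, str(value)


def check_realm_config(krb5_conf: str, kdc_conf: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    krb5, kdc = parse_profile(krb5_conf), parse_profile(kdc_conf)
    findings: List[str] = []
    client_realms, kdc_realms = krb5.get("realms", {}), kdc.get("realms", {})
    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("krb5.conf: [libdefaults] has no default_realm")
    else:
        if default_realm not in client_realms:
            findings.append(f"krb5.conf: default_realm {default_realm} has no [realms] stanza")
        if default_realm not in kdc_realms:   # a stanza under another name is ignored
            findings.append(f"kdc.conf: no [realms] stanza for {default_realm} "
                            f"(found: {', '.join(kdc_realms) or 'none'})")
    for domain, realm in krb5.get("domain_realm", {}).items():
        if realm not in client_realms:
            findings.append(f"krb5.conf: [domain_realm] maps {domain} to undefined realm {realm}")
    for realm, settings in kdc_realms.items():
        enctypes = settings.get("supported_enctypes", "") if isinstance(settings, dict) else ""
        for entry in enctypes.split():
            name = entry.split(":", 1)[0]
            if name.startswith(WEAK_ENCTYPE_PREFIXES):
                findings.append(f"kdc.conf: realm {realm} offers weak/deprecated enctype {name}")
    for fname, prof in (("krb5.conf", krb5), ("kdc.conf", kdc)):
        for path, value in _leaves(prof):
            if "#" in value:
                findings.append(f"{fname}: value of {path} contains '#', likely a stray comment: {value!r}")
    return findings


if __name__ == "__main__":
    for finding in check_realm_config(SAMPLE_KRB5_CONF, SAMPLE_KDC_CONF):
        print(finding)
```

On the constructed pair it reports the missing ZX.NICX.CN stanza in kdc.conf, the mapping to BS001.ZX.NICX.CN, five deprecated enctypes and the inline comment; renaming the kdc.conf stanza to the realm created with kdb5_util clears the first finding, which is also why the configuration shown above uses ZX.NICX.CN rather than the stock name.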


Original article: http://www.cnblogs.com/zhzhang/p/4834213.html
