#yum install krb5-server krb5-libs krb5-workstation pam_krb5 -y
#vim /etc/hosts
10.22.225.212 gamekerberos.opi.com kerberos1
10.30.33.60 gamekerberos2.opi.com kerberos2
#vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/data/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GAME.OPI.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 GAME.OPI.COM = {
  kdc = gamekerberos.opi.com:88
  kdc = gamekerberos2.opi.com:88
  admin_server = gamekerberos.opi.com:749
  default_domain = opi.com
 }

[domain_realm]
 .opi.com = GAME.OPI.COM
 opi.com = GAME.OPI.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 24h
  renew_lifetime = 24h
  forwardable = true
  krb4_convert = false
 }
#vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 v4_mode = none
 #kdc_tcp_ports = 88

[realms]
 GAME.OPI.COM = {
  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  #max_life = 7d
  max_renewable_life = 7d
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
#kdb5_util create -r GAME.OPI.COM -s
将在/var/kerberos/krb5kdc/下生成很多文件
文件解释: kadm5.acl 为 kadmin 允许的用户列表, kdc.conf 为加密方式配置
#kadmin.local
#kadmin.local: add_policy -maxlife 360days -minlife 3days -minlength 8 -minclasses 3 -history 3 default
#密码有效期90天;最少使用3天;密码最小长度为8个字符,这些字符必须来自5个可用类型中3个不同的类型:小写字母、大写字母、数字、标点符号和其他;不能修改为最近3次的密码。
#kadmin.local: addprinc admin/admin
查看指定帐户信息
#kadmin.local: getprinc admin/admin
查看所有帐户信息
#kadmin.local: listprincs
#vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@GAME.OPI.COM *
admin/admin@GAME.OPI.COM *
#kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
#service krb5kdc start
#service kadmin restart
#kinit admin/admin
#yum install krb5-server krb5-libs krb5-workstation pam_krb5 -y
#scp /etc/krb5.conf kerberos2:/etc/
#cd /var/kerberos/krb5kdc/
#scp kdc.conf kadm5.acl .k5.GAME.OPI.COM kerberos2:/var/kerberos/krb5kdc/
在master服务器上
kadmin: addprinc -randkey host/gamekerberos.opi.com
#添加principal
kadmin: ktadd -k /etc/krb5.keytab host/gamekerberos.opi.com
#生成keytab文件
在slave服务器上
kadmin: addprinc -randkey host/gamekerberos2.opi.com
#添加principal
kadmin: ktadd -k /etc/krb5.keytab host/gamekerberos2.opi.com
#生成keytab文件
#vim /var/kerberos/krb5kdc/kpropd.acl
host/gamekerberos.opi.com@GAME.OPI.COM
host/gamekerberos2.opi.com@GAME.OPI.COM
#kpropd -S
查看端口号和进程, 如果存在则说明 kpropd 服务已经启动
#netstat -nalp|grep 754
#ps aux|grep kpropd
至此, slave 上的 KDC 服务还不能启动, 因为还没有 KDC 的 database 数据
#kdb5_util dump /var/kerberos/krb5kdc/slave_data
#kprop -f /var/kerberos/krb5kdc/slave_data gamekerberos2.opi.com
成功后,会出现以下信息:
Database propagation to gamekerberos2.opi.com: SUCCEEDED
from_master principal principal.ok principal.kadm5 principal.kadm5.lock
#tail -f /var/log/krb5kdc.log
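#!/bin/sh
# Propagate the master KDC database to every slave KDC.
# Run on the master (e.g. from cron). Each slave must already be running
# kpropd and be listed in kpropd.acl, otherwise kprop is rejected.
set -eu

# Slave KDCs that receive the dump, space-separated.
# NOTE: no spaces around '=' -- "kdclist = ..." would try to run a command
# named kdclist instead of assigning the variable.
kdclist="gamekerberos2.opi.com gamekerberos3.opi.com"

# One path used for both the dump and the kprop calls; a mismatch between the
# two (slave_date vs slave_data) means kprop ships a stale or missing file.
dumpfile=/var/kerberos/krb5kdc/slave_data

# The dump holds the keys of every principal in the realm: make sure the file
# is created readable by the KDC user only.
umask 077

# Abort before propagating anything if the dump itself fails (set -e).
kdb5_util dump "$dumpfile"

# $kdclist is intentionally unquoted so it word-splits into one host per loop
# turn. A failed push to one slave is reported but does not stop the others.
for kdc in $kdclist; do
  kprop -f "$dumpfile" "$kdc" || printf 'kprop to %s failed\n' "$kdc" >&2
done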
#88 kerberos
#749 admin_server
#754 kpropd
#646 kpasswd
#vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 749 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 754 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 646 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 749 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 754 -j ACCEPT
#service iptables restart
原文地址:http://www.cnblogs.com/zadaye/p/6758192.html