(一)yum方式安装
安装krb的server
步骤一:
yum install krb5-server
安装krb 的客户端
yum install krb5-workstation krb5-libs krb5-auth-dialog
(二)修改配置
修改三个配置文件
#第一个文件,修改[realms]里的kdc和admin_server所在主机,EXAMPLE.COM这个域名也应修改
vi /etc/krb5.conf
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = STARYEA.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
STARYEA.COM = {
admin_server = nn2:88
kdc = nn2:88
}
[domain_realm]
.staryea.com = STARYEA.COM
staryea.com = STARYEA.COM
vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
STARYEA.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
编辑 Kerberos 访问控制列表文件 (kadm5.acl) 文件应包含允许管理 KDC 的所有主体名称。
[root@nn2 Packages]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@STARYEA.COM *
(三)使用命令 创建 kerberos的database
kdb5_util create -s -r STARYEA.COM
重启服务
service krb5kdc restart
service kadmin start
(三) 创建 kerberos的管理员
#kadmin.local
kadmin.local: addprinc admin/admin@STARYEA.COM
WARNING: no policy specified for admin/admin@STARYEA.COM; defaulting to no policy
Enter password for principal "admin/admin@STARYEA.COM": admin123
Re-enter password for principal "admin/admin@STARYEA.COM": admin123
Principal "admin/admin@STARYEA.COM" created.
(四) 创建 kerberos的用户
#kadmin.local
addprinc -randkey it1/主机的全域名@STARYEA.COM
导出keytab
xst -k /home/it1/it1.app.keytab it1/主机的全域名@STARYEA.COM
一般使用400 权限给用户
chown it1.it1 /home/it1/it1.app.keytab
chmod 400 /home/it1/it1.app.keytab
(五)使用
su - it1
kinit -kt /home/it1/it1.app.keytab it1/主机的全域名@STARYEA.COM