• NIS & Kerberos配置


    NIS & Kerberos配置

    所需RPM包列表:

             krb5-server-1.10.3-42.el6.x86_64.rpm

             krb5-workstation-1.10.3-42.el6.x86_64.rpm

             krb5-devel-1.10.3-42.el6.x86_64.rpm

             ypserv-2.19-26.el6_4.2.x86_64.rpm

             ypbind-1.20.4-31.el6.x86_64.rpm

             yp-tools-2.9-12.el6.x86_64.rpm

    机器列表:

             192.168.217.111 bs001.zx.nicx.cn

         192.168.217.112 bs002.zx.nicx.cn

         192.168.217.113 bs003.zx.nicx.cn

         /etc/hosts 中需要进行以上配置,localhost需要带上

        127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

        ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

        注:正文中以bs00x代表bs00x.zx.nicx.cn机器

    服务角色分类

    序号

    IP

    HOST

    NIS

    KDC

    AppServer

    Client

    1

    192.168.217.111

    bs001.zx.nicx.cn

    TRUE

       

    TRUE

    2

    192.168.217.112

    bs002.zx.nicx.cn

     

    TRUE

     

    TRUE

    3

    192.168.217.113

    bs003.zx.nicx.cn

       

    TRUE

    TRUE

    配置NIS服务

    集群机器时间需要保持一致

    bs001为NIS服务器,NIS域为ZX.NICX.CN

    为了不必要的麻烦,nis域必须大写,小写的话我的kadmind进程启动失败,不知是不是巧合

    bs001上执行如下操作:

    yum -y install ypserv

    NIS依赖rpc协议,需要启动portmap服务

    service portmap restart(前提:cp /etc/init.d/rpcbind /etc/init.d/portmap)

    或者 /etc/init.d/rpcbind restart

    并且将portmap服务设为开机启动

    chkconfig portmap on

    用rpcinfo -p localhost 查看是否启动成功和本机所有的rpc服务

    也可以rpcinfo -p hostname(IP)查看对应主机的所有rpc服务

    (如果rpcinfo -p 查看其它主机的rpc服务失败,关闭防火墙)

    配置NIS domain

    tail -n 1 /etc/sysconfig/network

    NISDOMAIN=ZX.NICX.CN

    配置nisdomainname临时生效命令

    nisdomainname ZX.NICX.CN

    可以用nisdomainname命令查看本机所属的domain

    启动ypserv服务

    并且设为开机启动

    service ypserv restart

    chkconfig ypserv on

    创建NIS数据库,并且添加对应主机,如下:

    [root@bs001 ~]# /usr/lib/yp/ypinit -m

    At this point, we have to construct a list of the hosts which will run NIS

    servers.  bs001.zx.nicx.cn is in the list of NIS server hosts.  Please continue to add

    the names for the other hosts, one per line.  When you are done with the

    list, type a <control D>.

             next host to add:  bs001.zx.nicx.cn

             next host to add: 

    The current list of NIS servers looks like this:

    bs001.zx.nicx.cn

    Is this correct?  [y/n: y]  y

    We need a few minutes to build the databases...

    Building /var/yp/ZX.NICX.CN/ypservers...

    Running /var/yp/Makefile...

    gmake[1]: Entering directory `/var/yp/ZX.NICX.CN'

    Updating passwd.byname...

    Updating passwd.byuid...

    Updating group.byname...

    Updating group.bygid...

    Updating hosts.byname...

    Updating hosts.byaddr...

    Updating rpc.byname...

    Updating rpc.bynumber...

    Updating services.byname...

    Updating services.byservicename...

    Updating netid.byname...

    Updating protocols.bynumber...

    Updating protocols.byname...

    Updating mail.aliases...

    gmake[1]: Leaving directory `/var/yp/ZX.NICX.CN'

    bs001.zx.nicx.cn has been set up as a NIS master server.

    Now you can run ypinit -s bs001.zx.nicx.cn on all slave server.

    数据库的位置在/var/yp/ ZX.NICX.CN目录下

    bs002上执行如下操作

    yum -y yp-tools

    启动ypbind服务

    /etc/init.d/ypbind start

    验证NIS服务器上的账户密码

    ypcat  -d ZX.NICX.CN -h bs001.zx.nicx.cn passwd

    [root@bs002 ~]# ypcat -d ZX.NICX.CN -h bs001.zx.nicx.cn passwd

    baoshan:$1$x2LXJfgm$pyfEXYFxY9FkUfrfbNG6f0:500:500:baoshan:/home/baoshan:/bin/bash

    当然也可以验证hosts、group等信息

    bs001上执行如下操作:

    例如建立一个账户zzh

    useradd zzh

    passwd zzh

    [root@bs001 ~]# make -C /var/yp/    === cd /var/yp 然后 make

    make: Entering directory `/var/yp'

    gmake[1]: Entering directory `/var/yp/ZX.NICX.CN'

    Updating passwd.byname...

    Updating passwd.byuid...

    Updating group.byname...

    Updating group.bygid...

    Updating netid.byname...

    gmake[1]: Leaving directory `/var/yp/ZX.NICX.CN'

    make: Leaving directory `/var/yp'

    新建账户之后,务必重启ypserv服务【service ypserv restart】

    不然后续kerberos验证不通过

    bs002上执行如下操作:

    ypcat  -d ZX.NICX.CN -h bs001.zx.nicx.cn passwd

    [root@bs002 ~]# ypcat  -d ZX.NICX.CN -h bs001.zx.nicx.cn passwd

    zzh:$1$g8GlVSWY$rOFvRr0eHpQuQbdqXUCwH0:501:502::/home/zzh:/bin/bash

    baoshan:$1$x2LXJfgm$pyfEXYFxY9FkUfrfbNG6f0:500:500:baoshan:/home/baoshan:/bin/bash

    进行进一步简单化:

    设置/etc/yp.conf

    增加domain ZX.NICX.CN server bs001.zx.nicx.cn

    [root@bs002 ~]# grep ^domain /etc/yp.conf

    domain ZX.NICX.CN server bs001.zx.nicx.cn

    执行/etc/init.d/ypbind restart

    然后执行ycat passwd

    [root@bs002 ~]# /etc/init.d/ypbind start

    Starting NIS service:                                      [  OK  ]

    Binding NIS service:                                  [  OK  ]

    [root@bs002 ~]# ypcat passwd

    zzh:$1$g8GlVSWY$rOFvRr0eHpQuQbdqXUCwH0:501:502::/home/zzh:/bin/bash

    baoshan:$1$x2LXJfgm$pyfEXYFxY9FkUfrfbNG6f0:500:500:baoshan:/home/baoshan:/bin/bash

    bs001上执行如下操作:

    创建允许访问NIS服务器的主机列表,不出现在里面的不能访问NIS服务器。

    cat /var/yp/securenets

    先写掩码,再写IP或者网段,写法如下

    255.255.255.255 192.168.217.111  只允许111机器访问NIS服务器

    255.255.255.255 192.168.217.112  只允许112机器访问NIS服务器

    255.255.255.255 192.168.217.113  只允许113机器访问NIS服务器

    255.255.255.0 192.168.217.0  允许192.168.217.0网段的机器访问NIS服务器

    重启生效 service ypserv restart

    若/var/yp/securenets 不存在,则允许所有主机访问NIS服务器。

    注:以上所有在bs002上执行的操作,均可以在bs001、bs002、bs003

    配置Kerberos-KDC服务

    集群机器时间需要保持一致

    bs002上执行如下操作:

    yum -y install krb5-server krb5-workstation

    Kerberos配置文件1

    cat /etc/krb5.conf

    [libdefaults]

        default_realm = ZX.NICX.CN  #默认的领域

        dns_lookup_realm = false

        dns_lookup_kdc = false

        ticket_lifetime = 24h

        forwardable = yes

    [realms]

        ZX.NICX.CN = {

              kdc = bs002.zx.nicx.cn:88 #Kerberos服务器

              admin_server = bs002.zx.nicx.cn:749  #管理主机

        }

    [logging]

        default = FILE:/var/log/krb5libs.log

        kdc = FILE:/var/log/krb5kdc.log

        admin_server = FILE:/var/log/kadmind.log

    [domain_realm]  #kerberos members

     bs002.zx.nicx.cn = ZX.NICX.CN

     bs003.zx.nicx.cn = ZX.NICX.CN

     .zx.nicx.cn = ZX.NICX.CN

    [appdefaults]

     pam = {

        debug = false

        ticket_lifetime = 36000

        renew_lifetime = 36000

        forwardable = true

        krb4_convert = false

        validate = true  #add

     }

    将/etc/krb5.conf传输到所有的客户端服务器。

    scp /etc/krb5.conf bs001.zx.nicx.cn:/etc

    scp /etc/krb5.conf bs003.zx.nicx.cn:/etc

    Kerberos配置文件2

    cat /var/kerberos/krb5kdc/kdc.conf

    [kdcdefaults]

     kdc_ports = 88

     kdc_tcp_ports = 88

    [realms]

     EXAMPLE.COM = {

      master_key_type = aes256-cts

      default_principal_flags = +preauth  #add

      acl_file = /var/kerberos/krb5kdc/kadm5.acl

      dict_file = /usr/share/dict/words

      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

      max_renewable_life = 10d  # 涉及到是否能进行ticket的renwe必须配置。

      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

     }

    Kerberos配置文件3

    cat /var/kerberos/krb5kdc/kadm5.acl

    */admin@ZX.NICX.CN    *   #管理员

    生成Kerberos数据库

    kdb5_util create -r ZX.NICX.CN -s

    Loading random data

    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ZX.NICX.CN',

    master key name 'K/M@ZX.NICX.CN'

    You will be prompted for the database Master Password.

    It is important that you NOT FORGET this password.

    Enter KDC database master key:

    Re-enter KDC database master key to verify:

    启动Kerberos服务

    [root@bs002 krb5kdc]# service krb5kdc start

    Starting Kerberos 5 KDC:                                   [  OK  ]

    [root@bs002 krb5kdc]# service kadmin start

    Starting Kerberos 5 Admin Server:                          [  OK  ]

    端口分别为88和749

    上述两个服务设置为开机启动。

    chkconfig krb5kdc on

    chkconfig kadmin on

    之后执行kadmin.local命令进入Kerberos数据库

    [root@bs002 ~]# kadmin.local

    Authenticating as principal baoshan/admin@ZX.NICX.CN with password.

    kadmin.local:  listprincs

    K/M@ZX.NICX.CN

    kadmin/admin@ZX.NICX.CN

    kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/changepw@ZX.NICX.CN

    krbtgt/ZX.NICX.CN@ZX.NICX.CN

    kadmin.local: 

    增加一个principle:

    kadmin.local:  addprinc root/admin@ZX.NICX.CN

    WARNING: no policy specified for root/admin@ZX.NICX.CN; defaulting to no policy

    Enter password for principal "root/admin@ZX.NICX.CN":

    Re-enter password for principal "root/admin@ZX.NICX.CN":

    Principal "root/admin@ZX.NICX.CN" created.

    之后listprincs

    K/M@ZX.NICX.CN

    kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/changepw@ZX.NICX.CN

    krbtgt/ZX.NICX.CN@ZX.NICX.CN

    root/admin@ZX.NICX.CN

    注:删除账号命令delprinc root/admin@ZX.NICX.CN

    bs003上执行如下操作:

    kadmin -p root/admin

    [root@bs002 ~]# kadmin -p root/admin

    Authenticating as principal root/admin with password.

    Password for root/admin@ZX.NICX.CN:

    kadmin:  listprincs

    K/M@ZX.NICX.CN

    kadmin/admin@ZX.NICX.CN

    kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/changepw@ZX.NICX.CN

    krbtgt/ZX.NICX.CN@ZX.NICX.CN

    root/admin@ZX.NICX.CN

    配置Kerberos-AppServer服务

    凡是通过Kerberos验证的都叫AppServer

    ftp server ftp/hostname@BS001.ZX.NICX.CN

    sshd host/hostname@BS001.ZX.NICX.CN

    telnet host/hostname@BS001.ZX.NICX.CN

    nfs nfs/hostname@BS001.ZX.NICX.CN

    bs002上执行如下操作:

    服务principle没有密码,用randkey,将密码写入到/etc/krb5.keytab文件中

    kadmin.local:  addprinc -randkey host/bs002.zx.nicx.cn@ZX.NICX.CN

    WARNING: no policy specified for host/bs002.zx.nicx.cn@ZX.NICX.CN; defaulting to no policy

    Principal "host/bs002.zx.nicx.cn@ZX.NICX.CN" created.

    kadmin.local:  listprincs

    K/M@ZX.NICX.CN

    host/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/admin@ZX.NICX.CN

    kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/changepw@ZX.NICX.CN

    krbtgt/ZX.NICX.CN@ZX.NICX.CN

    root/admin@ZX.NICX.CN

    kadmin.local:  ktadd -k /etc/krb5.keytab host/bs002.zx.nicx.cn@ZX.NICX.CN

    Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs002.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

    kadmin.local:  addprinc zzh@ZX.NICX.CN

    WARNING: no policy specified for zzh@ZX.NICX.CN; defaulting to no policy

    Enter password for principal "zzh@ZX.NICX.CN":

    Re-enter password for principal "zzh@ZX.NICX.CN":

    Principal "zzh@ZX.NICX.CN" created.

    kadmin.local:  quit

    [root@bs002 ~]# restorecon /etc/krb5.keytab

    [root@bs002 ~]# ls -Zl /etc/krb5.keytab

    -rw-------. 1 unconfined_u:object_r:krb5_keytab_t:s0 root root 436 Sep 23 07:05 /etc/krb5.keytab

    bs003上执行如下操作:

    [root@bs003 ~]# kadmin -p root/admin

    Authenticating as principal root/admin with password.

    Password for root/admin@ZX.NICX.CN:

    kadmin:  listprincs

    K/M@ZX.NICX.CN

    host/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/admin@ZX.NICX.CN

    kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/changepw@ZX.NICX.CN

    krbtgt/ZX.NICX.CN@ZX.NICX.CN

    root/admin@ZX.NICX.CN

    zzh@ZX.NICX.CN

    kadmin:  addprinc -randkey host/bs003.zx.nicx.cn@ZX.NICX.CN

    WARNING: no policy specified for host/bs003.zx.nicx.cn@ZX.NICX.CN; defaulting to no policy

    Principal "host/bs003.zx.nicx.cn@ZX.NICX.CN" created.

    kadmin:  listprincs

    K/M@ZX.NICX.CN

    host/bs002.zx.nicx.cn@ZX.NICX.CN

    host/bs003.zx.nicx.cn@ZX.NICX.CN

    kadmin/admin@ZX.NICX.CN

    kadmin/bs002.zx.nicx.cn@ZX.NICX.CN

    kadmin/changepw@ZX.NICX.CN

    krbtgt/ZX.NICX.CN@ZX.NICX.CN

    root/admin@ZX.NICX.CN

    zzh@ZX.NICX.CN

    kadmin:  ktadd -k /etc/krb5.keytab host/bs003.zx.nicx.cn@ZX.NICX.CN

    Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.

    Entry for principal host/bs003.zx.nicx.cn@ZX.NICX.CN with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

    kadmin:  quit

    启动bs001和bs002上的sshd服务

    bs003上执行如下操作:

    [root@bs003 ~]# kinit zzh

    Password for zzh@ZX.NICX.CN:

    [root@bs003 ~]# klist

    Ticket cache: FILE:/tmp/krb5cc_0

    Default principal: zzh@ZX.NICX.CN

    Valid starting     Expires            Service principal

    09/23/15 07:12:54  09/24/15 07:12:52  krbtgt/ZX.NICX.CN@ZX.NICX.CN

    使用zzh账户登录bs002.zx.nicx.cn机器,不用输入密码

    [root@bs003 ~]# ssh zzh@bs002.zx.nicx.cn

    Could not chdir to home directory /home/zzh: No such file or directory

    -bash-4.1$ hostname

    bs002.zx.nicx.cn

    将key毁掉,然后用zzh重新连接bs002.zx.nicx.cn

    [root@bs003 ~]# kdestroy

    [root@bs003 ~]# klist

    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

    [root@bs003 ~]# ssh zzh@bs002.zx.nicx.cn

    zzh@bs002.zx.nicx.cn's password: 此处需要输入密码

    配置一下ssh服务器,实现互相登录不用输入密码。

    bs003.zx.nicx.cn

    man ssh_config

    vim /etc/ssh/ssh_config

    增加 GSSAPIDelegateCredentials yes

    注:上述中在bs003上的操作,可以完全部署在bs001机器上。

    部署完kerberos之后,需要在每台机器上进行网卡设置(机器数量规模小,各种角色混用,就可能不需要特定的设置nis+kerberos验证模式)

    设置成nis+kerberos的验证模式

    并且重启网卡 service network restart

    至此可以用ssh进行验证是否是nis+kerberos的验证模式了

    如果需要用主机名进行登录,例如baoshan@bs001 baoshan@bs002 baoshan@bs003,则需要更改一个配置

    /etc/ssh/sshd_config 中的 GSSAPIAuthentication yes(操作系统的默认配置,不是手贱不会改这个地方)

    当然以上是默认配置,奶奶的,之前经一同事介绍说,改了这个地方为GSSAPIAuthentication no后会使得登录变慢

    结果为了这个配置,我足足郁闷了大半个周(现象是:ssh通过用户名@主机名的形式密码能登录,就是不能无密码登录)

    原来原因在这里。。。

    服务器端启用了GSSAPI。登陆的时候客户端需要对服务器端的IP地址进行反解析,如果服务器的IP地址没有配置PTR记录,那么就容易在这里卡住了。  

    附录:

    Krb5.conf配置

    KDC服务端和客户端需要配置一致。

    cat /etc/krb5.conf

    [libdefaults]

        default_realm = ZX.NICX.CN

        dns_lookup_realm = false

        dns_lookup_kdc = false

        ticket_lifetime = 24h

        forwardable = yes

    [realms]

        ZX.NICX.CN = {

              kdc = bs002.zx.nicx.cn:88

              admin_server = bs002.zx.nicx.cn:749

        }

    [logging]

        default = FILE:/var/log/krb5libs.log

        kdc = FILE:/var/log/krb5kdc.log

        admin_server = FILE:/var/log/kadmind.log

    [domain_realm]

     bs002.zx.nicx.cn = ZX.NICX.CN

     bs003.zx.nicx.cn = ZX.NICX.CN

     .zx.nicx.cn = BS001.ZX.NICX.CN

    [appdefaults]

     pam = {

        debug = false

        ticket_lifetime = 36000

        renew_lifetime = 36000

        forwardable = true

        krb4_convert = false

        validate = true

     }

    kdc.conf配置

    KDC服务端配置

    cat /var/kerberos/krb5kdc/kdc.conf

    [kdcdefaults]

     kdc_ports = 88

     kdc_tcp_ports = 88

    [realms]

     EXAMPLE.COM = {

      master_key_type = aes256-cts

      default_principal_flags = +preauth

      acl_file = /var/kerberos/krb5kdc/kadm5.acl

      dict_file = /usr/share/dict/words

      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

     }

    Kadm5.acl

    KDC服务端配置

    cat /var/kerberos/krb5kdc/kadm5.acl

    */admin@ZX.NICX.CN    *

    =======================================================================

    踩过的坑如下:

    1. nis域一定要用大写(建议,没有得出实地验证结论,但为了保险,还是要大写)

    2. nis增加新的用户名之后,一定要重启ypserv服务,即:service ypserv restart

    3. ssh的配置。如果需要用用户名@主机名的登录形式,则需要修改/etc/ssh/sshd_config 中的 GSSAPIAuthentication yes(默认配置,一般人不会遇到,但是我就遇到了。。。)

     4. addprincipal 主机名必须是全名,不能是简称

        addprinc -randkey host/bd018.sd.nicx.cn@SD.NICX.CN
        ktadd -k /etc/krb5.keytab host/bd018.sd.nicx.cn@SD.NICX.CN

    希望对需要的网友有所帮助。。。

    吐血总结。。。

  • 相关阅读:
    0019. Remove Nth Node From End of List (M)
    0018. 4Sum (M)
    0278. First Bad Version (E)
    0273. Integer to English Words (H)
    0017. Letter Combinations of a Phone Number (M)
    0016. 3Sum Closest (M)
    0015. 3Sum (M)
    软件测试常见面试题
    如何快速掌握DDT数据驱动测试?
    selenium--三种等待方式
  • 原文地址:https://www.cnblogs.com/zhzhang/p/4834213.html
Copyright © 2020-2023  润新知