```
wget http://www.linux-pam.org/library/Linux-PAM-1.2.0.tar.gz
tar -zxvf Linux-PAM-1.2.0.tar.gz
cd Linux-PAM-1.2.0
./configure --prefix=/usr --libdir=/lib64 --disable-static --enable-shared && make && make install
```
```
$ kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc root/admin
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": root
Re-enter password for principal "root/admin@EXAMPLE.COM": root
Principal "root/admin@EXAMPLE.COM" created.
```
Create an ordinary principal:
```
kadmin.local: addprinc yibo
Enter password for principal "yibo@EXAMPLE.COM": yourpassword
Re-enter password for principal "yibo@EXAMPLE.COM": yourpassword
Principal "yibo@EXAMPLE.COM" created.
```
Note: both kadmin and kadmin.local are administrative interfaces to the KDB. The difference is that kadmin.local can only be used on the Server and requires no password, while kadmin can be used on both the Server and the Client and requires a password; naturally, the kadmin service must be running on the Server for that.
Add the KDC's hostname to the Kerberos database
```
kadmin.local: addprinc -randkey host/grape.jie.hn
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/grape.jie.hn@EXAMPLE.COM; defaulting to no policy
Principal "host/grape.jie.hn@EXAMPLE.COM" created.
```
```
kadmin.local: ktadd host/grape.jie.hn
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal host/grape.jie.hn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/grape.jie.hn with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: quit
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 host/grape.jie.hn@EXAMPLE.COM
   8 host/grape.jie.hn@EXAMPLE.COM
   8 host/grape.jie.hn@EXAMPLE.COM
   8 host/grape.jie.hn@EXAMPLE.COM
   8 host/grape.jie.hn@EXAMPLE.COM
   8 host/grape.jie.hn@EXAMPLE.COM
```
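As an added check that is not part of the original post: the keytab written by ktadd can be audited from `klist -k -e` output (the `-e` flag prints each entry's encryption type) for deprecated enctypes, since single DES, triple DES and RC4/arcfour are deprecated by RFC 6649 and RFC 8429, and for principals that carry more than one KVNO, which may indicate stale keys left over from repeated ktadd runs. The `klist` output below is a constructed sample, not the page's own listing.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -e` output (not taken from the original page).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/grape.jie.hn@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/grape.jie.hn@EXAMPLE.COM (arcfour-hmac)
   2 host/grape.jie.hn@EXAMPLE.COM (des-cbc-md5)
   8 host/grape.jie.hn@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
DEPRECATED_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp",
}

# One keytab entry line: KVNO, principal, then the enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from `klist -k -e` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text):
    """Return human-readable findings: deprecated enctypes and multi-KVNO principals."""
    findings = []
    kvnos_by_principal = defaultdict(set)
    for kvno, principal, enctype in parse_klist(text):
        kvnos_by_principal[principal].add(kvno)
        if enctype in DEPRECATED_ENCTYPES:
            findings.append(f"deprecated enctype {enctype} for {principal} (kvno {kvno})")
    for principal, kvnos in kvnos_by_principal.items():
        if len(kvnos) > 1:
            findings.append(f"{principal} has multiple KVNOs {sorted(kvnos)}; older entries are stale")
    return findings


if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE_KLIST):
        print(finding)
```

On a real host, feed it the output of `klist -k -e -t /etc/krb5.keytab` instead of the constructed sample.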
Select "[*] Use Kerberos" and choose Next; confirm that the Realm, KDC and Admin Server are correct, then select "[*] Use DNS to resolve hosts to realms" and "[*] Use DNS to locate KDCs for realms", and choose OK to save.
```
$ kdestroy
$ kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: root
kadmin: addprinc -randkey host/peach.jie.hn
NOTICE: no policy specified for host/peach.jie.hn@EXAMPLE.COM; assigning "default"
Principal "host/peach.jie.hn@EXAMPLE.COM" created.
kadmin: ktadd host/peach.jie.hn
Entry for principal host/peach.jie.hn with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/peach.jie.hn with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
```