KerberosLDAPNFSv4 HOWTO.docx
- Document ID: 28172679
- Uploaded: 2023-07-09
- Format: DOCX
- Pages: 29
- Size: 106.82KB
Kerberos/LDAP/NFSv4 HOWTO
These instructions are specific to Red Hat Enterprise Linux (RHEL), Version 4. A combination of RHEL AS (for servers) and RHEL WS (for workstations) was used. Interoperability with other clients is possible, but is not addressed here (but refer to the references below for links that may be helpful).
The goal of this document is to describe how to set up a network so that the following are attained.
∙ User authentication is done using a central Kerberos server.
∙ User information (UID/GID/home directories) is stored in an LDAP directory.
∙ NFS automount information is stored in LDAP.
∙ NFSv4 authentication using Kerberos is possible, with support for legacy NFSv3 mounts.
This document will not explain why Kerberos, LDAP or NFSv4 are good things. If you aren't convinced, then read up on the subject. If you are convinced, then read on.
Prerequisites
Time Synchronization
All machines that will participate in Kerberos authentication must have a reliable, synchronized time source. Most large organizations offer their own time sources. You can use the RHEL configuration tool system-config-time to set this up.
If the difference in time between systems varies by more than a small amount (usually five minutes), systems will not be able to authenticate.
Host Names
All hosts must have their hostname set to the fully qualified hostname as reported by DNS. Both forward and reverse mapping must work properly.
[root@phoenix ~]# hostname
phoenix.physik.unizh.ch
[root@phoenix ~]# dig phoenix.physik.unizh.ch +short
130.60.164.29
[root@phoenix ~]# dig -x 130.60.164.29 +short
phoenix.physik.unizh.ch.
The host may be referenced by a CNAME, but the official hostname (as reported by hostname) must be an 'A' record. This is important; if you don't have this set up properly then some things will work, while other things will fail mysteriously.
If the hostname does not match the reverse DNS lookup, Kerberos authentication will fail.
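The following script runs the three checks above (hostname fully qualified, forward A record, reverse PTR matching the hostname) and also catches the CNAME case the text warns about. It is an added example, not part of the original HOWTO; it assumes dig (bind-utils) is installed, and dns_consistent and check_this_host are names chosen here.

```shell
#!/bin/sh
# Added example: verify the hostname/DNS prerequisites for Kerberos (IPv4 only,
# as in the HOWTO).
#
# dns_consistent NAME FORWARD REVERSE
#   NAME    - output of `hostname`
#   FORWARD - first line of `dig NAME +short`: an address if NAME is an A record,
#             a name if NAME is a CNAME, empty if it does not resolve
#   REVERSE - first line of `dig -x ADDRESS +short` (dig prints a trailing dot)
# Returns 0 when the three agree, 1 otherwise, with the reason on stdout.
dns_consistent() {
    name="$1"; fwd="$2"; rev="${3%.}"   # strip dig's trailing dot from the PTR
    case "$name" in
        *.*) ;;
        *)   echo "FAIL: hostname '$name' is not fully qualified"; return 1 ;;
    esac
    case "$fwd" in
        "")         echo "FAIL: '$name' has no A record"; return 1 ;;
        *[!0-9.]*)  echo "FAIL: '$name' is a CNAME to '$fwd', not an A record"; return 1 ;;
    esac
    if [ "$rev" != "$name" ]; then
        echo "FAIL: reverse lookup of $fwd gives '$rev', expected '$name'"; return 1
    fi
    echo "OK: $name <-> $fwd (forward and reverse agree)"
    return 0
}

# check_this_host: run the live lookups on the machine being prepared.
check_this_host() {
    n=$(hostname)
    f=$(dig "$n" +short 2>/dev/null | head -n 1)
    r=$(dig -x "$f" +short 2>/dev/null | head -n 1)
    dns_consistent "$n" "$f" "$r"
}
```

Run check_this_host on each client and KDC before continuing; a FAIL line names the record that has to be fixed.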
Packages
Before starting, verify that the necessary RPM packages are installed. The packages required are different for a client or a server.
SPECIAL NOTE:
Red Hat Enterprise Linux 4 installed on a 64-bit processor can sometimes install the 32-bit version of packages. When verifying that the packages are correctly installed, make sure that the 64-bit version is there if you are on a 64-bit architecture. I had endless grief getting LDAP to work until I realized that the Red Hat installer had installed the 32-bit version of cyrus-sasl-gssapi on our 64-bit machine. All of the other packages were correct, or both were installed. To verify a package, use the following command.
[root@coma ~]# rpm -q --queryformat="%{n}-%{v}-%{r}.%{arch}\n" cyrus-sasl-gssapi
cyrus-sasl-gssapi-2.1.19-5.EL4.i386
[root@coma ~]# up2date --arch=x86_64 cyrus-sasl-gssapi
Fetching Obsoletes list for channel: rhel-x86_64-as-4...
Fetching rpm headers...
Installing...
1:cyrus-sasl-gssapi ########################################### [100%]
[root@coma ~]# rpm -q --queryformat="%{n}-%{v}-%{r}.%{arch}\n" cyrus-sasl-gssapi
cyrus-sasl-gssapi-2.1.19-5.EL4.i386
cyrus-sasl-gssapi-2.1.19-5.EL4.x86_64
If you are on a 32-bit architecture, then this is something that you don't need to worry about.
Client Packages
∙ krb5-libs
∙ krb5-workstation
∙ pam_krb5
∙ cyrus-sasl-gssapi
∙ openldap-clients
Server Packages (KDC and LDAP)
The server will need all of the client packages in addition to the following.
∙ krb5-server
∙ openldap-servers
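A checker that walks the client and server package lists above and confirms each package is installed for the machine's native architecture, catching the 32-bit-only case from the special note. This is an added example, not from the original HOWTO; native_installed and check_role are names chosen here, and it assumes rpm and uname are available.

```shell
#!/bin/sh
# Added example: confirm every required package exists for the native arch.
CLIENT_PKGS="krb5-libs krb5-workstation pam_krb5 cyrus-sasl-gssapi openldap-clients"
SERVER_PKGS="$CLIENT_PKGS krb5-server openldap-servers"

# native_installed ARCH QUERY_OUTPUT
# QUERY_OUTPUT is what `rpm -q --queryformat "%{n}-%{v}-%{r}.%{arch}\n" PKG`
# printed (one line per installed arch, or "package ... is not installed").
# Returns 0 if some line ends in ".ARCH", 1 otherwise.
native_installed() {
    arch="$1"; out="$2"
    printf '%s\n' "$out" | grep -q "[.]$arch\$"
}

# check_role client|server: query rpm on the live system and report gaps.
check_role() {
    case "$1" in
        client) pkgs="$CLIENT_PKGS" ;;
        server) pkgs="$SERVER_PKGS" ;;
        *) echo "usage: check_role client|server" >&2; return 2 ;;
    esac
    arch=$(uname -m)
    case "$arch" in i?86) arch=i386 ;; esac   # rpm labels 32-bit x86 as i386
    rc=0
    for p in $pkgs; do
        out=$(rpm -q --queryformat "%{n}-%{v}-%{r}.%{arch}\n" "$p" 2>/dev/null)
        if native_installed "$arch" "$out"; then
            echo "ok       $p ($arch)"
        else
            echo "MISSING  $p for $arch (have: ${out:-nothing})"
            rc=1
        fi
    done
    return $rc
}
```

A MISSING line for a package that rpm reports as installed means only the other architecture is present; install the native one with up2date --arch as shown above.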
What's in a Name?
At this point, you should have all of your machines registered in DNS under one (or more) domains. In our case, our machines are in the physik.unizh.ch domain. We also authenticate our supercomputers, which are in the zbox.physik.unizh.ch domain.
You need to choose a Kerberos realm. A Kerberos realm is completely different from a DNS domain, but in most cases you will want to use the same name. By convention, Kerberos realms are all uppercase. Our Kerberos realm is PHYSIK.UNIZH.CH. This realm serves both the physik.unizh.ch and the zbox.physik.unizh.ch DNS domains.
There is also a distinction between a Unix username and a Kerberos principal. You will be creating a Kerberos principal for every Unix username for which you want to use Kerberos authentication. In addition, you will be creating additional Kerberos principals for additional purposes (more on this later).
In this document, when I say domain, I mean a DNS domain. When I say realm, I mean a Kerberos realm. When I say username, I mean a Unix user, and when I say principal, I mean a Kerberos principal.
Kerberos
Kerberos Server (KDC)
The first step is to set up a Kerberos server (or KDC).
File Modifications
There are a number of files that have to be manually edited on the server.
Edit /etc/krb5.conf
The stock version of this file will have EXAMPLE.COM everywhere you want to put your own realm or domain name. The two sections in question are libdefaults and domain_realm. The other sections do not need to be changed. In libdefaults, enter your own Kerberos realm name. You may want to set the clock skew to a lower value (provided you are synchronizing time with NTP).
[libdefaults]
default_realm = PHYSIK.UNIZH.CH
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 120
The realms section contains the settings for each realm. We have only one realm, so it would look like the following. Note that you enter a kdc line for each KDC. You should have at least two.
[realms]
PHYSIK.UNIZH.CH = {
kdc = coma.physik.unizh.ch:88
kdc = second.physik.unizh.ch:88
admin_server = coma.physik.unizh.ch:749
default_domain = physik.unizh.ch
}
In domain_realm, enter the mapping between DNS domains and your Kerberos realm. If you are serving multiple DNS domains, you need to put them all here.
[domain_realm]
.zbox.physik.unizh.ch = PHYSIK.UNIZH.CH
zbox.physik.unizh.ch = PHYSIK.UNIZH.CH
.physik.unizh.ch = PHYSIK.UNIZH.CH
physik.unizh.ch = PHYSIK.UNIZH.CH
Finally, you may want to tweak the application defaults, for example to change the renew lifetime.
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
}
Edit /var/kerberos/krb5kdc/kdc.conf
In this file, only the realms section needs to be modified. According to this FAQ, it is important to change the key types as well. I can confirm that the settings below work perfectly in our environment. You may want to decide on appropriate values for the maximum life of each ticket, and for how long each ticket can be renewed. Reasonable values are 1 day and 1 week, but your needs will vary. The values here are the absolute maximum that the KDC will issue. Each principal has its own maximum as well.
[realms]
PHYSIK.UNIZH.CH = {
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
max_life = 25h
max_renewable_life = 4w
}
Edit /var/kerberos/krb5kdc/kadm5.acl
This file determines who can modify the Kerberos database. You need to change the realm.
*/admin@PHYSIK.UNIZH.CH *
A brief note on Kerberos users (called principals) is in order at this point. All standard users will be of the form username@REALM. When one tries to run the administration tool, it takes the current username, appends '/admin' and uses that as the principal. If there is no username/admin@REALM principal, then that user cannot modify the database.
Change /etc/gssapi_mech.conf
There is a problem with this file on 64-bit architectures. It specifies the "lib" library path instead of the "lib64" path. You can just remove the path altogether and it will work on either. This is more important on a Kerberos client, but a server can be a client as well, so you may as well change it on all machines.
# library                    initialization function
# ==========================================================
# The MIT K5 gssapi library, use special function for initialization.
libgssapi_krb5.so            mechglue_internal_krb5_init
Create the Kerberos database
Create the database with the following command.
[root@coma ~] kdb5_util create -s
This will prompt you for a password. You will only have to enter this password when you initially configure a slave KDC, so choose something large and random and store it in a secure place. Really, you may only have to enter this once more, so make it secure.
Add the first Administrative User
I do administration as root, so the first user I add is root/admin. The default realm is appended automatically, so the command to use is as follows.
[root@coma ~] kadmin.local -q "addprinc root/admin"
Enter a password when prompted. You will need this password every time you administer the database.
Starting the Services
At this point it is necessary to enable and start the Kerberos services.
[root@coma ~] chkconfig kadmin on
[root@coma ~] service kadmin start
[root@coma ~] chkconfig krb5kdc on
[root@coma ~] service krb5kdc start
To test if everything is working, run kadmin. By default, the current user appended with '/admin' is used as the principal.
[root@coma ~] kadmin
Authenticating as principal root/admin@PHYSIK.UNIZH.CH with password.
Password for root/admin@PHYSIK.UNIZH.CH:
kadmin: listprincs
K/M@PHYSIK.UNIZH.CH
kadmin/admin@PHYSIK.UNIZH.CH
kadmin/changepw@PHYSIK.UNIZH.CH
kadmin/history@PHYSIK.UNIZH.CH
krbtgt/PHYSIK.UNIZH.CH@PHYSIK.UNIZH.CH
root/admin@PHYSIK.UNIZH.CH
The additional principals have been created by the tool. They are required, so leave them be.
Create a Host Principal for the KDC
Now you will want to create a host principal for the KDC. This is required for replication (see below). You also need to add this principal to the local key table.
[root@coma ~]# kadmin
Authentic