
  • 1. Introduction
  • 2. Installing ApacheDS
  • 2.1. Run the installer script
  • 2.2. Start ApacheDS
  • 2.3. Install Apache Directory Studio
  • 2.4. Configure the connection
  • 2.5. Set up a partition
  • 2.6. Add a group
  • 3. Modify the configuration
  • 3.1. Linux user schema
  • 3.2. Add a test group
  • 3.3. Add a user
  • 3.4. Change the user's password
  • 4. LDAP user synchronization
  • 4.1. Install the LDAP client
  • 4.2. Configure the LDAP client
  • 4.3. Restart the nslcd service
  • 4.4. Verification
  • 5. Kerberos synchronization
  • 5.1. Modify the ApacheDS configuration to enable the Kerberos KDC
  • 5.2. Install the Kerberos client
  • 5.3. Edit the Kerberos configuration file
  • 5.4. Add Kerberos-authenticated users
  • 5.5. Kerberos verification
  • 5.6. Export a Kerberos keytab file
  • 5.7. Verify the keytab file
  • 6. Unifying Linux and Kerberos users
  • 7. Special thanks [帅神]


1. Introduction

  • Packages

Component                  Download URL
JDK 11                     https://mirrors.tuna.tsinghua.edu.cn/AdoptOpenJDK/11/jdk/x64/mac/
Apache Directory Studio    https://directory.apache.org/studio/downloads.html
ApacheDS                   http://directory.apache.org/apacheds/downloads.html

Baidu Netdisk:
Link: https://pan.baidu.com/s/1GkFwUOhuMBdqZY8jx1p8Kg  Extraction code: 4s3h

  • Terminology

Term   Full name            Meaning
CN     Common Name          A user name or server name; up to 80 characters; may be Chinese.
OU     Organization Unit    An organizational unit; up to four levels of nesting, each level up to 32 characters; may be Chinese.
DC     Domain Component     Domain component.

An LDAP directory is similar to a file-system directory. The DN
DC=redmond,DC=wa,DC=microsoft,DC=com
can, by analogy with a file system, be read as the path
Com\Microsoft\Wa\Redmond

For example: CN=test,OU=developer,DC=domainname,DC=com
In this DN,
 cn=test may stand for a user name, and
 ou=developer stands for an organizational unit in Active Directory.

Taken as a whole, the DN says that the object test lives in the developer organizational unit of the domainname.com domain.
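The DN structure described above can be checked mechanically. The following is an added example written for this page (it is not code from ApacheDS or Apache Directory Studio): it splits a DN into its RDNs, honouring RFC 4514 backslash escapes so that a comma inside a value is not mistaken for an RDN separator, and rebuilds both the DNS-style domain name and the file-path analogy used above. The escaped-comma DN in the usage block is a constructed input.

```python
# Added example for this page (not code from ApacheDS or Apache Directory Studio):
# split a DN into its RDNs and rebuild the file-system analogy used above.
# Handles RFC 4514 backslash escapes, so "cn=Nelson\, Horatio" keeps its comma.

def split_dn(dn):
    """Return [(attribute, value), ...] with the leftmost (most specific) RDN first."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character: take it literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))     # an unescaped comma separates RDNs
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")   # only the first '=' splits attr from value
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def domain_of(dn):
    """Join the dc components into the DNS-style domain the page describes (domainname.com)."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "dc")


def as_path(dn):
    """Render the DN root-first, like the Com\\Microsoft\\Wa\\Redmond analogy above."""
    return "\\".join(value for _, value in reversed(split_dn(dn)))


def describe(dn):
    """One-line reading of a DN in the style of the explanation above."""
    pairs = split_dn(dn)
    leaf = pairs[0]
    units = [value for attr, value in pairs if attr == "ou"]
    where = " / ".join(units) or "(no OU)"
    return f"{leaf[0]}={leaf[1]} is in OU {where} of domain {domain_of(dn)}"


if __name__ == "__main__":
    for dn in ("CN=test,OU=developer,DC=domainname,DC=com",
               "DC=redmond,DC=wa,DC=microsoft,DC=com",
               "cn=Nelson\\, Horatio,ou=Users,dc=example,dc=com"):   # constructed, escaped comma
        print(dn, "->", as_path(dn), "|", describe(dn))
```

The attribute names are lower-cased so that `CN=test` and `cn=test` compare equal, which mirrors how LDAP treats attribute types (case-insensitive); values are left untouched because their matching rules depend on the attribute.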

2. Installing ApacheDS

2.1. Run the installer script

Accept the default configuration by pressing Enter at each prompt.
My install location is /opt/apacheds-2.0.0.AM2.

[root@localhost opt]# sh apacheds-2.0.0.AM26-64bit.bin 
                   WELCOME TO THE APACHEDS INSTALLER PROGRAM
                    _                     _          ____  ____ 
                   / \   _ __   __ _  ___| |__   ___|  _ \/ ___|
                  / _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \ 
                 / ___ \| |_) | (_| | (__| | | |  __/ |_| |___) |
                /_/   \_\ .__/ \__,_|\___|_| |_|\___|____/|____/ 
                        |_|

    ApacheDS is distributed under the Apache Software License Version 2.0.
            
            Please, take some time to read the license terms below.

   [Apache License 2.0 text omitted]

Do you agree to the above license terms? [yes or no]
     yes
Unpacking the installer...
Extracting the installer...
Where do you want to install ApacheDS? [Default: /opt/apacheds-2.0.0.AM26]
/opt/apacheds-2.0.0.AM2
Where do you want to install ApacheDS instances? [Default: /var/lib/apacheds-2.0.0.AM26]

What name do you want for the default instance? [Default: default]

Where do you want to install the startup script? [Default: /etc/init.d]

Which user do you want to run the server with (if not already existing, the specified user will be created)? [Default: apacheds]

Which group do you want to run the server with (if not already existing, the specified group will be created)? [Default: apacheds]

Installing...
id: apacheds: no such user
Done.
ApacheDS has been installed successfully.

2.2. Start ApacheDS

[root@localhost apacheds-2.0.0.AM2]# pwd
/opt/apacheds-2.0.0.AM2
[root@localhost apacheds-2.0.0.AM2]# sh bin/apacheds start default
Starting ApacheDS - default...
[root@localhost apacheds-2.0.0.AM2]# jps
26149 ApacheDsTanukiWrapper
26186 Jps

2.3. Install Apache Directory Studio

Installing Apache Directory Studio is a bit of a trap: it requires JDK 11. My machine is a Mac, and at first it failed to start with an error.

Here is how I solved it:

  1. Install JDK 11 first. I downloaded it directly from
    https://mirrors.tuna.tsinghua.edu.cn/AdoptOpenJDK/11/jdk/x64/mac/ and unpacked it to:

/opt/tools/jdk-11.0.10.jdk

  2. Edit the Info.plist file with a text editor and add a property
    that points to the JDK path:

    <array>
      <string>-vm</string><string>/opt/tools/jdk-11.0.10.jdk/Contents/Home/bin/java</string>
      <string>-keyring</string>
      <string>~/.eclipse_keyring</string>
    </array>

  3. Start Apache Directory Studio

2.4. Configure the connection

  • Create a connection and fill in the connection details [note the port: 10389]
  • Click Next

Default credentials: user: uid=admin,ou=system   password: secret

  • Click Finish to save

2.5. Set up a partition

  • Open the configuration and add a custom partition
  • Click Add
  • Press Ctrl+S to save, then restart ApacheDS
[root@localhost apacheds-2.0.0.AM2]# pwd
/opt/apacheds-2.0.0.AM2
[root@localhost apacheds-2.0.0.AM2]# sh bin/apacheds restart default
Stopping ApacheDS - default...
Stopped ApacheDS - default.
Starting ApacheDS - default...

2.6. Add a group

[Screenshots: adding the group in Apache Directory Studio; not reproduced]

3. Modify the configuration

3.1. Linux user schema

  • Refresh ou=schema
  • Set m-disabled to false; after this change the posixAccount and posixGroup attributes become available.

3.2. Add a test group

  • Disconnect, reconnect and refresh
  • Add the group

[Screenshots: creating the group in Apache Directory Studio; not reproduced]

3.3. Add a user

  • Create a test.ldif file with the following contents:
dn: uid=test,ou=Group,dc=yss,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 18663
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 0
homeDirectory: /home/test
  • Select the newly created file to create the user

3.4. Change the user's password

  • Double-click the user to change the password

4. LDAP user synchronization

4.1. Install the LDAP client

  • Prerequisites
  1. Disable SELinux
[root@localhost ~]# setenforce 0
setenforce: SELinux is disabled
[root@localhost ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config 
[root@localhost ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
  2. Disable iptables
Check the firewall status:
firewall-cmd --state
Stop firewalld:
systemctl stop firewalld.service
Prevent firewalld from starting at boot:
systemctl disable firewalld.service
  3. Run the install command on each machine that needs to be synchronized

[root@localhost ~]# yum install nss-pam-ldapd openldap-clients openldap -y
已加载插件:fastestmirror
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Determining fastest mirrors
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64&infra=stock&content=altarch error was
12: Timeout on https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64&infra=stock&content=altarch: (28, 'Operation timed out after 30001 milliseconds with 0 out of 0 bytes received')


 * base: mirrors.huaweicloud.com
 * epel: mirrors.bfsu.edu.cn
 * extras: mirrors.huaweicloud.com
 * updates: mirrors.huaweicloud.com
HDP-3.1-GPL-repo-1                                       | 2.9 kB     00:00
HDP-3.1-repo-1                                           | 2.9 kB     00:00
HDP-3.1.5.0                                              | 2.9 kB     00:00
HDP-GPL-3.1.5.0                                          | 2.9 kB     00:00
HDP-UTILS-1.1.0.22                                       | 2.9 kB     00:00
HDP-UTILS-1.1.0.22-repo-1                                | 2.9 kB     00:00
ambari-2.7.5.0                                           | 2.9 kB     00:00
base                                                     | 3.6 kB     00:00
extras                                                   | 2.9 kB     00:00
nginx                                                    | 2.9 kB     00:00
updates                                                  | 2.9 kB     00:00
(1/2): updates/7/x86_64/primary_db                         | 5.7 MB   00:03
(2/2): nginx/x86_64/primary_db                             |  60 kB   00:04
软件包 openldap-2.4.44-22.el7.x86_64 已安装并且是最新版本
正在解决依赖关系
--> 正在检查事务
---> 软件包 nss-pam-ldapd.x86_64.0.0.8.13-25.el7 将被 安装
--> 正在处理依赖关系 nscd,它被软件包 nss-pam-ldapd-0.8.13-25.el7.x86_64 需要
---> 软件包 openldap-clients.x86_64.0.2.4.44-22.el7 将被 安装
--> 正在检查事务
---> 软件包 nscd.x86_64.0.2.17-323.el7_9 将被 安装
--> 解决依赖关系完成

依赖关系解决

================================================================================
 Package                架构         版本                   源             大小
================================================================================
正在安装:
 nss-pam-ldapd          x86_64       0.8.13-25.el7          base          164 k
 openldap-clients       x86_64       2.4.44-22.el7          base          191 k
为依赖而安装:
 nscd                   x86_64       2.17-323.el7_9         updates       288 k

事务概要
================================================================================
安装  2 软件包 (+1 依赖软件包)

总下载量:643 k
安装大小:1.1 M
Downloading packages:
(1/3): nss-pam-ldapd-0.8.13-25.el7.x86_64.rpm              | 164 kB   00:00
(2/3): openldap-clients-2.4.44-22.el7.x86_64.rpm           | 191 kB   00:00
(3/3): nscd-2.17-323.el7_9.x86_64.rpm                      | 288 kB   00:00
--------------------------------------------------------------------------------
总计                                               1.3 MB/s | 643 kB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : nscd-2.17-323.el7_9.x86_64                                  1/3
  正在安装    : nss-pam-ldapd-0.8.13-25.el7.x86_64                          2/3
  正在安装    : openldap-clients-2.4.44-22.el7.x86_64                       3/3
  验证中      : openldap-clients-2.4.44-22.el7.x86_64                       1/3
  验证中      : nss-pam-ldapd-0.8.13-25.el7.x86_64                          2/3
  验证中      : nscd-2.17-323.el7_9.x86_64                                  3/3

已安装:
  nss-pam-ldapd.x86_64 0:0.8.13-25.el7  openldap-clients.x86_64 0:2.4.44-22.el7

作为依赖被安装:
  nscd.x86_64 0:2.17-323.el7_9

完毕!

4.2. Configure the LDAP client

  • Point the client machine at the LDAP service; note the IP address
[root@localhost ~]# authconfig --enablemkhomedir --disableldaptls --enableldap --enableldapauth --ldapserver="192.168.101.30:10389" --ldapbasedn="dc=yss,dc=com" --update

getsebool:  SELinux is disabled
[root@localhost ~]#
  • This command modifies /etc/nsswitch.conf and /etc/openldap/ldap.conf (and, as its own header shows, /etc/pam.d/system-auth). The resulting files:
  1. /etc/nsswitch.conf
[root@localhost ~]# cat /etc/nsswitch.conf  |egrep -v "^#|^$"
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus
[root@localhost ~]#
  2. /etc/pam.d/system-auth
[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
  3. /etc/sysconfig/authconfig
[root@localhost ~]# more /etc/sysconfig/authconfig

USELDAP=yes
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USESHADOW=yes
....
  4. /etc/ssh/sshd_config
[root@localhost ~]# cat /etc/ssh/sshd_config | grep UsePAM
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
UsePAM yes
[root@localhost ~]#

4.3. Restart the nslcd service

[root@localhost ~]# systemctl restart nslcd
[root@localhost ~]# systemctl restart sshd

4.4. Verification

Create a test02.ldif file:

dn: uid=test02,ou=Group,dc=yss,dc=com
uid: test02
cn: test02
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}!!
shadowLastChange: 18663
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 6666
gidNumber: 666
homeDirectory: /home/test02

Things to note:

  1. uid and cn are normally the same
  2. uidNumber is the user's numeric id; this must be changed to an id that is not already in use
  3. loginShell: the default /bin/bash is fine
  4. gidNumber is the numeric id of the user's primary group
  5. homeDirectory: the user's home directory

Then switch to the user with su:

[root@localhost home]# su -l test02
创建目录 '/home/test02'。
上一次登录:三 3月 17 15:29:57 CST 2021pts/3 上
[test02@localhost ~]$ pwd
/home/test02
[test02@localhost ~]$ id
uid=6666(test02) gid=0(root) 组=0(root)
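The notes above can be turned into an automatic check before an LDIF file is imported. The following added example (written for this page, not a tool from the original post) parses LDIF, including the `::` form that marks a base64-encoded value (base64 is an encoding, not protection: the sman userPassword from section 6 decodes straight back to its {SSHA} hash string), and then applies the rules: uid equals cn, the posix attributes are present, uidNumber is neither taken by a local account in /etc/passwd nor duplicated within the file, and gidNumber 0 would place the user in the root group, as the `id` output above shows. The sample LDIF and the /etc/passwd excerpt are constructed from the entries shown on this page; the local user alice at uid 1000 is made up to show the collision with the test entry from section 3.3.

```python
import base64

# Constructed sample built from the entries shown on this page; not a file from
# the original post. The sman entry is trimmed to the attributes checked below.
SAMPLE_LDIF = """\
dn: uid=test,ou=Group,dc=yss,dc=com
uid: test
cn: test
objectClass: posixAccount
uidNumber: 1000
gidNumber: 0
homeDirectory: /home/test
loginShell: /bin/bash

dn: uid=test02,ou=Group,dc=yss,dc=com
uid: test02
cn: test02
objectClass: posixAccount
uidNumber: 6666
gidNumber: 666
homeDirectory: /home/test02
loginShell: /bin/bash

dn: uid=sman,ou=Users,dc=example,dc=com
uid: sman
cn: sman
objectClass: posixAccount
uidNumber: 6668
gidNumber: 666
homeDirectory: /home/sman
loginShell: /bin/bash
userPassword:: e1NTSEF9eG5LRUJMNVljNTA4amtkQ3NBLzA2NW1QU3ltOEFVMS9KUjVOclE9PQ==
"""

# Constructed /etc/passwd excerpt: the local account "alice" already owns uid 1000.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apacheds:x:995:993::/opt/apacheds:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attribute(lowercase) -> [values].
    'attr:: value' is base64 (RFC 2849); a line starting with a space continues
    the previous line; '#' lines are comments."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:          # sentinel flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw == "":
            if lines:
                entries.append(_parse_entry(lines))
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries


def _parse_entry(lines):
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # '::' means base64, not encryption
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def local_uids(passwd_text):
    """Map numeric uid -> login name from /etc/passwd-style text."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids[int(fields[2])] = fields[0]
    return uids


def check_accounts(ldif_text, passwd_text):
    """Apply the notes above to every posixAccount entry; return {dn: [problems]}."""
    taken, seen, report = local_uids(passwd_text), {}, {}
    for e in parse_ldif(ldif_text):
        if "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        dn, problems = e["dn"][0], []
        uid, cn = e.get("uid", [""])[0], e.get("cn", [""])[0]
        if uid != cn:
            problems.append(f"uid '{uid}' differs from cn '{cn}'")
        for attr in ("uidnumber", "gidnumber", "homedirectory", "loginshell"):
            if attr not in e:
                problems.append(f"missing {attr}")
        raw = e.get("uidnumber", [""])[0]
        if raw.isdigit():
            n = int(raw)
            if n in taken:
                problems.append(f"uidNumber {n} already used by local user '{taken[n]}'")
            if n in seen:
                problems.append(f"uidNumber {n} duplicated in LDIF by {seen[n]}")
            seen.setdefault(n, dn)
        if e.get("gidnumber", [""])[0] == "0":
            problems.append("gidNumber 0 puts the user in the root group")
        report[dn] = problems
    return report


if __name__ == "__main__":
    for dn, problems in check_accounts(SAMPLE_LDIF, SAMPLE_PASSWD).items():
        print(dn, "->", problems or "ok")
```

Run against the real files by reading the LDIF and the client's /etc/passwd into the two arguments; the uidNumber collision check only sees local accounts, so on a host that already resolves users through LDAP the comparison should be made against `getent passwd` output instead.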

5. Kerberos synchronization

5.1. Modify the ApacheDS configuration to enable the Kerberos KDC

  • Select the server, right-click, and choose Open Configuration.
  • On the configuration page tick Enable Kerberos Server and Enable Kerberos Change Password Server, then press Control+S to save.

Restart ApacheDS for the change to take effect.

[root@localhost apacheds-2.0.0.AM2]# sh bin/apacheds restart default
Stopping ApacheDS - default...
Stopped ApacheDS - default.
Starting ApacheDS - default...
[root@localhost apacheds-2.0.0.AM2]#

5.2. Install the Kerberos client

  • Install the Kerberos client packages

yum install krb5-workstation krb5-libs krb5-auth-dialog -y

5.3. Edit the Kerberos configuration file

  • Edit /etc/krb5.conf and set the KDC address

vi /etc/krb5.conf

[Screenshot: the edited /etc/krb5.conf; not reproduced]

5.4. Add Kerberos-authenticated users

Import kdc-data.ldif into LDAP; the file contents are:

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
objectClass: top
dc: example
o: example.com

dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=krbtgt,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0

dn: uid=ldap,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: randall
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0
  • In Apache Directory Studio, right-click the connection -> Import -> LDIF Import and select the file.
  • Import succeeded

5.5. Kerberos verification

# Enter the password; the file specifies secret
[root@localhost apacheds-2.0.0.AM2]# kinit hnelson
Password for hnelson@EXAMPLE.COM:
# View the ticket
[root@localhost apacheds-2.0.0.AM2]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@EXAMPLE.COM

Valid starting       Expires              Service principal
2021-03-17T16:19:26  2021-03-18T16:19:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2021-03-24T16:19:12

5.6. Export a Kerberos keytab file

Export the keytab file with ktutil:

[root@localhost apacheds-2.0.0.AM2]# ktutil
ktutil:  add_entry -password -p hnelson@EXAMPLE.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for hnelson@EXAMPLE.COM:
ktutil:  wkt /opt/hnelson.keytab
ktutil:  q
[root@localhost apacheds-2.0.0.AM2]#

add_entry adds a key for each encryption type; wkt then writes the keys to the keytab file.

5.7. Verify the keytab file

[root@localhost apacheds-2.0.0.AM2]#  kinit -kt  /opt/hnelson.keytab hnelson
[root@localhost apacheds-2.0.0.AM2]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: hnelson@EXAMPLE.COM

Valid starting       Expires              Service principal
2021-03-17T16:31:43  2021-03-18T16:31:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2021-03-24T16:31:38
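kinit -kt proves the keytab works against the live KDC; it is also useful to inspect what ktutil wrote without contacting anything. The following added example (written for this page; it is not part of ktutil, MIT Kerberos or ApacheDS) parses the MIT keytab format: the 0x0502 header, then one length-prefixed record per key holding the realm, the principal components, a name type, a timestamp, an 8-bit key version number, the enctype and the key, optionally followed by a 32-bit key version number. build_keytab is a constructed writer that produces the same layout so the parser can be exercised offline with placeholder key bytes (all zeros; no real key material). The principal hnelson@EXAMPLE.COM, kvno 1 and enctype aes128-cts-hmac-sha1-96 are the values from the ktutil session above; the ldap/localhost principal comes from kdc-data.ldif. read_keytab reports the key length but never the key bytes, and kvno_mismatches compares the keytab's version numbers with the krb5KeyVersionNumber values taken from the directory entries.

```python
import struct
import time

# Enctype numbers from the Kerberos registry; 17 is the one used with ktutil above.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def build_keytab(entries):
    """Constructed writer: MIT keytab (version 0x0502) from
    (principal, kvno, enctype, key_bytes) tuples. Only used to produce test input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        rec = bytearray()
        rec += struct.pack(">H", len(comps))          # component count (realm not counted in v2)
        for s in [realm] + comps:                     # realm first, then each component
            rec += struct.pack(">H", len(s)) + s.encode()
        rec += struct.pack(">I", 1)                   # name type: KRB5_NT_PRINCIPAL
        rec += struct.pack(">I", int(time.time()))    # timestamp
        rec += struct.pack(">B", kvno & 0xFF)         # 8-bit key version number
        rec += struct.pack(">HH", enctype, len(key)) + key
        rec += struct.pack(">I", kvno)                # trailing 32-bit key version number
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def read_keytab(data):
    """Parse a keytab; return a list of dicts describing each key. Raw key bytes
    are deliberately not returned, only their length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        p = 0
        (ncomp,) = struct.unpack_from(">H", rec, p)
        p += 2
        strings = []
        for _ in range(ncomp + 1):                    # realm + components
            (n,) = struct.unpack_from(">H", rec, p)
            p += 2
            strings.append(rec[p:p + n].decode())
            p += n
        realm, comps = strings[0], strings[1:]
        p += 4                                        # name type, not needed here
        (ts,) = struct.unpack_from(">I", rec, p)
        p += 4
        (vno8,) = struct.unpack_from(">B", rec, p)
        p += 1
        enctype, klen = struct.unpack_from(">HH", rec, p)
        p += 4 + klen                                 # skip over the key bytes
        kvno = vno8
        if p + 4 <= len(rec):                         # newer keytabs carry a full 32-bit kvno
            (kvno,) = struct.unpack_from(">I", rec, p)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": klen, "timestamp": ts})
    return entries


def kvno_mismatches(entries, directory_kvnos):
    """(principal, keytab kvno, directory kvno) for every principal whose keytab
    version differs from the krb5KeyVersionNumber recorded in the directory."""
    return [(e["principal"], e["kvno"], directory_kvnos[e["principal"]])
            for e in entries
            if e["principal"] in directory_kvnos and e["kvno"] != directory_kvnos[e["principal"]]]


if __name__ == "__main__":
    # Placeholder keys (zeros), constructed for the demonstration only.
    kt = build_keytab([("hnelson@EXAMPLE.COM", 1, 17, bytes(16)),
                       ("ldap/localhost@EXAMPLE.COM", 0, 18, bytes(32))])
    for e in read_keytab(kt):
        print(e)
    print(kvno_mismatches(read_keytab(kt), {"hnelson@EXAMPLE.COM": 0}))
```

To inspect a real file, pass `open("/opt/hnelson.keytab", "rb").read()` to read_keytab. After a password change the KDC holds a new key version, so a keytab whose kvno no longer matches the directory's krb5KeyVersionNumber has to be exported again.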

6. Unifying Linux and Kerberos users

  1. LDIF for the sman user
  • Note: it must be in the same realm as the Kerberos authentication.
dn: uid=sman,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: sman
gidNumber: 666
homeDirectory: /home/sman
krb5KeyVersionNumber: 1
krb5PrincipalName: sman@EXAMPLE.COM
sn: sman
uid: sman
uidNumber: 6668
krb5Key:: MBGgAwIBA6EKBAgs3IwczpIjCA==
krb5Key:: MBmgAwIBEaESBBDZ4KQ8CUaBfkx/xz+Mo6nf
krb5Key:: MBmgAwIBF6ESBBA+wfd6dpePW9BH3npNz4gx
krb5Key:: MCGgAwIBEKEaBBhMSqjaSWQWy4yiAaQq6lgVdvhu1jjaFtM=
loginShell: /bin/bash
shadowLastChange: 18663
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
userPassword:: e1NTSEF9eG5LRUJMNVljNTA4amtkQ3NBLzA2NW1QU3ltOEFVMS9KUjVOclE9PQ==
  2. Import it directly.
  3. View sman
  4. Change the password
  5. Verification
[root@localhost conf]# su -l sman
创建目录 '/home/sman'。
[sman@localhost ~]$
[root@localhost ~]# kinit sman
Password for sman@EXAMPLE.COM:
[root@localhost ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_CwJLBLC
Default principal: sman@EXAMPLE.COM

Valid starting       Expires              Service principal
2021-03-17T17:28:23  2021-03-18T17:28:16  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 2021-03-24T17:28:16