Next: NFS Server Setup   Up: Network File System, NFS   Previous: NFS Introduction   Contents

Kerberos KDC

  1. This section is outside the course scope, but the practice system must have a Kerberos keytab before the exercises can be done: the server side has to generate the keytab used for NFS Kerberos authentication first. This section walks through that generation; students may produce their own keytab the same way. In the actual test you only need to download the keytab from the given URL and save it as /etc/krb5.keytab.
  2. Kerberos is an authentication protocol developed at MIT in the 1980s. A client uses a principal (its Kerberos identity, roughly a login name) to contact the KDC (Key Distribution Center) and obtain a ticket. While the ticket is valid, the client can access services without authenticating again.
  3. The Kerberos client (here kvm7.deyu.wang) and the KDC server (here kvm5.deyu.wang) must belong to the same realm (conventionally the domain name in upper case, here DEYU.WANG).
  4. Before starting, synchronise the clock with NTP (Kerberos rejects requests whose timestamp is off by more than the clockskew, 300 seconds by default in MIT krb5) and make sure host-name resolution works. Without DNS, the name-to-address mapping can be put in /etc/hosts. In this exercise environment, however, such an entry breaks HTTPS client authentication, and DNS must be working during the actual exercise anyway, so the mapping is not needed.
    [root@kvm5 ~]# vim /etc/hosts
    [root@kvm5 ~]# tail -2 /etc/hosts
    192.168.122.5 kvm5.deyu.wang
    192.168.122.7 kvm7.deyu.wang
    
  5. Install the required packages.
    [root@kvm5 ~]# yum install -y krb5-server krb5-workstation pam_krb5
    
  6. Edit /var/kerberos/krb5kdc/kdc.conf: replace EXAMPLE.COM with DEYU.WANG, uncomment master_key_type = aes256-cts, and add default_principal_flags = +preauth so that every principal created in this realm requires pre-authentication. default_principal_flags is a per-realm relation and only takes effect inside the DEYU.WANG = { ... } block; a line placed directly under [realms] sits outside every realm block and the KDC never reads it, so the sed below inserts it right after the realm's opening line. Note that sed 's/#//g' strips every '#' in the file (in the stock CentOS 7 file only the master_key_type line is commented). While editing, consider trimming supported_enctypes to aes256-cts:normal aes128-cts:normal: the stock list also contains DES, 3DES and RC4 types, and every one of them ends up as a key in the keytabs generated below.
    [root@kvm5 ~]# vim /var/kerberos/krb5kdc/kdc.conf
    [root@kvm5 ~]# sed -i 's/EXAMPLE.COM/DEYU.WANG/g' /var/kerberos/krb5kdc/kdc.conf 
    [root@kvm5 ~]# sed -i 's/#//g' /var/kerberos/krb5kdc/kdc.conf
    [root@kvm5 ~]# sed -i 's/^\( DEYU.WANG = {\)$/\1\n  default_principal_flags = +preauth/' \
    /var/kerberos/krb5kdc/kdc.conf
    [root@kvm5 ~]# grep 'DEYU' -A3 -B1 /var/kerberos/krb5kdc/kdc.conf
    [realms]
     DEYU.WANG = {
      default_principal_flags = +preauth
      master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
    
  7. In /etc/krb5.conf remove the comment markers, replace EXAMPLE.COM with DEYU.WANG, example.com with deyu.wang, and kerberos.example.com with the KDC server (here kvm5.deyu.wang). Check the result by hand: sed 's/#//g' blindly strips every '#', and in newer CentOS 7 releases the file starts with a comment line above includedir that would be left behind as a stray non-config line; delete any such line. Two settings in the result matter for NFS: dns_lookup_realm = false means the realm comes from this file rather than DNS TXT records, and rdns = false stops the library from reverse-resolving the server address before building the service principal name, so the host name you mount by must match the nfs/ principal exactly.
    [root@kvm5 ~]# vim /etc/krb5.conf 
    [root@kvm5 ~]# sed -i 's/EXAMPLE.COM/DEYU.WANG/g' /etc/krb5.conf
    [root@kvm5 ~]# sed -i 's/#//g' /etc/krb5.conf
    [root@kvm5 ~]# sed -i 's/example.com/deyu.wang/g' /etc/krb5.conf
    [root@kvm5 ~]# sed -i 's/kerberos\(.deyu.wang\)/kvm5\1/g' /etc/krb5.conf
    [root@kvm5 ~]# cat /etc/krb5.conf 
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = DEYU.WANG
     default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
     DEYU.WANG = {
      kdc = kvm5.deyu.wang
      admin_server = kvm5.deyu.wang
     }
    
    [domain_realm]
     .deyu.wang = DEYU.WANG
     deyu.wang = DEYU.WANG
    
  8. Edit /var/kerberos/krb5kdc/kadm5.acl and replace EXAMPLE.COM with your own realm DEYU.WANG. The resulting rule grants every principal whose instance is admin (such as root/admin@DEYU.WANG) full rights over the database through kadmind.
    [root@kvm5 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
    [root@kvm5 ~]# sed -i 's/EXAMPLE.COM/DEYU.WANG/g' /var/kerberos/krb5kdc/kadm5.acl
    [root@kvm5 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
    */admin@DEYU.WANG	*
    
  9. If an old Kerberos database exists, destroy it completely first (this removes every principal together with the master key).
    [root@kvm5 ~]# kdb5_util destroy -f
    ** Database '/var/kerberos/krb5kdc/principal' destroyed.
    
  10. Any old principals and their stale keytab entries must be removed, otherwise authentication fails: a keytab entry whose key or kvno no longer matches the KDC's copy of the principal is useless. The delete_principal lines apply when you keep an existing database; after kdb5_util destroy in the previous step there is nothing left to delete and only the ktremove lines are relevant.
    [root@kvm5 ~]# kadmin.local -q 'delete_principal -force nfs/kvm5.deyu.wang@DEYU.WANG'
    [root@kvm5 ~]# kadmin.local -q 'delete_principal -force nfs/kvm7.deyu.wang@DEYU.WANG'
    [root@kvm5 ~]# kadmin.local -q 'ktremove -k /etc/krb5.keytab nfs/kvm5.deyu.wang@DEYU.WANG'
    [root@kvm5 ~]# kadmin.local -q 'ktremove -k /etc/kvm7.keytab nfs/kvm7.deyu.wang@DEYU.WANG'
    
  11. Create the Kerberos database. On a freshly installed VM this may sit for a long time at Loading random data with no further output; interrupt it with Ctrl+C.
    [root@kvm5 ~]# kdb5_util create -s -r DEYU.WANG
    Loading random data
    ^C
    
  12. If it keeps hanging at Loading random data, the kernel's blocking entropy pool behind /dev/random is too shallow: kdb5_util reads the random material for the master key from /dev/random, and a fresh VM without a hardware RNG collects entropy very slowly (check /proc/sys/kernel/random/entropy_avail). This is an entropy shortage, not a CentOS 7 requirement to use /dev/urandom. The workaround below turns /dev/random into a symlink to /dev/urandom. It unblocks kdb5_util, but it silently changes the behaviour of every program on the host that reads /dev/random, and it does not survive a reboot because /dev is recreated by devtmpfs. The cleaner fix is to feed the pool instead: yum install rng-tools and systemctl start rngd (give the VM a virtio-rng device), or install haveged, and then re-run kdb5_util create.
    [root@kvm5 ~]# mv /dev/random /dev/xrandom
    [root@kvm5 ~]# ln -s /dev/urandom /dev/random
    [root@kvm5 ~]# ll /dev/urandom /dev/random
    lrwxrwxrwx. 1 root root   12 Aug  9 20:59 /dev/random -> /dev/urandom
    crw-rw-rw-. 1 root root 1, 9 Aug  9 07:37 /dev/urandom
    
  13. The Kerberos database is created successfully. The -s option also writes a stash file (/var/kerberos/krb5kdc/.k5.DEYU.WANG) so the KDC can start without prompting for the master password; protect it like the database itself.
    [root@kvm5 ~]# kdb5_util create -s -r DEYU.WANG
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'DEYU.WANG',
    master key name 'K/M@DEYU.WANG'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: 
    Re-enter KDC database master key to verify:
    
  14. Enable the Kerberos services at boot.
    [root@kvm5 ~]# systemctl enable krb5kdc.service kadmin.service
    
  15. Start the Kerberos services (krb5kdc listens on port 88, kadmind on port 749).
    [root@kvm5 ~]# systemctl start krb5kdc.service kadmin.service
    
  16. Run the Kerberos administration tool. kadmin.local works directly on the database files as root and needs neither an admin principal nor a password.
    [root@kvm5 ~]# kadmin.local 
    Authenticating as principal root/admin@DEYU.WANG with password.
    kadmin.local:
    
  17. Create the administrator principal root/admin. It matches the */admin rule in kadm5.acl and is what you authenticate as when using the network kadmin client; if every keytab is generated locally with kadmin.local, this step can be skipped.
    kadmin.local:  addprinc root/admin
    WARNING: no policy specified for root/admin@DEYU.WANG; defaulting to no policy
    Enter password for principal "root/admin@DEYU.WANG": 
    Re-enter password for principal "root/admin@DEYU.WANG": 
    Principal "root/admin@DEYU.WANG" created.
    
  18. Create the NFS service principal nfs/kvm5.deyu.wang. A service principal never logs in with a password, so -randkey is the better choice than -pw with a weak password; in practice the ktadd step below randomises the key anyway (which is why the keytab entries show kvno 2), so the password given here is never usable.
    [root@kvm5 ~]# kadmin.local -q "addprinc -pw 123qwe nfs/kvm5.deyu.wang"
    Authenticating as principal nfs/admin@DEYU.WANG with password.
    WARNING: no policy specified for nfs/kvm5.deyu.wang@DEYU.WANG; defaulting to no policy
    Principal "nfs/kvm5.deyu.wang@DEYU.WANG" created.
    
  19. Create the NFS service principal nfs/kvm7.deyu.wang for the client in the same way.
    [root@kvm5 ~]# kadmin.local -q "addprinc -pw 123qwe nfs/kvm7.deyu.wang"
    Authenticating as principal nfs/admin@DEYU.WANG with password.
    WARNING: no policy specified for nfs/kvm7.deyu.wang@DEYU.WANG; defaulting to no policy
    Principal "nfs/kvm7.deyu.wang@DEYU.WANG" created.
    
  20. Export the key of nfs/kvm5.deyu.wang into /etc/kvm5.keytab with ktadd -k (without -k, ktadd writes to /etc/krb5.keytab). This file is offered for download during the exercise. ktadd generates a new random key for the principal, raises its kvno, and writes one entry per enctype in supported_enctypes; the DES and RC4 entries below exist only because the stock kdc.conf still lists those types.
    [root@kvm5 ~]# kadmin.local -q 'ktadd -k /etc/kvm5.keytab nfs/kvm5.deyu.wang@DEYU.WANG'
    Authenticating as principal nfs/admin@DEYU.WANG with password.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/kvm5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/kvm5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     des3-cbc-sha1 added to keytab WRFILE:/etc/kvm5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     arcfour-hmac added to keytab WRFILE:/etc/kvm5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     camellia256-cts-cmac added to keytab WRFILE:/etc/kvm5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     camellia128-cts-cmac added to keytab WRFILE:/etc/kvm5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     des-hmac-sha1 added to keytab WRFILE:/etc/kvm5.keytab.
    Entry for principal nfs/kvm5.deyu.wang@DEYU.WANG with kvno 2, encryption type
     des-cbc-md5 added to keytab WRFILE:/etc/kvm5.keytab.
    
  21. Export the key of nfs/kvm7.deyu.wang the same way into /etc/kvm7.keytab. During the exercise the client kvm7 downloads this file and saves it as /etc/krb5.keytab.
    [root@kvm5 ~]# kadmin.local -q 'ktadd -k /etc/kvm7.keytab nfs/kvm7.deyu.wang@DEYU.WANG'
    Authenticating as principal nfs/admin@DEYU.WANG with password.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     des3-cbc-sha1 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     arcfour-hmac added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     camellia256-cts-cmac added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     camellia128-cts-cmac added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     des-hmac-sha1 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal nfs/kvm7.deyu.wang@DEYU.WANG with kvno 2, encryption type
     des-cbc-md5 added to keytab WRFILE:/etc/kvm7.keytab.
    
  22. Check /etc/kvm5.keytab: it holds a single principal, with one entry per enctype, all at kvno 2.
    [root@kvm5 ~]# klist -kte /etc/kvm5.keytab
    Keytab name: FILE:/etc/kvm5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (arcfour-hmac) 
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       2 12/04/2015 21:04:28 nfs/kvm5.deyu.wang@DEYU.WANG (des-cbc-md5)
    
  23. Check /etc/kvm7.keytab: likewise a single principal.
    [root@kvm5 ~]# klist -kte /etc/kvm7.keytab
    Keytab name: FILE:/etc/kvm7.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (arcfour-hmac) 
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       2 12/04/2015 21:04:31 nfs/kvm7.deyu.wang@DEYU.WANG (des-cbc-md5)
    
  24. Check that /etc/krb5.keytab (the NFS server's own keytab, written by an earlier ktadd without -k) exists. A keytab is equivalent to the principal's password: it must stay mode 0600 and owned by root, as shown.
    [root@kvm5 ~]# ll /etc/krb5.keytab 
    -rw-------. 1 root root 562 Sep  4 11:56 /etc/krb5.keytab
    
  25. Because user deyu3 must be able to write to the securely mounted NFS directory, add the user principal deyu3@DEYU.WANG.
    [root@kvm5 ~]# kadmin.local -q "addprinc -pw 123qwe deyu3@DEYU.WANG"
    Authenticating as principal nfs/admin@DEYU.WANG with password.
    WARNING: no policy specified for deyu3@DEYU.WANG; defaulting to no policy
    Principal "deyu3@DEYU.WANG" created.
    
  26. Append the deyu3@DEYU.WANG principal to /etc/kvm7.keytab so that kvm7.deyu.wang can download it. Be aware of what this does: ktadd replaces deyu3's key with a random one (kvno 3), so the password 123qwe no longer works for kinit deyu3, and the user's credential now lives in a keytab on the client; anyone who can read that file can become deyu3 with kinit -kt /etc/krb5.keytab deyu3. In a production setup the user would obtain a ticket with a password (or through pam_krb5 at login) and the host keytab would hold only the nfs/ principal.
    [root@kvm5 ~]# kadmin.local -q 'ktadd -k /etc/kvm7.keytab deyu3@DEYU.WANG'
    Authenticating as principal nfs/admin@DEYU.WANG with password.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/kvm7.keytab.
    Entry for principal deyu3@DEYU.WANG with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/etc/kvm7.keytab.
    
  27. Check /etc/kvm7.keytab: besides nfs/kvm7.deyu.wang it now also contains deyu3, at kvno 3.
    [root@kvm5 ~]# klist -kte /etc/kvm7.keytab 
    Keytab name: FILE:/etc/kvm7.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (des3-cbc-sha1) 
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (arcfour-hmac) 
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (camellia256-cts-cmac) 
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (camellia128-cts-cmac) 
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (des-hmac-sha1) 
       2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (des-cbc-md5) 
       3 12/14/2015 19:30:37 deyu3@DEYU.WANG (aes256-cts-hmac-sha1-96) 
       3 12/14/2015 19:30:37 deyu3@DEYU.WANG (aes128-cts-hmac-sha1-96) 
       3 12/14/2015 19:30:38 deyu3@DEYU.WANG (des3-cbc-sha1) 
       3 12/14/2015 19:30:38 deyu3@DEYU.WANG (arcfour-hmac) 
       3 12/14/2015 19:30:38 deyu3@DEYU.WANG (camellia256-cts-cmac) 
       3 12/14/2015 19:30:38 deyu3@DEYU.WANG (camellia128-cts-cmac) 
       3 12/14/2015 19:30:38 deyu3@DEYU.WANG (des-hmac-sha1) 
       3 12/14/2015 19:30:38 deyu3@DEYU.WANG (des-cbc-md5)
    
  28. The principals created with kadmin (including nfs/kvm5.deyu.wang@DEYU.WANG) live in the file principal under /var/kerberos/krb5kdc. ktadd nfs/kvm5.deyu.wang without a file name writes the key into /etc/krb5.keytab automatically. kadmin.local can equally run ktadd -k /root/krb5.keytab nfs/kvm7.deyu.wang to produce the krb5.keytab for the NFS client kvm7, which is then copied to /etc on kvm7. For a Kerberos NFS mount to succeed, these three files (the KDC database, the server keytab and the client keytab) must stay matched if they are moved to other machines: every keytab entry must carry the same key and kvno as the KDC's copy of that principal, and any addprinc or ktadd re-run on the KDC changes the key and bumps the kvno, so a keytab already handed out stops working. Therefore, although ready-made krb5.keytab files for the NFS server and client are offered for download, the NFS server must still have krb5-server installed and configured exactly as when the keytabs were produced, and, more importantly, its principal database must be overwritten with the one from which those keytabs were generated. (ll without -a hides the stash file .k5.DEYU.WANG in this directory.)
    [root@kvm5 ~]# ll /var/kerberos/krb5kdc/
    total 32
    -rw-------. 1 root root    20 Aug 30 20:06 kadm5.acl
    -rw-------. 1 root root   484 Aug 30 20:06 kdc.conf
    -rw-------. 1 root root 16384 Aug 30 20:06 principal
    -rw-------. 1 root root  8192 Aug 30 20:06 principal.kadm5
    -rw-------. 1 root root     0 Aug 30 20:06 principal.kadm5.lock
    -rw-------. 1 root root     0 Aug 30 20:06 principal.ok
    
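The configuration of steps 6 to 8, as an added example that is not part of the original page: a script that writes the three files from templates into a directory of your choice (not /etc or /var/kerberos/krb5kdc, so it can be run and inspected anywhere) and then checks that default_principal_flags landed inside the realm block and that no DES or RC4 type is left in supported_enctypes. Assumptions not on the page: the output directory, the AES-only enctype list, and the extra dns_lookup_kdc = false setting; the realm, domain and KDC host are the page's.

```shell
#!/bin/bash
# Added example (not from the original page): generate kdc.conf, krb5.conf
# and kadm5.acl for a realm from templates instead of editing the stock
# files with blanket sed commands, and verify the result.
# Assumptions: output goes to a directory of your choice, not /etc, and the
# realm is restricted to AES enctypes.
set -u

write_kdc_conf() {   # write_kdc_conf OUTFILE REALM
    cat >"$1" <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $2 = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

write_krb5_conf() {  # write_krb5_conf OUTFILE REALM DOMAIN KDCHOST
    cat >"$1" <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $2
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $2 = {
  kdc = $4
  admin_server = $4
 }

[domain_realm]
 .$3 = $2
 $3 = $2
EOF
}

write_kadm5_acl() {  # write_kadm5_acl OUTFILE REALM: any */admin principal gets full rights
    printf '*/admin@%s\t*\n' "$2" >"$1"
}

# flag_in_realm FILE REALM NAME: succeed only if "NAME = ..." appears between
# " REALM = {" and its closing "}". A relation placed directly under [realms]
# is outside every realm block and the KDC ignores it.
flag_in_realm() {
    awk -v realm="$2" -v name="$3" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}"                 { inblock = 0 }
        inblock && $1 == name && $2 == "="   { found = 1 }
        END { exit !found }' "$1"
}

# weak_enctypes FILE: print every DES/RC4 type still listed in supported_enctypes.
weak_enctypes() {
    grep -E '^ *supported_enctypes' "$1" | tr ' ' '\n' | grep -Ei '^(des|arcfour|rc4)' || true
}

if [ "${1:-}" = "demo" ]; then    # usage: ./kdcconf.sh demo /tmp/kdcdemo
    out=${2:-/tmp/kdcdemo}; mkdir -p "$out"
    write_kdc_conf "$out/kdc.conf" DEYU.WANG
    write_krb5_conf "$out/krb5.conf" DEYU.WANG deyu.wang kvm5.deyu.wang
    write_kadm5_acl "$out/kadm5.acl" DEYU.WANG
    flag_in_realm "$out/kdc.conf" DEYU.WANG default_principal_flags \
        && echo "preauth flag is inside the realm block"
    [ -z "$(weak_enctypes "$out/kdc.conf")" ] && echo "no DES/RC4 enctypes"
fi
```

Run it as ./kdcconf.sh demo /tmp/kdcdemo, diff the generated files against the real ones, and copy them into place only after the check passes; flag_in_realm fails on a file laid out like the page's original grep output, where the flag sits above the realm line.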


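The matching requirement of step 28, as an added example (not the page's own code): a script that compares a keytab against the KDC database by kvno and flags DES/RC4 entries such as those shown in steps 20 to 23. It parses the text output of klist -kte and of kadmin.local -q 'getprinc ...'; the embedded samples are constructed to mirror the page's output (with deyu3's KDC kvno raised to 4 to simulate an administrator re-running ktadd) and were not captured from a real system.

```shell
#!/bin/bash
# Added example, not from the original page: verify that a keytab handed to
# an NFS host still matches the KDC. A keytab entry authenticates only while
# its kvno (and key) equals the KDC's current key for that principal; every
# ktadd or password change on the KDC bumps the kvno and invalidates it.
set -u

# keytab_kvnos PRINC: read "klist -kte FILE" output on stdin and print the
# distinct kvno values stored for PRINC (a healthy keytab prints exactly one).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { seen[$1] = 1 }
                   END { for (k in seen) print k }' | sort -n
}

# kdc_kvno: read "kadmin.local -q 'getprinc PRINC'" output on stdin and print
# the kvno the KDC holds ("Key: vno N, enctype" lines all carry the same N).
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(",", "", $3); print $3; exit }'
}

# keytab_weak PRINC: print the DES/RC4 enctypes stored for PRINC, if any.
keytab_weak() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { print $5 }' \
        | tr -d '()' | grep -Ei '^(des|arcfour|rc4)' || true
}

# keytab_matches_kdc PRINC KLIST_TEXT GETPRINC_TEXT: succeed only if the
# keytab holds exactly one kvno for PRINC and it equals the KDC's kvno.
keytab_matches_kdc() {
    local kt kdc
    kt=$(printf '%s\n' "$2" | keytab_kvnos "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    [ -n "$kt" ] && [ "$(printf '%s\n' "$kt" | wc -l)" -eq 1 ] && [ "$kt" = "$kdc" ]
}

# check_live PRINC KEYTAB: the same check against the running KDC; run it as
# root on the KDC host, since it needs kadmin.local.
check_live() {
    keytab_matches_kdc "$1" "$(klist -kte "$2")" "$(kadmin.local -q "getprinc $1")"
}

# Constructed samples (not captured from a real system), shaped like the
# page's klist -kte of /etc/kvm7.keytab and like getprinc output after an
# administrator re-ran ktadd for deyu3, which re-randomised its key (kvno 4).
SAMPLE_KLIST='Keytab name: FILE:/etc/kvm7.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (aes256-cts-hmac-sha1-96)
   2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (aes128-cts-hmac-sha1-96)
   2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (arcfour-hmac)
   2 12/14/2015 11:54:09 nfs/kvm7.deyu.wang@DEYU.WANG (des-cbc-md5)
   3 12/14/2015 19:30:37 deyu3@DEYU.WANG (aes256-cts-hmac-sha1-96)
   3 12/14/2015 19:30:37 deyu3@DEYU.WANG (aes128-cts-hmac-sha1-96)'
SAMPLE_GETPRINC_NFS='Principal: nfs/kvm7.deyu.wang@DEYU.WANG
Number of keys: 8
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH'
SAMPLE_GETPRINC_DEYU3='Principal: deyu3@DEYU.WANG
Number of keys: 8
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH'

if [ "${1:-}" = "demo" ]; then     # usage: ./keytabcheck.sh demo
    for p in nfs/kvm7.deyu.wang@DEYU.WANG deyu3@DEYU.WANG; do
        case $p in nfs/*) g=$SAMPLE_GETPRINC_NFS ;; *) g=$SAMPLE_GETPRINC_DEYU3 ;; esac
        if keytab_matches_kdc "$p" "$SAMPLE_KLIST" "$g"; then echo "$p: kvno matches KDC"
        else echo "$p: kvno MISMATCH, regenerate the keytab"; fi
        w=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_weak "$p")
        [ -n "$w" ] && echo "$p: weak enctypes: $(echo $w)"
    done
fi
```

In the demo the nfs/kvm7.deyu.wang entry matches (kvno 2 on both sides) while deyu3 does not (keytab kvno 3, KDC kvno 4), which is exactly the state a downloaded keytab ends up in when ktadd is run again on the KDC after the file was handed out. On the KDC itself, check_live nfs/kvm7.deyu.wang@DEYU.WANG /etc/kvm7.keytab performs the same comparison against the real database.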
De-Yu Wang 2018-09-07