隶属于文章系列:大数据安全实战 https://www.jianshu.com/p/76627fd8399c
安装
java环境
使用java 安全类库,要替换自带的。
下载jce_policy-8.zip后:
ansible all --become -m shell -a "ls -l /mnt/kbdsproject/jdk/jre/lib/security/"
ansible all --become -m shell -a "rm -f /mnt/kbdsproject/jdk/jre/lib/security/US_export_policy.jar"
ansible all --become -m shell -a "rm -f /mnt/kbdsproject/jdk/jre/lib/security/local_policy.jar
rz -be
unzip jce_policy-8.zip
cd UnlimitedJCEPolicyJDK8/
ll
ansible all -m copy -a "scr=/home/hadoop/UnlimitedJCEPolicyJDK8/local_policy.jar dest=/mnt/kbdsproject/jdk/jre/lib/security/"
ansible all --become -m copy -a "scr=/home/hadoop/UnlimitedJCEPolicyJDK8/local_policy.jar dest=/mnt/kbdsproject/jdk/jre/lib/security/"
ansible all --become -m copy -a "src=/home/hadoop/UnlimitedJCEPolicyJDK8/local_policy.jar dest=/mnt/kbdsproject/jdk/jre/lib/security/"
ansible all --become -m copy -a "src=/home/hadoop/UnlimitedJCEPolicyJDK8/US_export_policy.jar dest=/mnt/kbdsproject/jdk/jre/lib/security/"
配置
服务端
more /etc/krb5.conf
使用已经部署的KDC,怎么管理呢?F
[root@v-app2-cloud krb5kdc]# kadmin.local -r KDBS.COM -p kadmin/admin@KDBS.COM
Authenticating as principal kadmin/admin@KDBS.COM with password.
kadmin.local: Cannot find master key record in database while initializing kadmin.local interface
解决方法:
重新执行创建数据库
还是不行:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
#default_tgs_enctypes = des3-hmac-sha1
#default_tkt_enctypes = des3-hmac-sha1
#permitted_enctypes = des3-hmac-sha1
#default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
#default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
#permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
TT.COM = {
kdc = v-app2-cloud.sz.kingdee.net
admin_server = v-app2-cloud.sz.kingdee.net
database_module = openldap_ldapconf
}
TT.COM = {
kdc = v-app2-cloud.sz.kingdee.net
admin_server = v-app2-cloud.sz.kingdee.net
database_module = openldap_ldapconf
}
[domain_realm]
.sz.kingdee.net = TT.COM
sz.kingdee.net = TT.COM
kingdee.gbl = TT.COM
.kingdee.gbl = TT.COM
[dbdefaults]
ldap_kerberos_container_dn = "cn=krbcontainer,dc=javachen,dc=com"
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "cn=krbcontainer,dc=javachen,dc=com"
ldap_kdc_dn = uid=ldapadmin,ou=people,dc=javachen,dc=com
ldap_kadmind_dn = uid=ldapadmin,ou=people,dc=javachen,dc=com
#ldap_kdc_dn = uid=krb5kdc,ou=people,dc=javachen,dc=com
#ldap_kadmind_dn = uid=kadmind,ou=people,dc=javachen,dc=com
ldap_service_password_file = /var/kerberos/krb5kdc/ldap.stash
ldap_servers = ldap://172.20.176.171/
ldap_conns_per_server = 5
}
kdc.conf
[root@v-app2-cloud krb5kdc]# more kdc.conf
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
TT.COM = {
master_key_type = aes256-cts-hmac-sha1-96
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
}
KDBS.COM = {
master_key_type = aes256-cts-hmac-sha1-96
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5-kbds.keytab
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal
}
[dbdefaults]
ldap_kerberos_container_dn = "cn=krbcontainer,dc=javachen,dc=com"
[dbmodules]
openldap_ldapconf = {
db_library = kldap
#ldap_kdc_dn = uid=krb5kdc,ou=people,dc=javachen,dc=com
#ldap_kadmind_dn = uid=kadmind,ou=people,dc=javachen,dc=com
ldap_kdc_dn = uid=ldapadmin,ou=people,dc=javachen,dc=com
ldap_kadmind_dn = uid=ldapadmin,ou=people,dc=javachen,dc=com
ldap_service_password_file = /var/kerberos/krb5kdc/ldap.stash
ldap_servers = ldap://172.20.176.171/
ldap_conns_per_server = 5
}
客户端
- 安装
yum install krb5-workstation
- 修改 /etc/krb5.conf,跟服务端一样
