Exported from Confluence (confluence-esup.uphf.fr), 29 Mar 2024.
This page shows how to install two redundant Kerberos servers: kerb1, the master KDC, and kerb2, the slave KDC that receives a copy of the database by propagation.
Server name | kerb1.univ-rennes1.fr
System      | RedHat Enterprise 5
Open ports  | ssh (22 tcp); the configuration below also requires the KDC port (88 tcp and udp) and, since this is the master, the kadmin port (749 tcp) to be reachable from clients
Configure clock synchronization against the server ntp.univ-rennes1.fr (see /etc/ntp.conf) and make sure the ntpd daemon is running. Kerberos rejects authenticators and tickets whose timestamps fall outside the allowed clock skew (5 minutes by default), so an unsynchronized KDC or client fails to authenticate:
[root@kerb1 ~]# chkconfig ntpd on
[root@kerb1 ~]# service ntpd start
ntpd: Synchronizing with time server:                      [  OK  ]
Syncing hardware clock to system time                      [  OK  ]
Starting ntpd:                                             [  OK  ]
[root@kerb1 ~]#
Edit the file /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UNIV-RENNES1.FR
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UNIV-RENNES1.FR = {
  kdc = kerb1.univ-rennes1.fr:88
  admin_server = kerb1.univ-rennes1.fr:749
  default_domain = univ-rennes1.fr
 }

[domain_realm]
 .univ-rennes1.fr = UNIV-RENNES1.FR
 univ-rennes1.fr = UNIV-RENNES1.FR

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
Install the krb5-server package (yum install krb5-server).
Edit the file /var/kerberos/krb5kdc/kdc.conf:
[kdcdefaults]
 v4_mode = nopreauth
 kdc_ports = 88,750
 kdc_tcp_ports = 88

[realms]
 UNIV-RENNES1.FR = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

A word on supported_enctypes: this list keeps single DES (the des-* entries) and RC4 (arcfour-hmac) for old clients. Both are deprecated (RFC 6649 for DES, RFC 8429 for RC4 and 3DES). MIT Kerberos has supported AES since release 1.3, so put aes256-cts-hmac-sha1-96:normal first and drop the DES entries as soon as no client needs them: every principal gets one key per listed enctype, so a weak entry weakens every account in the realm.
Edit the file /var/kerberos/krb5kdc/kadm5.acl (the two fields are separated by a tab):

*/admin@UNIV-RENNES1.FR	*

This single line grants every kadmin privilege ("*") to any principal whose instance is "admin", so creating a foo/admin principal is the same as handing out full administrative rights over the realm.
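As an added check, not part of the original page, the following POSIX shell functions audit the two files just written: one flags deprecated single-DES and RC4 entries in the supported_enctypes line of kdc.conf, the other lists kadm5.acl entries that give every permission to a wildcard principal pattern. The kdc.conf stanza and the ACL lines embedded below are constructed copies of the page's own configuration so that the script runs offline; in production, feed it the real files (for example: weak_enctypes < /var/kerberos/krb5kdc/kdc.conf).

```shell
#!/bin/sh
# Added example: audit an MIT Kerberos kdc.conf and kadm5.acl for weak
# settings. Not from the original page; the sample inputs below are
# constructed copies of the page's configuration so the checks run
# without a KDC installed.

# Constructed copy of the page's kdc.conf realm stanza.
SAMPLE_KDC_CONF='[kdcdefaults]
 kdc_ports = 88,750
 kdc_tcp_ports = 88
[realms]
 UNIV-RENNES1.FR = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }'

# Constructed kadm5.acl: the page's wildcard line plus one explicit entry.
# Fields are whitespace separated (a tab in the original file).
SAMPLE_KADM5_ACL='# principal                  permissions
*/admin@UNIV-RENNES1.FR      *
root/admin@UNIV-RENNES1.FR   *'

# weak_enctypes: read kdc.conf text on stdin and print, one per line, each
# enctype:salt pair using single DES (des-*) or RC4 (arcfour-hmac*). Both
# are deprecated (RFC 6649, RFC 8429). des3-hmac-sha1 is not flagged here,
# but AES (aes256-cts-hmac-sha1-96) should lead the list where clients allow.
weak_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' |
        tr ' ' '\n' |
        grep -E '^(des-|arcfour-hmac)' || true
}

# weak_enctype_count: number of weak entries, usable as a cron exit status.
weak_enctype_count() {
    weak_enctypes | grep -c '^'
}

# acl_full_admin_wildcards: read kadm5.acl on stdin and print the principal
# patterns that contain a wildcard and are granted all permissions ("*").
# Comment lines are skipped. The page's "*/admin@UNIV-RENNES1.FR *" entry
# gives any principal with an /admin instance full kadmin rights.
acl_full_admin_wildcards() {
    awk '$1 !~ /^#/ && $1 ~ /\*/ && $2 == "*" { print $1 }'
}

# Stand-alone demo on the constructed samples.
echo "Weak enctypes in kdc.conf:"
printf '%s\n' "$SAMPLE_KDC_CONF" | weak_enctypes
echo "Wildcard ACL entries with all rights:"
printf '%s\n' "$SAMPLE_KADM5_ACL" | acl_full_admin_wildcards
```

On the page's configuration the first function reports six weak entries (one RC4, five single DES) and the second reports the */admin wildcard. A least-privilege alternative for a tool that only reads the database is an explicit entry such as "manager/admin@UNIV-RENNES1.FR  il" (inquire and list), which the second function does not flag.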
Create the Kerberos database. The -s option writes a stash file (/var/kerberos/krb5kdc/.k5.UNIV-RENNES1.FR) holding the master key so the KDC can start without the password being typed; that file must be protected like the master key itself:
[root@kerb1 ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'UNIV-RENNES1.FR',
master key name 'K/M@UNIV-RENNES1.FR'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@kerb1 ~]#
Add the first administrative user (root/admin):
[root@kerb1 ~]# kadmin.local -q "addprinc root/admin"
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
WARNING: no policy specified for root/admin@UNIV-RENNES1.FR; defaulting to no policy
Enter password for principal "root/admin@UNIV-RENNES1.FR":
Re-enter password for principal "root/admin@UNIV-RENNES1.FR":
Principal "root/admin@UNIV-RENNES1.FR" created.
[root@kerb1 ~]#
Start the services:
[root@kerb1 ~]# chkconfig kadmin on
[root@kerb1 ~]# service kadmin start
Starting Kerberos 5 Admin Server:                          [  OK  ]
[root@kerb1 ~]# chkconfig krb5kdc on
[root@kerb1 ~]# service krb5kdc start
Starting Kerberos 5 KDC:                                   [  OK  ]
[root@kerb1 ~]#
Check the installation by listing the principals:
[root@kerb1 ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  listprincs
K/M@UNIV-RENNES1.FR
kadmin/admin@UNIV-RENNES1.FR
kadmin/changepw@UNIV-RENNES1.FR
kadmin/history@UNIV-RENNES1.FR
kadmin/localhost.localdomain@UNIV-RENNES1.FR
krbtgt/UNIV-RENNES1.FR@UNIV-RENNES1.FR
root/admin@UNIV-RENNES1.FR
kadmin:  exit
[root@kerb1 ~]#
Server name | kerb2.univ-rennes1.fr
System      | RedHat Enterprise 5
Open ports  | ssh (22 tcp); the KDC port (88 tcp and udp) must also be reachable from clients, and the kprop port (754 tcp) from kerb1 for database propagation; the kadmin port (749 tcp) is not needed on the slave
Install the krb5-server package, then repeat every operation performed on the kerb1 server; only opening port 749 is unnecessary. Note that kadmind is only useful on the master: each propagation replaces the slave's database with the master's dump, so any change made through kadmin on kerb2 is lost at the next run of the propagation script.
To save time, copy the files /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf and /var/kerberos/krb5kdc/kadm5.acl from the kerb1 server:
[root@kerb2 ~]# scp root@kerb1:/etc/krb5.conf /etc
root@kerb1's password:
krb5.conf                                     100%  638     0.6KB/s   00:00
[root@kerb2 ~]# scp root@kerb1:/var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/
root@kerb1's password:
kdc.conf                                      100%  414     0.4KB/s   00:00
[root@kerb2 ~]# scp root@kerb1:/var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/
root@kerb1's password:
kadm5.acl                                     100%   26     0.0KB/s   00:00
[root@kerb2 ~]#
Then change the realms section of /etc/krb5.conf (replace kerb1 with kerb2). This applies to the slave's own copy only; client machines should instead list both KDCs (two kdc = lines) while keeping admin_server pointed at kerb1, where kadmind runs:
[realms]
 UNIV-RENNES1.FR = {
  kdc = kerb2.univ-rennes1.fr:88
  admin_server = kerb2.univ-rennes1.fr:749
  default_domain = univ-rennes1.fr
 }
Create the Kerberos database, add the first user (root/admin), start the services and check that everything works by listing the principals. When running kdb5_util create -s on kerb2, enter the same master password as on kerb1: the principal keys in the propagated dump are encrypted under the master key, so a slave whose stash file holds a different key cannot use the database it receives. Alternatively, copy the stash file /var/kerberos/krb5kdc/.k5.UNIV-RENNES1.FR from kerb1 over an authenticated channel such as scp.
On the master server, create the host keys of both servers. Each ktadd generates a new random key and increments the kvno, so run it once per principal and distribute the resulting keytab rather than running ktadd again on another host:
[root@kerb1 ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  addprinc -randkey host/kerb1.univ-rennes1.fr
WARNING: no policy specified for host/kerb1.univ-rennes1.fr@UNIV-RENNES1.FR; defaulting to no policy
Principal "host/kerb1.univ-rennes1.fr@UNIV-RENNES1.FR" created.
kadmin:  addprinc -randkey host/kerb2.univ-rennes1.fr
WARNING: no policy specified for host/kerb2.univ-rennes1.fr@UNIV-RENNES1.FR; defaulting to no policy
Principal "host/kerb2.univ-rennes1.fr@UNIV-RENNES1.FR" created.
kadmin:  ktadd host/kerb1.univ-rennes1.fr
Entry for principal host/kerb1.univ-rennes1.fr with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kerb1.univ-rennes1.fr with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kerb1.univ-rennes1.fr with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kerb1.univ-rennes1.fr with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  ktadd host/kerb2.univ-rennes1.fr
Entry for principal host/kerb2.univ-rennes1.fr with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kerb2.univ-rennes1.fr with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kerb2.univ-rennes1.fr with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kerb2.univ-rennes1.fr with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  exit
[root@kerb1 ~]#
On the slave server, copy the file /etc/krb5.keytab. kpropd only needs the host/kerb2.univ-rennes1.fr entry; copying the whole file also gives kerb2 the master's host key. To avoid that, write the slave's key to a separate file on kerb1 (kadmin: ktadd -k /tmp/kerb2.keytab host/kerb2.univ-rennes1.fr) and copy only that file:
[root@kerb2 ~]# scp root@kerb1.univ-rennes1.fr:/etc/krb5.keytab /etc
krb5.keytab                                   100%  634     0.6KB/s   00:00
[root@kerb2 ~]#
On the slave server, edit the file /var/kerberos/krb5kdc/kpropd.acl as follows. This file lists the principals allowed to push a database to kpropd; only the master's host principal, host/kerb1.univ-rennes1.fr, is strictly required, the second line is harmless:

host/kerb1.univ-rennes1.fr@UNIV-RENNES1.FR
host/kerb2.univ-rennes1.fr@UNIV-RENNES1.FR
Then start the kpropd service, which listens on port 754 tcp (krb5_prop):
[root@kerb2 ~]# chkconfig kprop on
[root@kerb2 ~]# service kprop start
Starting Kerberos 5 Propagation Server:                    [  OK  ]
[root@kerb2 ~]#
On the master server, create the script /usr/local/bin/krb5prop.sh:
[root@kerb1 ~]# cat > /usr/local/bin/krb5prop.sh <<'EOF'
#!/bin/sh
# Dump the master database, then push it to kpropd on the slave.
# set -e stops the script before kprop if the dump fails.
set -e
/usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
/usr/kerberos/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans kerb2.univ-rennes1.fr > /dev/null
EOF
[root@kerb1 ~]# chmod 700 /usr/local/bin/krb5prop.sh
[root@kerb1 ~]#
Run the two commands of the script by hand once to check that propagation works:
[root@kerb1 ~]# /usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans
[root@kerb1 ~]# /usr/kerberos/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans kerb2.univ-rennes1.fr
Database propagation to kerb2.univ-rennes1.fr: SUCCEEDED
[root@kerb1 ~]#
To check that principals are propagated correctly, add a dummy principal on the master server and propagate to the slave:
[root@kerb1 ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  addprinc dummy
WARNING: no policy specified for dummy@UNIV-RENNES1.FR; defaulting to no policy
Enter password for principal "dummy@UNIV-RENNES1.FR":
Re-enter password for principal "dummy@UNIV-RENNES1.FR":
Principal "dummy@UNIV-RENNES1.FR" created.
kadmin:  exit
[root@kerb1 ~]# /usr/local/bin/krb5prop.sh
[root@kerb1 ~]#
On the slave server, check that the new principal is present:
[root@kerb2 ~]# kadmin.local -q "listprincs"
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
K/M@UNIV-RENNES1.FR
dummy@UNIV-RENNES1.FR
host/kerb1.univ-rennes1.fr@UNIV-RENNES1.FR
host/kerb2.univ-rennes1.fr@UNIV-RENNES1.FR
kadmin/admin@UNIV-RENNES1.FR
kadmin/changepw@UNIV-RENNES1.FR
kadmin/history@UNIV-RENNES1.FR
kadmin/localhost.localdomain@UNIV-RENNES1.FR
krbtgt/UNIV-RENNES1.FR@UNIV-RENNES1.FR
root/admin@UNIV-RENNES1.FR
[root@kerb2 ~]#
Do not forget to delete the dummy principal afterwards (kadmin.local -q "delprinc dummy" on kerb1) and to run the propagation script again so that the deletion reaches kerb2.
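The dummy-principal test above is done by hand. As an added example, not from the original page, here is a POSIX shell check that compares the principal lists of the master and the slave and reports anything missing on the slave, so that cron can raise an alert when propagation silently stops working. The realm and host names are the page's; the two listprincs outputs below are constructed for an offline run (the slave copy lacks the dummy principal, as it would just before a propagation). In production, replace them with the output of kadmin.local -q listprincs run on kerb1 and on kerb2.

```shell
#!/bin/sh
# Added example (not from the original page): detect principals present on
# the master KDC but missing on the slave. Inputs are constructed copies of
# kadmin.local "listprincs" output, banner line included.

MASTER_LIST='Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
K/M@UNIV-RENNES1.FR
dummy@UNIV-RENNES1.FR
host/kerb1.univ-rennes1.fr@UNIV-RENNES1.FR
host/kerb2.univ-rennes1.fr@UNIV-RENNES1.FR
kadmin/admin@UNIV-RENNES1.FR
kadmin/changepw@UNIV-RENNES1.FR
krbtgt/UNIV-RENNES1.FR@UNIV-RENNES1.FR
root/admin@UNIV-RENNES1.FR'

SLAVE_LIST='Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
K/M@UNIV-RENNES1.FR
host/kerb1.univ-rennes1.fr@UNIV-RENNES1.FR
host/kerb2.univ-rennes1.fr@UNIV-RENNES1.FR
kadmin/admin@UNIV-RENNES1.FR
kadmin/changepw@UNIV-RENNES1.FR
krbtgt/UNIV-RENNES1.FR@UNIV-RENNES1.FR
root/admin@UNIV-RENNES1.FR'

# clean_principals: keep only principal names (each contains '@'), drop the
# "Authenticating as ..." banner, and sort in the C locale for comm(1).
clean_principals() {
    awk '/@/ && !/^Authenticating/' | LC_ALL=C sort
}

# principal_count: number of principals in one listprincs output.
principal_count() {
    clean_principals | grep -c '^'
}

# missing_on_slave MASTER_OUTPUT SLAVE_OUTPUT: print the principals that
# exist on the master but not on the slave, one per line. Exit status is 0
# when both databases agree and 1 otherwise, so a cron wrapper can alert.
missing_on_slave() {
    master_tmp=$(mktemp) || return 2
    slave_tmp=$(mktemp) || { rm -f "$master_tmp"; return 2; }
    printf '%s\n' "$1" | clean_principals > "$master_tmp"
    printf '%s\n' "$2" | clean_principals > "$slave_tmp"
    missing=$(LC_ALL=C comm -23 "$master_tmp" "$slave_tmp")
    rm -f "$master_tmp" "$slave_tmp"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Stand-alone demo on the constructed lists.
if missing_on_slave "$MASTER_LIST" "$SLAVE_LIST"; then
    echo "slave kerb2 is in sync with master kerb1"
else
    echo "slave kerb2 is missing the principals above; run krb5prop.sh"
fi
```

Run from cron a few minutes after krb5prop.sh, a non-zero exit status means the last propagation did not land. Principals present only on the slave are not reported, since a full kprop load replaces the slave database and removes them anyway.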
Edit /etc/crontab so that synchronization between the two KDCs runs automatically, every 5 minutes for example. Unlike a user crontab, /etc/crontab has a user field between the schedule and the command:
*/5 * * * * root /usr/local/bin/krb5prop.sh
The two servers kerb1 and kerb2 are now installed.
Principals can be managed remotely with kadmin from a (trusted) administration machine.
To do this, from the administration machine, we generate a
[root@admin ~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  addprinc -randkey manager/admin
WARNING: no policy specified for manager/admin@UNIV-RENNES1.FR; defaulting to no policy
Principal "manager/admin@UNIV-RENNES1.FR" created.
kadmin:  ktadd -k /etc/manager.keytab manager/admin
Entry for principal manager/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/manager.keytab.
Entry for principal manager/admin with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/manager.keytab.
Entry for principal manager/admin with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/manager.keytab.
Entry for principal manager/admin with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/manager.keytab.
kadmin:  exit
[root@admin ~]#
Then use the command kadmin -p manager/admin -k -t /etc/manager.keytab -q "kadmin_command" to run kadmin_command, where -k selects keytab authentication and -t names the keytab file. For example:
[root@admin ~]# kadmin -p manager/admin -k -t /etc/manager.keytab -q "listprincs"
Authenticating as principal manager/admin with keytab /etc/manager.keytab.
HTTP/cas-kerb.univ-rennes1.fr@UNIV-RENNES1.FR
K/M@UNIV-RENNES1.FR
cas/admin@UNIV-RENNES1.FR
host/cas-kerb.univ-rennes1.fr@UNIV-RENNES1.FR
host/clinux.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR
host/cwinxp.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR
host/kerb1.univ-rennes1.fr@UNIV-RENNES1.FR
host/kerb2.univ-rennes1.fr@UNIV-RENNES1.FR
kadmin/admin@UNIV-RENNES1.FR
kadmin/changepw@UNIV-RENNES1.FR
kadmin/history@UNIV-RENNES1.FR
kadmin/localhost.localdomain@UNIV-RENNES1.FR
krbtgt/UNIV-RENNES1.FR@UNIV-RENNES1.FR
manager/admin@UNIV-RENNES1.FR
paubry@UNIV-RENNES1.FR
root/admin@UNIV-RENNES1.FR
[root@admin ~]#
A script /usr/local/bin/kexec makes running kadmin commands easier. Since the kadm5.acl above gives */admin every right, /etc/manager.keytab is equivalent to a full administrator password: check that it is owned by root with mode 0600, and restrict access to the administration machine accordingly:
[root@admin ~]# cd /usr/local/bin
[root@admin bin]# cat > kexec <<'EOF'
#!/bin/bash
# Run a single kadmin command as manager/admin, authenticating with the keytab.
# "$*" joins all arguments into one kadmin command line.
exec kadmin -p manager/admin -k -t /etc/manager.keytab -q "$*"
EOF
[root@admin bin]# chown root.root kexec
[root@admin bin]# chmod 700 kexec
[root@admin bin]#
Looking up a principal dupont in the Kerberos database can then be done with:
[root@admin bin]# kexec getprinc dupont
Authenticating as principal manager/admin with keytab /etc/manager.keytab.
Principal: dupont@UNIV-RENNES1.FR
Expiration date: [never]
Last password change: Wed Mar 10 12:23:31 CET 2010
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Mar 10 12:23:31 CET 2010 (cas/admin@UNIV-RENNES1.FR)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Key: vno 1, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]
[root@admin bin]#