This is the 26th day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021

Preface

In Kerberos, the names and passwords (more precisely, the long-term keys derived from them) of all principals are stored in the Account Database (abbreviated AD below; not to be confused with Active Directory). When a user authenticates with kinit, the KDC looks the user up in the AD.

Account Database

Creating the Account Database

Run the following command on the KDC server to create the AD:

kdb5_util create -s -r [realm]

  1. After it succeeds, the database files are created under /var/kerberos/krb5kdc (the default location on RHEL/CentOS; kdc.conf and kadm5.acl live in the same directory)

  2. -s writes a stash file holding the KDC master key, so the daemons can open the database at boot without an operator typing the master password (the stash file must therefore be readable by root only); -r specifies the realm

Add the Database Administrator

An administrator needs to be added for each database, and AD is no exception. Database Administrator is also a principal, but a principal that manages the Database

Use the following command to create the principal of the database administrator:

kadmin.local-q"addprinc admin/admin"
Copy the code

Setting the Access Control List (ACL) of the AD

Add the following line to the kadm5.acl file (on RHEL/CentOS, /var/kerberos/krb5kdc/kadm5.acl):

*/admin@[realm] *

  1. The kadmin daemon (kadmind) uses this file to decide who may do what to the AD
  2. Any principal whose name matches */admin@[realm], that is, any principal with an admin instance such as admin/admin, is treated as an administrator, and the * grants it all administrative privileges
  3. These administrators can then create, modify and delete other principals

Start the daemons:

systemctl start krb5kdc.service
systemctl start kadmin.service
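The matching rules behind that ACL line are worth seeing concretely: kadmind compares the requesting principal component by component, so */admin matches admin/admin but not admin, and a line such as *@[realm] * would hand every user full control of the database. The following Python is an added example, not code from the original article or from MIT Kerberos: it re-implements the kadm5.acl evaluation rules (wildcards per component, lowercase letters grant and uppercase letters deny, x and * expand to all privileges except e, the first matching line decides, an optional third field restricts the target principal) over a constructed ACL for the placeholder realm EXAMPLE.COM. Back-references (*1) and the restrictions field are left out.

```python
import re

# Privilege letters from kadm5.acl(5): a add, d delete, m modify, c change password,
# i inquire, l list, s set key, p propagate. "x" and "*" expand to all of these;
# "e" (extract keys) must always be granted explicitly.
ALL_PRIVS = frozenset("admcilsp")

# Constructed sample ACL for the placeholder realm EXAMPLE.COM (not a real deployment).
SAMPLE_ACL = """\
# administrators: any principal with an "admin" instance gets everything
*/admin@EXAMPLE.COM        *
# operators may look but not touch
ops/*@EXAMPLE.COM          il
# helpdesk may reset passwords, but only for plain user principals,
# never for service principals such as host/kdc.example.com
helpdesk@EXAMPLE.COM       ci   *@EXAMPLE.COM
# automation account: everything except deleting principals
svc/provision@EXAMPLE.COM  xD
"""


def parse_acl(text):
    """Return [(principal_pattern, permissions, target_pattern_or_None)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = fields[2] if len(fields) > 2 else None
        rules.append((fields[0], fields[1], target))
    return rules


def _split(principal):
    """'a/b@R' -> (['a', 'b'], 'R'); the realm part is mandatory."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal {principal!r} has no realm")
    return name.split("/"), realm


def _glob(pattern, value):
    """kadm5.acl wildcards: * matches any run of characters, ? exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def match_principal(pattern, principal):
    """Component-wise match: component counts must agree, so */admin@R never matches admin@R."""
    pcomps, prealm = _split(pattern)
    comps, realm = _split(principal)
    if len(pcomps) != len(comps):
        return False
    return _glob(prealm, realm) and all(_glob(p, c) for p, c in zip(pcomps, comps))


def _expand(perms):
    granted, denied = set(), set()
    for ch in perms:
        if ch in "x*":
            granted |= ALL_PRIVS
        elif ch.islower():
            granted.add(ch)
        else:
            denied.add(ch.lower())  # an uppercase letter takes that privilege away
    return frozenset(granted - denied)


def privileges(rules, client, target=None):
    """Privileges the first matching line grants `client` (optionally acting on `target`)."""
    for princ_pat, perms, target_pat in rules:
        if not match_principal(princ_pat, client):
            continue
        if target_pat is not None and target is not None and not match_principal(target_pat, target):
            continue
        return _expand(perms)
    return frozenset()  # no line matched: kadmind denies everything


def allowed(rules, client, priv, target=None):
    return priv in privileges(rules, client, target)


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for who, what, tgt in [("admin/admin@EXAMPLE.COM", "d", "test@EXAMPLE.COM"),
                           ("admin@EXAMPLE.COM", "d", "test@EXAMPLE.COM"),
                           ("helpdesk@EXAMPLE.COM", "c", "test@EXAMPLE.COM"),
                           ("helpdesk@EXAMPLE.COM", "c", "host/kdc.example.com@EXAMPLE.COM")]:
        print(f"{who:26} {what} on {tgt:36} -> {allowed(rules, who, what, tgt)}")
```

Running it shows admin/admin may delete test, admin (no instance) may do nothing, and helpdesk may change the password of test but not of the host service principal, which is exactly the least-privilege split the third field of kadm5.acl is for.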

Installing the Client

Install the software

yum install -y krb5-workstation krb5-libs krb5-auth-dialog

Configuration file

Copy the server's /etc/krb5.conf to the client; it carries the realm name and the KDC and admin server addresses the client must contact

Operating on the AD

Ways into the AD:

  1. On the KDC server, root can use kadmin.local directly, without a ticket; it acts as root/admin@[realm]
  2. From a client, authenticate as the administrator with kinit admin/admin, then log in with kadmin (by default kadmin acts as <username>/admin and prompts for that principal's password; kadmin -p admin/admin names the administrator explicitly)

The kadmin commands

  1. addprinc test: adds the principal test
  2. delprinc test: deletes the principal test
  3. listprincs: lists all principals

Generating a keytab file in kadmin

Run the following command in kadmin to generate the keytab file needed by each user or service principal:

xst -k /path/name.keytab principal

xst (an alias of ktadd) writes the principal's long-term key into the file. By default it first replaces the key with a new random one, which invalidates the principal's current password; pass -norandkey to keep the existing key. Anyone who can read the keytab can authenticate as that principal, so copy it to the host that needs it over a protected channel and restrict its permissions to that service's account.
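A keytab is a file holding the long-term keys themselves, which is why it must be protected like a password. The following Python is an added example, not from the original article or the Kerberos code base: it writes and reads the MIT keytab file format (version 0x0502, big-endian, one length-prefixed entry per key), and its summarize function reports what klist -kt shows, principal, kvno and enctype, without exposing key material. The sample entries, the EXAMPLE.COM realm and the dummy key bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab format version 2: all integers big-endian

# Enctype numbers (RFC 3961/4757) for readable output; keys themselves are never printed
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # "name[/instance]@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int   # when kadmin wrote the entry
    kvno: int        # key version number
    enctype: int
    key: bytes       # the long-term key: this is what must never leak


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    """Serialise one entry in the layout kadmin ktadd/xst writes."""
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)  # 8-bit kvno
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)  # 32-bit kvno, needed once kvno exceeds 255
    return struct.pack(">i", len(body)) + body  # length prefix excludes itself


def encode_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(blob: bytes):
    """Decode every live entry; a negative length prefix marks a deleted slot."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    off = 2

    def read_counted():
        nonlocal off
        (n,) = struct.unpack_from(">H", blob, off)
        off += 2
        data = blob[off:off + n]
        if len(data) != n:
            raise ValueError("truncated string")
        off += n
        return data

    entries = []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:  # deleted entry: skip its bytes
            off += -size
            continue
        end = off + size
        if end > len(blob):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm = read_counted().decode()
        comps = [read_counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", blob, off)
        off += 2
        key = read_counted()
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno; a nonzero value overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", blob, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp, kvno, enctype, key))
    return entries


def summarize(blob: bytes):
    """What `klist -kt` would show: principal, kvno and enctype, never the key."""
    return [(e.principal, e.kvno, ENCTYPES.get(e.enctype, str(e.enctype))) for e in parse_keytab(blob)]


# Constructed sample: two entries with dummy keys for the placeholder realm EXAMPLE.COM.
SAMPLE_ENTRIES = [
    KeytabEntry("test@EXAMPLE.COM", 1, 1_700_000_000, 2, 18, bytes(range(32))),
    KeytabEntry("host/kdc.example.com@EXAMPLE.COM", 1, 1_700_000_000, 300, 17, bytes(range(16))),
]
SAMPLE_KEYTAB = encode_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for principal, kvno, enctype in summarize(SAMPLE_KEYTAB):
        print(f"{kvno:4} {principal:40} {enctype}")
```

The second sample entry has kvno 300, above the range of the 8-bit field, which is why modern MIT appends the 32-bit kvno and why a parser that stops at the 8-bit field reports the wrong key version.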

kinit

kinit -R renews a TGT, extending its expiry. If the renewal is refused, check the principal's maximum renewable life (shown by getprinc in kadmin); if it is 0 days, the ticket cannot be renewed.

  1. When a ticket is about to reach the end of its lifetime, you can either obtain a new ticket (kinit again, which needs the password or a keytab) or renew the current one (kinit -R, which needs no password). Each renewal extends the ticket by at most one ticket lifetime
  2. Renewal has its own limit, the renewable lifetime (kinit -r requests it; the KDC caps it at max_renewable_life). A ticket can only be renewed while it is still valid and before that limit is reached
  3. If max_renewable_life = 0, tickets are not renewable, and a new ticket must be obtained with kinit when ticket_lifetime ends
  4. kinit -R renews within the renewable lifetime; kinit -k -t xxx.keytab obtains a fresh ticket from a keytab instead of a password
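The lifetime arithmetic behind these points is easier to reason about as code. The following Python is an added example, not from the original article or from the Kerberos source: a small model in which kinit stands for a fresh ticket request and renew for kinit -R, enforcing the three rules the KDC applies (a renewal adds at most one ticket_lifetime, never past renew_till, and an expired ticket cannot be renewed at all). The 24-hour lifetime and 7-day renewable life used in the demonstration are assumed values.

```python
from dataclasses import dataclass

HOUR = 3600


class RenewError(Exception):
    """Raised where the KDC would refuse `kinit -R`."""


@dataclass
class Ticket:
    authtime: int     # when the password (or keytab) was last used
    end: int          # current expiry
    renew_till: int   # hard stop for renewals
    renewable: bool


def kinit(now, ticket_lifetime, renew_lifetime, max_renewable_life):
    """Fresh TGT. The KDC caps the requested renewable life at max_renewable_life;
    a cap of 0 (or a window no longer than one lifetime) yields a non-renewable ticket."""
    end = now + ticket_lifetime
    renew_till = now + min(renew_lifetime, max_renewable_life)
    renewable = renew_till > end
    return Ticket(now, end, renew_till if renewable else end, renewable)


def renew(ticket, now, ticket_lifetime):
    """kinit -R: no password, but only while the ticket is still valid and before
    renew_till; each renewal grants at most one more ticket_lifetime."""
    if now >= ticket.end:
        raise RenewError("ticket has expired; run kinit again")
    if not ticket.renewable or now >= ticket.renew_till:
        raise RenewError("renewable lifetime exhausted; run kinit again")
    new_end = min(now + ticket_lifetime, ticket.renew_till)
    return Ticket(ticket.authtime, new_end, ticket.renew_till, True)


def renew_schedule(ticket, ticket_lifetime, every):
    """Renew every `every` seconds after authtime (what a cron job or k5start would do);
    return the expiry after each successful renewal and stop at the first refusal."""
    ends = []
    now = ticket.authtime + every
    while True:
        try:
            ticket = renew(ticket, now, ticket_lifetime)
        except RenewError:
            return ends
        ends.append(ticket.end)
        now += every


if __name__ == "__main__":
    # assumed values: 24 h ticket lifetime, 7 d renewable life, renew every 20 h
    t = kinit(0, 24 * HOUR, 7 * 24 * HOUR, 7 * 24 * HOUR)
    print([e // HOUR for e in renew_schedule(t, 24 * HOUR, 20 * HOUR)])
```

With those values the schedule prints expiries at hours 44, 64, ..., 164 and finally 168: the last renewal is clipped to renew_till, and the one after it fails because the ticket has by then expired, so the password or keytab is needed again.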