This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
аутентификация_с_использованием_kerberos_сервера [2010/09/24 12:45] val |
аутентификация_с_использованием_kerberos_сервера [2010/09/29 10:26] val |
||
---|---|---|---|
Line 141: | Line 141: | ||
</code> | </code> | ||
- | ===== Cинхронизация времени ===== | + | ===== Cинхронизация времени (может потребоваться рестарт служб NIS, NFS и RPCBIND) ===== |
==== FreeBSD ==== | ==== FreeBSD ==== | ||
Line 157: | Line 157: | ||
# date 040708422015 | # date 040708422015 | ||
Tue Apr 7 08:42:00 MSD 2015 | Tue Apr 7 08:42:00 MSD 2015 | ||
- | </code> | ||
- | |||
- | ===== Перезапуск служб NIS, NFS и RPCBIND ===== | ||
- | |||
- | ==== FreeBSD ==== | ||
- | <code> | ||
- | [server:~] # /etc/rc.d/nfsd stop | ||
- | [server:~] # /etc/rc.d/mountd stop | ||
- | [server:~] # /etc/rc.d/ypserv stop | ||
- | |||
- | [server:~] # /etc/rc.d/rpcbind restart | ||
- | |||
- | [server:~] # /etc/rc.d/ypserv start | ||
- | [server:~] # /etc/rc.d/mountd start | ||
- | [server:~] # /etc/rc.d/nfsd start | ||
- | </code> | ||
- | |||
- | ==== Ubuntu ==== | ||
- | <code> | ||
- | |||
</code> | </code> | ||
Line 230: | Line 210: | ||
</code> | </code> | ||
- | ==== Регистрация принципала пользователя в базе данных kerberos ==== | + | ==== Регистрация принципалов пользователей в базе данных kerberos ==== |
=== FreeBSD, Ubuntu (8.04) === | === FreeBSD, Ubuntu (8.04) === | ||
Line 239: | Line 219: | ||
user1@CORPX.UN's Password: kpassword1 | user1@CORPX.UN's Password: kpassword1 | ||
Verifying - user@CORPX.UN's Password: kpassword1 | Verifying - user@CORPX.UN's Password: kpassword1 | ||
+ | ... | ||
+ | kadmin> add user2 | ||
+ | ... | ||
kadmin> list * | kadmin> list * | ||
Line 251: | Line 234: | ||
kadmin.local: addprinc user1 | kadmin.local: addprinc user1 | ||
... | ... | ||
- | Enter password for principal "user@CORPX.UN": kpassword1 | + | Enter password for principal "user1@CORPX.UN": kpassword1 |
- | Re-enter password for principal "user@CORPX.UN": kpassword1 | + | Re-enter password for principal "user1@CORPX.UN": kpassword1 |
+ | ... | ||
+ | kadmin.local: addprinc user2 | ||
+ | ... | ||
kadmin.local: listprincs | kadmin.local: listprincs | ||
... | ... | ||
Line 276: | Line 261: | ||
</code> | </code> | ||
- | ===== Настройка Kerberos клиента ===== | + | ===== Настройка Kerberos клиента (на gate и client1) ===== |
==== Инсталляция клиента ==== | ==== Инсталляция клиента ==== | ||
Line 309: | Line 294: | ||
===== Использование протокола GSSAPI для сервиса sshd ===== | ===== Использование протокола GSSAPI для сервиса sshd ===== | ||
+ | |||
Generic Security Services Application Program Interface | Generic Security Services Application Program Interface | ||
Line 337: | Line 323: | ||
=== FreeBSD, Ubuntu (8.04) === | === FreeBSD, Ubuntu (8.04) === | ||
<code> | <code> | ||
- | kadmin> ext -k gate.keytab host/gate.corpX.un | + | kadmin> ext -k gatehost.keytab host/gate.corpX.un |
kadmin> quit | kadmin> quit | ||
</code> | </code> | ||
Line 343: | Line 329: | ||
=== Ubuntu (10.04) === | === Ubuntu (10.04) === | ||
<code> | <code> | ||
- | kadmin.local: ktadd -k gate.keytab host/gate.corpX.un | + | kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un |
... | ... | ||
... | ... | ||
Line 352: | Line 338: | ||
=== FreeBSD, Ubuntu === | === FreeBSD, Ubuntu === | ||
<code> | <code> | ||
- | server# scp gate.keytab student@gate: | + | server# scp gatehost.keytab student@gate: |
</code> | </code> | ||
=== FreeBSD, Ubuntu (8.04) === | === FreeBSD, Ubuntu (8.04) === | ||
<code> | <code> | ||
- | gate# ktutil copy /usr/student/gate.keytab /etc/krb5.keytab | + | gate# ktutil copy /usr/student/gatehost.keytab /etc/krb5.keytab |
gate# touch /etc/srvtab | gate# touch /etc/srvtab | ||
Line 368: | Line 354: | ||
<code> | <code> | ||
root@gate:~# ktutil | root@gate:~# ktutil | ||
- | ktutil: rkt /usr/student/gate.keytab | + | ktutil: rkt /usr/student/gatehost.keytab |
ktutil: list | ktutil: list | ||
ktutil: wkt /etc/krb5.keytab | ktutil: wkt /etc/krb5.keytab | ||
Line 386: | Line 372: | ||
==== Настройка клиента ssh на использование GSSAPI ==== | ==== Настройка клиента ssh на использование GSSAPI ==== | ||
<code> | <code> | ||
- | server# cat /etc/ssh/ssh_config | + | client1# cat /etc/ssh/ssh_config |
... | ... | ||
GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
Line 398: | Line 384: | ||
=== FreeBSD === | === FreeBSD === | ||
<code> | <code> | ||
- | [server:~] # cat /etc/pam.d/system | + | [client1:~] # cat /etc/pam.d/system |
... | ... | ||
# auth | # auth | ||
Line 410: | Line 396: | ||
=== Ubuntu (8.04) === | === Ubuntu (8.04) === | ||
<code> | <code> | ||
- | root@server:~# apt-get install libpam-heimdal | + | root@client1:~# apt-get install libpam-heimdal |
</code> | </code> | ||
=== Ubuntu (10.04) === | === Ubuntu (10.04) === | ||
<code> | <code> | ||
- | root@server:~# apt-get install libpam-krb5 | + | root@client1:~# apt-get install libpam-krb5 |
</code> | </code> | ||
- | === Ubuntu === | + | === Ubuntu (все настроится автоматически) === |
<code> | <code> | ||
- | root@server:~# cat /etc/pam.d/login | + | root@client1:~# cd /etc/pam.d/ |
- | ... | + | root@client1:/etc/pam.d/# grep krb5 * |
- | auth sufficient pam_krb5.so | + | |
- | # Standard Un*x authentication. | + | |
... | ... | ||
</code> | </code> | ||
Line 429: | Line 413: | ||
===== Отладка ===== | ===== Отладка ===== | ||
<code> | <code> | ||
- | user@server$ ssh -vv gate.corpX.un | + | user1@client1$ ssh -vv gate.corpX.un |
gate# /usr/sbin/sshd -d | gate# /usr/sbin/sshd -d | ||
- | </code> | ||
- | |||
- | ===== Нюансы ===== | ||
- | <code> | ||
- | kadmin.local: addprinc -e rc4-hmac:normal -randkey cifs/server.example.com | ||
- | |||
- | kadmin.local: ktadd -k cifs.server.example.com.keytab -e rc4-hmac:normal cifs/server.example.com | ||
- | |||
- | kadmin.local: ank -e rc4-hmac:normal -randkey imap/gate.CORP13.UN@CORP13.UN | ||
</code> | </code> | ||