server# kadmin -l kadmin> add user1 ... user1@CORPX.UN's Password: kpassword1 Verifying - user1@CORPX.UN's Password: kpassword1 ... kadmin> add user2 ... kadmin> list * kadmin> quit
root@server:~# kadmin.local kadmin.local: addprinc user1 ... Enter password for principal "user1@CORPX.UN": kpassword1 Re-enter password for principal "user1@CORPX.UN": kpassword1 ... kadmin.local: addprinc user2 ... kadmin.local: listprincs ... user1@CORPX.UN ... kadmin.local: quit
server# kinit user1 server# klist server# kdestroy gate# kinit user1 gate# klist gate# kdestroy client1# kinit user1 client1# klist client1# kdestroy
GSSAPI Generic Security Services Application Program Interface
server# kadmin -l kadmin> add -r host/gate.corpX.un ... kadmin> list * kadmin> ext -k gatehost.keytab host/gate.corpX.un kadmin> quit server# scp gatehost.keytab gate:
root@server:~# kadmin.local kadmin.local: addprinc -randkey host/gate.corpX.un ... kadmin.local: listprincs kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un ... kadmin.local: quit server# scp gatehost.keytab gate:
Добавляем пользователя в AD
Login: gatehost Password: Pa$$w0rd
Пароль не меняется и не устаревает
Устанавливаем Microsoft Windows Support Tools
C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab C:\>pscp gatehost.keytab gate:
gate# ktutil copy /root/gatehost.keytab /etc/krb5.keytab gate# touch /etc/srvtab gate# ktutil list ...
root@gate:~# ktutil ktutil: rkt /root/gatehost.keytab ktutil: list ktutil: wkt /etc/krb5.keytab ktutil: quit root@gate:~# klist -ek /etc/krb5.keytab
gate# ktutil remove -p 'HTTP/gate.CORPX.UN@CORPX.UN'
gate# cat /etc/ssh/sshd_config ... GSSAPIAuthentication yes ...
client1# cat /etc/ssh/ssh_config ... GSSAPIAuthentication yes ...
Hostname: user1@gate.corpX.un SSH->Auth-Attempt GSSAPI...
[client1:~] # cat /etc/pam.d/system ... # auth ... auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok ...
root@client1:~# apt-get install libpam-krb5
Всё настроится автоматически.
root@client1:~# cd /etc/pam.d/ root@client1:/etc/pam.d/# grep krb5 * ...
user1@client1$ ssh -vv gate.corpX.un gate# /usr/sbin/sshd -d
!!! Необходимо все системы корректно прописать в прямой и обратной зонах DNS !!! ???
server# kadmin -l kadmin> add host/client2.corpX.un ... Pa$$w0rd ... kadmin> list * kadmin>
root@server:~# kadmin.local kadmin.local: addprinc -e rc4-hmac:normal host/client2.corpX.un ... Enter password for principal "host/client2.corpX.un@CORPX.UN": Pa$$w0rd ... kadmin.local: listprincs kadmin.local: