Install
1. OS (Amazon Linux 2)
$ cat /etc/system-release
Amazon Linux release 2 (Karoo)
2. Installed packages
- krb5-related packages
- ntp
$ sudo yum list installed | grep krb
krb5-devel.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
krb5-libs.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
krb5-server.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
krb5-workstation.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
pam_krb5.x86_64 2.4.8-6.amzn2.0.2 @amzn2-core
$ sudo yum list installed | grep ntp
fontpackages-filesystem.noarch 1.44-8.amzn2 @amzn2-core
Reference
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/installing-kerberos
- https://gist.github.com/ashrithr/4767927948eca70845db
Settings
Summary
1. EC2 (2 instances) - master, slave (HA)
2. DNS (Route 53; abcdef.com is used as the sample domain)
- kdc.abcdef.com
- kdc2.abcdef.com
Configuration
1. /etc/krb5.conf configuration
- the realm name must be written in upper case
$ cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
[libdefaults]
default_realm = ABCDEF.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
ABCDEF.COM = {
kdc = kdc.abcdef.com:88
kdc = kdc2.abcdef.com:88
admin_server = kdc.abcdef.com:749
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
2. /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
ABCDEF.COM = {
kadmind_port = 749
max_life = 9h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal
database_name = /var/kerberos/krb5kdc/principal
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /var/kerberos/krb5kdc/kadm5.dict
key_stash_file = /var/kerberos/krb5kdc/.k5.ABCDEF.COM
}
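The two files above are where a misconfiguration is easiest to miss: a realm typed in lower case, or an enctype list that still carries single DES, 3DES or RC4 (as the lists above do). The script below is an added example, not part of the original post, that audits a krb5.conf or kdc.conf for exactly those two things. It assumes bash with awk, sed and tr on PATH; the weak-enctype list is this example's own choice, and the two sample configurations are constructed here to mirror the post's [realms] blocks.

```bash
#!/bin/bash
# Added example, not part of the original post: audit krb5.conf / kdc.conf for
# realm names that are not upper case and for enctype settings that still allow
# weak ciphers. Assumptions: bash with awk/sed/tr on PATH; the weak-enctype
# list is this example's own choice, not something the post specifies.
set -u

# Single DES, 3DES and RC4 are deprecated in MIT Kerberos; leaving them in the
# default/permitted/supported lists lets a peer negotiate down to them.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 des3-hmac-sha1 arcfour-hmac-md5'
ENCTYPE_KEYS='default_tkt_enctypes default_tgs_enctypes permitted_enctypes supported_enctypes master_key_type'

# Print the value of the first "key = value" relation in the file.
conf_value() {
    awk -v key="$2" '$1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Print every realm name that opens a "NAME = {" block.
conf_realms() {
    awk '$2 == "=" && $3 == "{" { print $1 }' "$1"
}

# Report findings for the file in $1; exit status 0 only when nothing was flagged.
audit_krb5_conf() {
    local file=$1 problems=0 realm key value enc
    for realm in $(conf_realms "$file") $(conf_value "$file" default_realm); do
        if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
            echo "FAIL: realm '$realm' is not upper case"
            problems=$((problems + 1))
        fi
    done
    for key in $ENCTYPE_KEYS; do
        # kdc.conf writes "enctype:salt"; drop the salt so names compare cleanly
        value=$(conf_value "$file" "$key" | sed 's/:[^ ]*//g')
        [ -n "$value" ] || continue
        for enc in $WEAK_ENCTYPES; do
            case " $value " in
                *" $enc "*)
                    echo "WARN: $key allows weak enctype $enc"
                    problems=$((problems + 1)) ;;
            esac
        done
    done
    echo "$problems problem(s) found in $file"
    [ "$problems" -eq 0 ]
}

# Constructed sample krb5.conf carrying the weak tail of the post's enctype lists.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = ABCDEF.COM
[realms]
    ABCDEF.COM = {
        kdc = kdc.abcdef.com:88
        kdc = kdc2.abcdef.com:88
        admin_server = kdc.abcdef.com:749
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc
    }
EOF
}

# Constructed sample mirroring the post's kdc.conf [realms] block.
sample_kdc_conf() {
    cat <<'EOF'
[kdcdefaults]
    kdc_ports = 88
[realms]
    ABCDEF.COM = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal
    }
EOF
}

# Usage: ./audit_krb5.sh /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf
# With no arguments the two constructed samples are audited instead.
if [ $# -gt 0 ]; then
    for f in "$@"; do audit_krb5_conf "$f" || :; done
else
    tmp=$(mktemp)
    sample_krb5_conf > "$tmp"; audit_krb5_conf "$tmp" || :
    sample_kdc_conf > "$tmp";  audit_krb5_conf "$tmp" || :
    rm -f "$tmp"
fi
```

Run against the post's own values the audit flags the DES/RC4/3DES entries in all three krb5.conf lists and the des3 master key type in kdc.conf; trimming the lists to the AES types (and choosing an AES master key type before `kdb5_util create`) makes it pass. The check only reads the first occurrence of each relation, which is how the krb5 profile library resolves duplicates in these files.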
3. /var/kerberos/krb5kdc/kadm5.acl
*/admin@ABCDEF.COM *
4. Create KDC database
kdb5_util create -r ABCDEF.COM -s
5. Create KDC admin
# kadmin.local
kadmin.local: addprinc admin/admin@ABCDEF.COM
NOTICE: no policy specified for "admin/admin@ABCDEF.COM";
assigning "default".
Enter password for principal admin/admin@ABCDEF.COM: (Enter a password.)
Re-enter password for principal admin/admin@ABCDEF.COM: (Type it again.)
Principal "admin/admin@ABCDEF.COM" created.
kadmin.local:
6. KDC database Backup & Restore
- https://docs.oracle.com/cd/E19683-01/817-0365/aadmin-3/index.html
- https://docs.oracle.com/cd/E19496-01/806-1971/6jb7j7amu/index.html
Create the script below, run it from crontab, and it propagates the database to the slave server
#!/bin/bash
# dump the KDC database to a file (kdb5_util also writes <file>.dump_ok, which kprop checks)
/usr/sbin/kdb5_util dump /var/kerberos/slave_datatrans
# push the dump to the slave KDC (kpropd must be running there)
/usr/sbin/kprop -f /var/kerberos/slave_datatrans mgmt-krb-kdc02.abcdef.com > /dev/null
- FYI, the slave host name is resolved through /etc/hosts
% cat /etc/hosts
...
10.100.125.156 mgmt-krb-kdc02.abcdef.com mgmt-krb-kdc02
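The cron script above discards kprop's output, so a failed propagation (kpropd down, ACL mismatch, stale dump) goes unnoticed until a client hits the slave and gets an old database. The script below is an added example, not the post's own script, that does the same dump-and-kprop job but checks every exit status, keeps the dump file private (it contains every principal's keys), and pushes one dump to each replica in turn. It assumes kdb5_util and kprop at the paths shown (overridable through the KDB5_UTIL and KPROP variables); the replica host names passed on the command line are placeholders.

```bash
#!/bin/bash
# Added example, not the post's own script: a cron-friendly replacement for
# the dump-and-kprop job that checks every exit status, keeps the dump file
# private, and pushes the same dump to each replica KDC in turn.
# Assumptions: kdb5_util/kprop live at the paths below (override with the
# KDB5_UTIL / KPROP variables); the replica host names are placeholders.
set -u

KDB5_UTIL=${KDB5_UTIL:-/usr/sbin/kdb5_util}
KPROP=${KPROP:-/usr/sbin/kprop}
DUMP_FILE=${DUMP_FILE:-/var/kerberos/slave_datatrans}

log() { printf '%s krb5-propagate: %s\n' "$(date '+%F %T')" "$*" >&2; }

# Dump the KDC database under umask 077: the dump holds every principal's keys,
# so it must never be readable by other local users.
dump_db() {
    ( umask 077 && "$KDB5_UTIL" dump "$1" )
}

# Dump once, then kprop to each replica named after the dump path.
# Return value: 0 when every replica got the dump, otherwise the number of
# replicas that failed (or 1 when the dump itself failed).
propagate_db() {
    local dump=$1 failed=0 host
    shift
    if ! dump_db "$dump"; then
        log "kdb5_util dump to $dump failed; nothing propagated"
        return 1
    fi
    for host in "$@"; do
        # kprop also needs kpropd running on the replica, with a kpropd.acl
        # that lists this master's host principal.
        if "$KPROP" -f "$dump" "$host"; then
            log "propagated $dump to $host"
        else
            log "kprop to $host failed"
            failed=$((failed + 1))
        fi
    done
    # keep the dump for inspection when something failed; clean up otherwise
    [ "$failed" -eq 0 ] && rm -f "$dump" "$dump.dump_ok"
    return "$failed"
}

# Usage (e.g. from cron): ./krb5-propagate.sh kdc2.abcdef.com
if [ $# -gt 0 ]; then
    propagate_db "$DUMP_FILE" "$@"
fi
```

Because the exit status now reflects what happened, cron's MAILTO (or whatever collects the job's stderr) reports a broken propagation the first time it occurs instead of after the slave has silently drifted. Removing the dump only on success means a failed run leaves the file in place for inspection, still owned by root with mode 0600.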
7. Daemon start & enable
systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service