Notes on setting up a Kerberos server on AL2023

This article only stands up a Kerberos server for a particular test; it does not assume a production environment.

I only got as far as confirming connectivity, so I do not record the rationale behind each operation.
(There are points I do not fully understand myself.)

Reference: https://www.youtube.com/watch?v=YRLEapMDZmU

Prerequisites

  • All operations are performed as the root user
  • The AWS EC2 instances can communicate with each other

Server-side procedure

1. Install the Kerberos packages

# dnf install krb5-server krb5-libs krb5-workstation
Last metadata expiration check: 0:03:10 ago on Wed Jul 17 09:49:14 2024.
Package krb5-libs-1.21-3.amzn2023.0.4.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================
 Package                        Architecture         Version                            Repository                 Size
========================================================================================================================
Installing:
 krb5-server                    x86_64               1.21-3.amzn2023.0.4                amazonlinux               298 k
 krb5-workstation               x86_64               1.21-3.amzn2023.0.4                amazonlinux               499 k
Installing dependencies:
 krb5-pkinit                    x86_64               1.21-3.amzn2023.0.4                amazonlinux                62 k
 libkadm5                       x86_64               1.21-3.amzn2023.0.4                amazonlinux                79 k

Transaction Summary
========================================================================================================================
Install  4 Packages

At this point krb5-pkinit is pulled in automatically as a dependency. With it installed you would additionally have to issue a self-signed certificate and so on, so remove it while ignoring dependencies.

# rpm --nodeps -e krb5-pkinit

2. Create the database

# kdb5_util create -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:<any password>
Re-enter KDC database master key to verify:<any password>

3. Change the hostname

# hostnamectl set-hostname hogefuga.sample.com

※ If you choose a name that resolves on the public internet, such as google.com, it does not work properly.

4. Edit /etc/krb5.conf

Key point
Set kdc and admin_server to the hostname configured in step 3.

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    # spake_preauth_groups = edwards25519
    # dns_canonicalize_hostname = fallback
    # qualify_shortname = ""
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
     kdc = hogefuga.sample.com
     admin_server = hogefuga.sample.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
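The pitfall in step 4 is a kdc or admin_server value that does not match the hostname from step 3. The following shell script, added here as an example and not part of the original post, parses the [libdefaults], [realms] and [domain_realm] sections of a krb5.conf and confirms that both values for the default realm name the expected host. The sample config is constructed to mirror the post's own file; "hogefuga.sample.com" is the post's placeholder hostname, and "wrong.sample.com" is a constructed mismatch used only to show the failing case.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for krb5.conf.

# Print the first value of KEY in the top-level section named SECTION
# (for example "[libdefaults]"). Commented lines start with "#" and never match.
krb5_section_value() {
    conf="$1"; want="$2"; key="$3"
    awk -v want="$want" -v key="$key" '
        /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]*/, "", section); next }
        section == want && $1 == key && $2 == "=" { print $3; exit }
    ' "$conf"
}

# Print the value of KEY inside the "REALM = { ... }" block of [realms].
# The [logging] section also has kdc/admin_server keys, so the section is tracked.
krb5_realm_value() {
    conf="$1"; realm="$2"; key="$3"
    awk -v realm="$realm" -v key="$key" '
        /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]*/, "", section); in_realm = 0; next }
        section == "[realms]" && $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && /^[[:space:]]*}/ { in_realm = 0; next }
        in_realm && $1 == key && $2 == "=" { print $3; exit }
    ' "$conf"
}

# Exit 0 only when kdc and admin_server of the default realm both equal HOST,
# which is what step 4 requires; otherwise report the mismatch on stderr.
check_kdc_hostname() {
    conf="$1"; host="$2"
    realm=$(krb5_section_value "$conf" "[libdefaults]" default_realm)
    [ -n "$realm" ] || { echo "default_realm missing in $conf" >&2; return 1; }
    kdc=$(krb5_realm_value "$conf" "$realm" kdc)
    adm=$(krb5_realm_value "$conf" "$realm" admin_server)
    if [ "$kdc" != "$host" ] || [ "$adm" != "$host" ]; then
        echo "realm $realm: kdc=$kdc admin_server=$adm, expected $host" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the post's krb5.conf trimmed to the lines the checks read.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
includedir /etc/krb5.conf.d/

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    rdns = false
    # spake_preauth_groups = edwards25519
    default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
     kdc = hogefuga.sample.com
     admin_server = hogefuga.sample.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF

# Live use on the KDC after step 4 (not run here):
#   check_kdc_hostname /etc/krb5.conf "$(hostname)" && echo "krb5.conf matches hostname"
```

Run it on the KDC with the real file and `$(hostname)`; a non-zero exit with the mismatch printed on stderr means step 3 and step 4 disagree and kadmin will not reach the server.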

5. Start the services

# systemctl enable krb5kdc kadmin
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.
# systemctl start krb5kdc kadmin

6. Add the admin principal

# kadmin.local
Authenticating as principal ec2-user/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc admin/admin
No policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM":<any password>
Re-enter password for principal "admin/admin@EXAMPLE.COM":<any password>
Principal "admin/admin@EXAMPLE.COM" created.

7. Local connectivity check

# systemctl restart krb5kdc kadmin

# kadmin -p admin/admin@EXAMPLE.COM
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Password for admin/admin@EXAMPLE.COM:<password set in step 6>
kadmin:  listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM

Client procedure

1. Install the Kerberos packages

krb5-server is not needed.

# dnf install krb5-libs krb5-workstation
Last metadata expiration check: 0:04:42 ago on Wed Jul 17 10:13:47 2024.
Package krb5-libs-1.21-3.amzn2023.0.4.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================
 Package                        Architecture         Version                            Repository                 Size
========================================================================================================================
Installing:
 krb5-workstation               x86_64               1.21-3.amzn2023.0.4                amazonlinux               499 k
Installing dependencies:
 krb5-pkinit                    x86_64               1.21-3.amzn2023.0.4                amazonlinux                62 k
 libkadm5                       x86_64               1.21-3.amzn2023.0.4                amazonlinux                79 k

Transaction Summary
========================================================================================================================
Install  3 Packages

Here too krb5-pkinit is pulled in automatically as a dependency. With it installed you would additionally have to issue a self-signed certificate and so on, so remove it while ignoring dependencies.

# rpm --nodeps -e krb5-pkinit

2. Edit /etc/krb5.conf

Same content as on the server.

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    # spake_preauth_groups = edwards25519
    # dns_canonicalize_hostname = fallback
    # qualify_shortname = ""
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
     kdc = hogefuga.sample.com
     admin_server = hogefuga.sample.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

3. Add the server to /etc/hosts

<server IP address> hogefuga.sample.com

4. Connectivity check

# kadmin -p admin/admin@EXAMPLE.COM
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Password for admin/admin@EXAMPLE.COM:
kadmin:  listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
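The two checks a practitioner wants after client step 3 and the listprincs output of client step 4 (the same list the server produced in step 7) can be scripted. The following is an added example, not code from the original post: hosts_lookup reads an /etc/hosts-format file and prints the address mapped to the KDC name, and check_principals reads `listprincs` output on stdin and confirms that the principals a freshly created realm must have, plus the admin/admin principal from server step 6, are all present. The hosts file and address 10.0.0.10 are constructed samples; the principal list is the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): client-side connectivity checks.

# Print the address that an /etc/hosts-style FILE maps to NAME (empty if none).
# Comment lines and trailing "# ..." comments are ignored.
hosts_lookup() {
    file="$1"; name="$2"
    awk -v name="$name" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$file"
}

# Succeed only when every essential principal for REALM appears as a whole
# line in the listprincs output read from stdin; missing names go to stderr.
check_principals() {
    realm="$1"
    missing=0
    list=$(cat)
    for p in "K/M@$realm" "krbtgt/$realm@$realm" "kadmin/admin@$realm" \
             "kadmin/changepw@$realm" "admin/admin@$realm"; do
        if ! printf '%s\n' "$list" | grep -qx "$p"; then
            echo "missing principal: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample hosts file: the client step 3 line with a placeholder address.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
# KDC added in client step 3 (10.0.0.10 is a constructed placeholder address)
10.0.0.10   hogefuga.sample.com   # kdc
EOF

# Constructed sample: the listprincs output shown in the post.
SAMPLE_PRINCS='K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Live use on the client (not run here):
#   hosts_lookup /etc/hosts hogefuga.sample.com
#   kadmin -p admin/admin@EXAMPLE.COM -q listprincs | check_principals EXAMPLE.COM
```

`kadmin -q` runs a single query non-interactively, so the second live command is the scripted form of the step 4 session; extra lines such as the "Authenticating as principal" banner do not disturb the check because each principal is matched as a whole line.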