This article only stands up a Kerberos server for a particular test; it does not assume a production environment.
It only records that connectivity was confirmed and does not explain the reasoning behind the operations.
(There are points I do not fully understand myself.)
Reference: https://www.youtube.com/watch?v=YRLEapMDZmU
Prerequisites
- All operations are performed as the root user
- The AWS EC2 machines can communicate with each other
Server-side steps
1. Install the Kerberos packages
# dnf install krb5-server krb5-libs krb5-workstation
Last metadata expiration check: 0:03:10 ago on Wed Jul 17 09:49:14 2024.
Package krb5-libs-1.21-3.amzn2023.0.4.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================
Package Architecture Version Repository Size
========================================================================================================================
Installing:
krb5-server x86_64 1.21-3.amzn2023.0.4 amazonlinux 298 k
krb5-workstation x86_64 1.21-3.amzn2023.0.4 amazonlinux 499 k
Installing dependencies:
krb5-pkinit x86_64 1.21-3.amzn2023.0.4 amazonlinux 62 k
libkadm5 x86_64 1.21-3.amzn2023.0.4 amazonlinux 79 k
Transaction Summary
========================================================================================================================
Install 4 Packages
Here krb5-pkinit is pulled in automatically as a dependency. Having it installed would mean separately issuing a self-signed certificate and so on, so it is removed while ignoring dependencies.
# rpm --nodeps -e krb5-pkinit
2. Create the database
# kdb5_util create -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:<any password>
Re-enter KDC database master key to verify:<any password>
3. Change the hostname
# hostnamectl set-hostname hogefuga.sample.com
Note: if you choose a name that turns up in internet lookups, such as google.com, this does not work properly.
4. Edit /etc/krb5.conf
Key point
Set the values of kdc and admin_server to the hostname configured in step 3.
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# spake_preauth_groups = edwards25519
# dns_canonicalize_hostname = fallback
# qualify_shortname = ""
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = hogefuga.sample.com
admin_server = hogefuga.sample.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
5. Start the services
# systemctl enable krb5kdc kadmin
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.
# systemctl start krb5kdc kadmin
6. Add the admin principal
# kadmin.local
Authenticating as principal ec2-user/admin@EXAMPLE.COM with password.
kadmin.local: addprinc admin/admin
No policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM":<any password>
Re-enter password for principal "admin/admin@EXAMPLE.COM":<any password>
Principal "admin/admin@EXAMPLE.COM" created.
7. Check connectivity locally
# systemctl restart krb5kdc kadmin
# kadmin -p admin/admin@EXAMPLE.COM
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Password for admin/admin@EXAMPLE.COM:<the admin/admin password set in step 6>
kadmin: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
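The server procedure above boils down to one configuration rule (step 4: kdc and admin_server must be the hostname from step 3) and one thing the post never edits, the kadmin ACL. The following script is an added example and not code from the original post: it renders the step-4 krb5.conf for any realm and KDC hostname, checks an existing krb5.conf against the step-4 rule, and checks that kadm5.acl grants rights to */admin in the realm. The stock kadm5.acl shipped with the krb5-server package carries the line `*/admin@EXAMPLE.COM *`, which is why admin/admin can run listprincs through kadmin without the ACL being touched; with any realm other than EXAMPLE.COM that line has to be adapted. File paths, realm and hostname are all passed as arguments (the values below are the post's), so nothing here touches the live system unless you point it there.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the step-4 krb5.conf
# for a given realm and KDC hostname, checks a krb5.conf against the step-4 rule
# (kdc and admin_server must be the step-3 hostname) and checks kadm5.acl for a
# */admin@REALM entry. Paths, realm and hostname are arguments, not live paths.
set -eu

# [domain_realm] maps the lower-cased DNS domain to the upper-cased realm.
realm_to_domain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# Print the step-4 configuration, parameterised on realm and KDC hostname.
render_krb5_conf() {
    realm=$1
    kdc_host=$2
    domain=$(realm_to_domain "$realm")
    cat <<EOF
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = $realm
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $realm = {
  kdc = $kdc_host
  admin_server = $kdc_host
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# Print the value of KEY inside the "REALM = { ... }" block of FILE (args: FILE REALM KEY).
realm_setting() {
    awk -v realm="$2" -v key="$3" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}"                  { inblock = 0 }
        inblock && $1 == key && $2 == "="     { print $3; exit }
    ' "$1"
}

# 0 if FILE sets default_realm to REALM and both kdc and admin_server in the
# realm block to KDC_HOST; prints each mismatch and returns 1 otherwise.
check_krb5_conf() {
    file=$1
    realm=$2
    kdc_host=$3
    status=0
    default_realm=$(awk '$1 == "default_realm" && $2 == "=" { print $3; exit }' "$file")
    if [ "$default_realm" != "$realm" ]; then
        echo "default_realm is '$default_realm', expected $realm" >&2
        status=1
    fi
    for key in kdc admin_server; do
        value=$(realm_setting "$file" "$realm" "$key")
        if [ "$value" != "$kdc_host" ]; then
            echo "$key is '$value', expected $kdc_host" >&2
            status=1
        fi
    done
    return $status
}

# 0 if ACL_FILE has an entry giving "*/admin@REALM" all rights ("*"), the line
# the stock kadm5.acl carries for EXAMPLE.COM; 1 otherwise (args: ACL_FILE REALM).
check_kadm5_acl() {
    awk -v realm="$2" '
        /^[[:space:]]*#/ { next }
        $1 == ("*/admin@" realm) && $2 == "*" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}
```

Typical use on the KDC after step 4 is `check_krb5_conf /etc/krb5.conf EXAMPLE.COM "$(hostname)"` followed by `check_kadm5_acl /var/kerberos/krb5kdc/kadm5.acl EXAMPLE.COM`; a non-zero exit from either explains why step 7 or the client's kadmin call would fail.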
Client steps
1. Install the Kerberos packages
krb5-server is not needed.
# dnf install krb5-libs krb5-workstation
Last metadata expiration check: 0:04:42 ago on Wed Jul 17 10:13:47 2024.
Package krb5-libs-1.21-3.amzn2023.0.4.x86_64 is already installed.
Dependencies resolved.
========================================================================================================================
Package Architecture Version Repository Size
========================================================================================================================
Installing:
krb5-workstation x86_64 1.21-3.amzn2023.0.4 amazonlinux 499 k
Installing dependencies:
krb5-pkinit x86_64 1.21-3.amzn2023.0.4 amazonlinux 62 k
libkadm5 x86_64 1.21-3.amzn2023.0.4 amazonlinux 79 k
Transaction Summary
========================================================================================================================
Install 3 Packages
Here krb5-pkinit is pulled in automatically as a dependency. Having it installed would mean separately issuing a self-signed certificate and so on, so it is removed while ignoring dependencies.
# rpm --nodeps -e krb5-pkinit
2. Edit /etc/krb5.conf
Same content as on the server.
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# spake_preauth_groups = edwards25519
# dns_canonicalize_hostname = fallback
# qualify_shortname = ""
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = hogefuga.sample.com
admin_server = hogefuga.sample.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
3. Add the server's entry to /etc/hosts
<server IP address> hogefuga.sample.com
4. Check connectivity
# kadmin -p admin/admin@EXAMPLE.COM
Authenticating as principal admin/admin@EXAMPLE.COM with password.
Password for admin/admin@EXAMPLE.COM:
kadmin: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
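On the client, step 3 (the /etc/hosts entry) and step 4 (kadmin reaching the KDC and returning the realm's principals) are the two places this setup fails in practice. The following preflight script is an added example, not code from the original post: it verifies that a hosts file maps the KDC hostname to the expected address, checks that a `listprincs` listing contains every principal a freshly created realm must have (the master key K/M, krbtgt for the realm and the two kadmin service principals, plus any extra principals you name), and probes TCP ports 88 (KDC) and 749 (kadmin). The hosts file path, IP address and the listing are passed in, so the checks run against constructed input; only the port probe, which needs bash and coreutils `timeout`, has to run on a real client.

```shell
#!/bin/sh
# Added example, not code from the original post: client-side preflight checks
# for steps 3 and 4. Hosts file path, address, realm and listing are arguments.
set -eu

# 0 if HOSTS_FILE maps IP to KDC_HOST (the line added in client step 3),
# skipping comment lines and accepting extra aliases on the line; 1 otherwise.
check_hosts_entry() {
    hosts_file=$1
    ip=$2
    kdc_host=$3
    awk -v ip="$ip" -v host="$kdc_host" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == host) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$hosts_file"
}

# Reads a listprincs listing on stdin. 0 if it contains the master key, the
# TGS key, both kadmin service principals and every extra principal given as
# an argument; prints the missing ones and returns 1 otherwise.
check_listprincs() {
    realm=$1
    shift
    listing=$(cat)
    status=0
    for p in "K/M@$realm" "krbtgt/$realm@$realm" \
             "kadmin/admin@$realm" "kadmin/changepw@$realm" "$@"; do
        if ! printf '%s\n' "$listing" | grep -Fxq "$p"; then
            echo "missing principal: $p" >&2
            status=1
        fi
    done
    return $status
}

# Try a TCP connect to the KDC (88) and kadmin (749) ports on KDC_HOST with a
# 3-second timeout each. Uses bash's /dev/tcp and coreutils timeout, so it is
# for a real client, not for the offline checks above.
check_kdc_ports() {
    kdc_host=$1
    status=0
    for port in 88 749; do
        if timeout 3 bash -c "exec 3<>/dev/tcp/$kdc_host/$port" 2>/dev/null; then
            echo "port $port on $kdc_host: open"
        else
            echo "port $port on $kdc_host: not reachable" >&2
            status=1
        fi
    done
    return $status
}
```

On a real client the sequence is `check_hosts_entry /etc/hosts <server IP address> hogefuga.sample.com`, then `check_kdc_ports hogefuga.sample.com`, and finally `kadmin -p admin/admin@EXAMPLE.COM -q listprincs | check_listprincs EXAMPLE.COM admin/admin@EXAMPLE.COM`; the last pipeline turns the manual listprincs comparison from step 4 into a pass/fail exit status.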