Kerberos: collected reference material

Source: Internet   Editor: 程序博客网   Date: 2024/05/18 03:42

Creating Kerberos Keytab Files Compatible with Active Directory

Before I demonstrate how to create the keytab, a word about encryption.  There are a number of encryption types used for hashing a password.  These include DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC and a few others.  Active Directory uses RC4-HMAC by default.  Back in Windows 2000, you could also use the DES types without any trouble, but since Windows 2003, only RC4-HMAC is supported, unless you make a registry change (to all of your domain controllers).  If you need to use DES for some reason, then refer to the TechNet article at the bottom of the page.

Before attempting to create a keytab file, you'll need to know the user's Kerberos principal name, in the form username@MYDOMAIN.COM, and the user's password.


Creating a KeyTab on Windows (tested on Windows Server 2008 R2)
Open a command prompt and type the following command:


ktpass /princ spn /pass password /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /out username.keytab

http://technet.microsoft.com/en-us/library/cc753771.aspx

ktpass

[/out <FileName>]

[/princ <PrincipalName>]

[/mapuser <UserAccount>]

[/mapop {add|set}] [{-|+}desonly] [/in <FileName>]

[/pass {Password|*|{-|+}rndpass}]

[/minpass]

[/maxpass]

[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]

[/itercount]

[/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}]

[/kvno <KeyVersionNum>]

[/answer {-|+}]

[/target]

[/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <Password>] [/?|/h|/help]


Creating a KeyTab on Ubuntu Linux (tested on Ubuntu 10.10 - Maverick Meerkat)
Open a terminal window and type the following commands:

http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/ktutil.html

ktutil
addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
- enter password for username -
wkt username.keytab
q


Testing the Keytab File
Now in order to test the keytab, you'll need a copy of kinit.  You can use the version that's on Ubuntu, or if on Windows, you can install the latest Java runtime from Sun (JRE).  In either case, you'll need to set up your /etc/krb5.conf file (on Linux) or c:\windows\krb5.ini (on Windows).  Either file should look something like this:


[libdefaults]
default_realm = MYDOMAIN.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
MYDOMAIN.COM = {
    kdc = mydomain.com:88
    admin_server = mydomain.com
    default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[login]
krb4_convert = true
krb4_get_tickets = false

Once you've got your Kerberos file set up, you can use kinit to test the keytab.  First, try to log on with your user account without using the keytab:


kinit username@MYDOMAIN.COM
- enter the password -

If that doesn't work, your krb5 file is wrong.  If it does work, now try the keytab file:


kinit username@MYDOMAIN.COM -k -t username.keytab

Now you should successfully authenticate without being prompted for a password.  Success!
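The ktutil session above writes, and the kinit test above reads, a file in the MIT keytab binary format. The following added example (not code from the original article) builds one entry in that format and parses it back, so you can check what a keytab contains, which principal, enctype and key version number (kvno), before handing it to kinit. The realm, principal, kvno and the 16-byte key are constructed placeholder values; enctype 23 is arcfour-hmac (RC4-HMAC), and name type 1 is KRB5_NT_PRINCIPAL, matching the ktpass /ptype used earlier.

```python
import struct

# All values below are constructed for this example; they are not from the page.
REALM = "MYDOMAIN.COM"
PRINCIPAL = "username"            # "/"-separated components for service principals
KVNO = 1                          # must equal the account's current key version in AD
ETYPE_RC4_HMAC = 23               # arcfour-hmac, the type the page says AD uses by default
KRB5_NT_PRINCIPAL = 1             # the /ptype value used in the ktpass command above
SAMPLE_KEY = bytes(range(16))     # placeholder 16-byte key, NOT derived from any password


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(principal, realm, kvno, etype, key, name_type=KRB5_NT_PRINCIPAL,
                 timestamp=0):
    """Serialise one entry in MIT keytab format version 0x0502 (what ktutil writes)."""
    components = principal.split("/")
    body = struct.pack(">H", len(components))          # count excludes the realm in v2
    body += _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno field
    body += struct.pack(">HH", etype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                    # 32-bit vno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return a list of dicts, one per live entry, from a v0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        etype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = data[p:p + klen]
        p += klen
        kvno = vno8
        if end - p >= 4:              # optional 32-bit vno; zero means "use the 8-bit one"
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "etype": etype, "key": key})
        off = end
    return entries


def has_usable_key(entries, principal, realm, etype, kvno):
    """Pre-kinit check: does the keytab hold a key for this principal, enctype and kvno?"""
    want = f"{principal}@{realm}"
    return any(e["principal"] == want and e["etype"] == etype and e["kvno"] == kvno
               for e in entries)


if __name__ == "__main__":
    keytab = build_keytab(PRINCIPAL, REALM, KVNO, ETYPE_RC4_HMAC, SAMPLE_KEY)
    for e in parse_keytab(keytab):
        print(f'{e["kvno"]:>4} {e["principal"]} etype={e["etype"]} keylen={len(e["key"])}')
```

Two things this makes visible that the commands alone do not: the kvno stored in the file must match the account's current key version or the KDC will reject the key, which is why ktutil asks for -k and ktpass accepts /kvno; and for RC4-HMAC the stored key is simply the account's NT hash (MD4 of the UTF-16LE password), so an RC4 keytab is password-equivalent and needs the same file permissions you would give a plaintext password.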


For Windows, the detailed steps are at: http://janusdo.iteye.com/blog/564749

Hints:

1) Check that the SPN has been mapped to the user:

setspn -L user  -> if this fails with "Ldap Error(0x22 -- Invalid DN Syntax): ldap_search_s", check and make sure there is no comma in the CN (name).

2) When generating the keytab file, some sources suggest using username@DOMAIN while others use SERVICE/HOST[:PORT]@DOMAIN, so this probably depends on the application.

Configure Tomcat Kerberos Authentication

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)

1)     If you have Tomcat Monitor:

·       Start the Tomcat monitor (or select Configure Tomcat and skip the next step)

·       Right-click on the Tomcat monitor and select Configure

·       Go to the Java tab and in the Java Options, scroll to the end and type the 3 additional Java parameters (the same -D parameters listed under 2a below):


2)     If you don't have Tomcat Monitor:

a)     Set JVM parameters in the .cshrc file (for the case of Unix):

setenv JAVA_OPTS with the following values:

-Djava.security.auth.login.config=${CATALINA_HOME}/conf/jaas.conf

-Djava.security.krb5.conf=${CATALINA_HOME}/conf/krb5.conf

-Djavax.security.auth.useSubjectCredsOnly=false

b)     Set up a login.config file for Java (see the JAAS LoginConfig file) and tell Tomcat where to find it by specifying its location to the JVM, for instance by setting the environment variable: JAVA_OPTS=$JAVA_OPTS -Djava.security.auth.login.config==$CATALINA_HOME/conf/jaas.config -Djava.security…

For this method (in the case of Unix, for instance) catalina.sh or catalina.bat can be the files used for it: since they already set a JAVA_OPTS parameter, it can be extended with these values.


After Tomcat has been configured successfully, open the URL; a login user name and password will be requested. After that the page loads, and no further login is needed later.

Test Kerberos on Linux

Steps

1. Install the krb5-workstation package on your test Linux machine, which contains the kinit and klist commands.

# yum install krb5-workstation

# which kinit

/usr/bin/kinit

2. Users should create the krb5.conf file to use the right KDC and the right realm. An example:

  http://book.51cto.com/art/201003/190643.htm

3. Set an environment variable KRB5_CONFIG pointing to the location of the krb5.conf file. The export command can be run from the bash shell as given below:

 export KRB5_CONFIG=/var/lib/hadoop-hdfs/krb5.conf

Make sure this krb5.conf is accessible.

4. Test from the command line

-bash-4.1$ kinit ztan@csdn.net

kinit: Cannot find KDC for requested realm while getting initial credentials

-bash-4.1$ export KRB5_CONFIG=/var/lib/hadoop-hdfs/krb5.conf

-bash-4.1$ kinit ztan@DOMAIN

Password for ztan@DOMAIN:  *****

-bash-4.1$ klist
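The first kinit attempt in the transcript above fails with "Cannot find KDC for requested realm" because, without a usable krb5.conf, the realm in the principal has no [realms] entry mapping it to a KDC. The added example below (not from the page or from MIT Kerberos) parses the krb5.conf profile format shown earlier in the article, including the brace-delimited realm blocks that a plain INI parser cannot handle, and reproduces the two lookups that matter for that error: which KDC a principal's realm resolves to, and which realm a hostname maps to via [domain_realm]. The embedded config is a constructed sample modelled on the one on the page; the function names are this example's own.

```python
import re

# Constructed sample modelled on the krb5.conf shown on the page (assumed values).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.COM
    forwardable = true

[realms]
    MYDOMAIN.COM = {
        kdc = mydomain.com:88
        admin_server = mydomain.com
        default_domain = mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format (INI sections plus {...} subsections).

    Every value is stored as a list because keys may repeat (several kdc lines);
    a subsection is stored as a dict inside that list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                       # start of a REALM = { ... } block
            sub = {}
            stack[-1].setdefault(key, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def default_realm(conf):
    return conf.get("libdefaults", {}).get("default_realm", [None])[0]


def kdcs_for_principal(conf, principal):
    """KDCs kinit would contact for this principal, from [realms] only.

    Real libkrb5 also tries DNS SRV records (_kerberos._udp.REALM) when
    dns_lookup_kdc is enabled; that path is not modelled here, so a realm with
    no [realms] entry produces the same error the transcript's first kinit shows."""
    realm = principal.rsplit("@", 1)[1] if "@" in principal else default_realm(conf)
    blocks = [b for b in conf.get("realms", {}).get(realm, []) if isinstance(b, dict)]
    kdcs = [kdc for b in blocks for kdc in b.get("kdc", [])]
    if not kdcs:
        raise LookupError(f"Cannot find KDC for requested realm {realm}")
    return kdcs


def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host first, then each '.suffix' from longest
    to shortest, falling back to default_realm."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix][0]
    return default_realm(conf)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("default realm:", default_realm(conf))
    print("KDCs for username@MYDOMAIN.COM:", kdcs_for_principal(conf, "username@MYDOMAIN.COM"))
    print("realm for web01.mydomain.com:", realm_for_host(conf, "web01.mydomain.com"))
```

Running the lookup against the krb5.conf you intend to export via KRB5_CONFIG is a quick way to confirm that the realm in your principal (upper case, exactly as in [realms]) actually resolves to a kdc line before you involve the network; if the file parses but the realm is missing, that is the configuration error kinit is reporting.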
