Kerberos: collected reference material
Source: Internet  Editor: 程序博客网  Time: 2024/05/18 03:42
Creating Kerberos Keytab Files Compatible with Active Directory
Before I demonstrate how to create the keytab, a word about encryption. There are a number of encryption types (enctypes) used to derive a key from a password. These include DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC and a few others. Active Directory uses RC4-HMAC by default. Back in Windows 2000, you could also use the DES types without any trouble, but since Windows 2003 only RC4-HMAC is supported unless you make a registry change (on all of your domain controllers). If you need to use DES for some reason, refer to the Technet article at the bottom of the page.
Before attempting to create a keytab file, you'll need to know the user's Kerberos principal name, in the form username@MYDOMAIN.COM, and the user's password.
Creating a Keytab on Windows (tested on Windows Server 2008 R2)
Open a command prompt and type the following command:
ktpass /princ spn /pass password /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /out username.keytab
http://technet.microsoft.com/en-us/library/cc753771.aspx
ktpass
    [/out <FileName>]
    [/princ <PrincipalName>]
    [/mapuser <UserAccount>]
    [/mapop {add|set}] [{-|+}desonly] [/in <FileName>]
    [/pass {Password|*|{-|+}rndpass}]
    [/minpass]
    [/maxpass]
    [/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]
    [/itercount]
    [/ptype {KRB5_NT_PRINCIPAL|KRB5_NT_SRV_INST|KRB5_NT_SRV_HST}]
    [/kvno <KeyVersionNum>]
    [/answer {-|+}]
    [/target]
    [/rawsalt] [{-|+}dumpsalt] [{-|+}setupn] [{-|+}setpass <Password>] [/?|/h|/help]
Creating a Keytab on Ubuntu Linux (tested on Ubuntu 10.10 - Maverick Meerkat)
Open a terminal window and type the following commands:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/ktutil.html
ktutil
ktutil:  addent -password -p username@MYDOMAIN.COM -k 1 -e RC4-HMAC
Password for username@MYDOMAIN.COM:  - enter the password for username -
ktutil:  wkt username.keytab
ktutil:  q
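Before reaching for kinit, it is worth checking what the keytab actually holds. The Python below is an added example, not part of the original notes: it writes and reads the version 0x0502 keytab layout that ktutil and ktpass produce, listing each entry's principal, kvno and enctype the way klist -k -e does, so you can confirm the entry is RC4-HMAC (enctype 23) with the kvno you asked for. The principal, the 16 key bytes and the kvno in SAMPLE are constructed values.

```python
import struct
# Enctype numbers (RFC 3961 / RFC 4757) and the name types that ktpass /ptype accepts
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _octets(b):  # counted_octet_string: big-endian uint16 length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Write (principal, kvno, enctype, key, name_type) tuples as a version 0x0502 keytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key, name_type in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # timestamp 0 (constructed), vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """List each entry's principal, kvno, enctype and name type, like `klist -k -e`."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                       # a negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        ncomp, pos, strs = struct.unpack_from(">H", data, pos)[0], pos + 2, []
        for _ in range(ncomp + 1):         # realm comes first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            strs.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": vno32 or vno8,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": klen,
                        "name_type": NAME_TYPES.get(name_type, str(name_type))})
        pos = end
    return entries
# Constructed sample: the entry `ktutil addent -password -k 1 -e RC4-HMAC` then `wkt` would write
SAMPLE = build_keytab([("username@MYDOMAIN.COM", 1, 23, b"\x11" * 16, 1)])
```

To inspect a real file, pass `open("username.keytab", "rb").read()` to `parse_keytab` and compare the enctype and kvno with what the domain controller holds.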
Testing the Keytab File
Now, in order to test the keytab, you'll need a copy of kinit. You can use the version that's on Ubuntu, or, on Windows, you can install the latest Java runtime from Sun (JRE). In either case, you'll need to set up your /etc/krb5.conf file (on Linux) or c:\windows\krb5.ini (on Windows). Either file should look something like this:
[libdefaults]
    default_realm = MYDOMAIN.COM
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    MYDOMAIN.COM = {
        kdc = mydomain.com:88
        admin_server = mydomain.com
        default_domain = mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM

[login]
    krb4_convert = true
    krb4_get_tickets = false
Once you've got your Kerberos config file set up, you can use kinit to test the keytab. First, try to log on with your user account without using the keytab:
kinit username@MYDOMAIN.COM
- enter the password -
If that doesn't work, your krb5 config file is wrong. If it does work, now try the keytab file:
kinit -k -t username.keytab username@MYDOMAIN.COM
Now you should authenticate successfully without being prompted for a password. Success!
For Windows, the detailed steps are at: http://janusdo.iteye.com/blog/564749
Hints:
1) Check that the SPN has been mapped to the user:
setspn -L user
If this fails with "Ldap Error(0x22 -- Invalid DN Syntax): ldap_search_s", check that there is no comma in the CN (name).
2) When generating the keytab file, some sources suggest using username@DOMAIN as the principal while others use SERVICE/HOST[:PORT]@DOMAIN; which form is right depends on the application.
Configure Tomcat Kerberos Authentication
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
1) If you have the Tomcat Monitor:
· Start the Tomcat Monitor (or select Configure Tomcat and skip the next step)
· Right-click the Tomcat Monitor and select Configure
· Go to the Java tab and, at the end of the Java Options, add the three additional Java parameters (the same -D options listed under 2a below)
2) If you don't have the Tomcat Monitor:
a) Set the JVM parameters in the .cshrc file (on Unix) by setting JAVA_OPTS to:
-Djava.security.auth.login.config=${CATALINA_HOME}/conf/jaas.conf
-Djava.security.krb5.conf=${CATALINA_HOME}/conf/krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false
b) Set up a login.config file for Java (see the JAAS Login Config file) and tell Tomcat where to find it by passing its location to the JVM, for instance through the environment variable: JAVA_OPTS=$JAVA_OPTS -Djava.security.auth.login.config==$CATALINA_HOME/conf/jaas.config -Djava.security…
For this method (on Unix, for instance) catalina.sh or catalina.bat can carry these values, since they already set a JAVA_OPTS parameter that can be extended with them.
Once Tomcat has been configured successfully, open the URL: a login user name and password are requested once; after that the page loads and no further login information is needed.
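The JAAS login configuration that step 2b points the JVM at is not shown above. The following is an added example, not from the original notes or the Tomcat documentation, of the two entries Java's GSS layer looks up when useSubjectCredsOnly=false, both configured to take the key from a keytab instead of prompting; the principal HTTP/tomcat.mydomain.com@MYDOMAIN.COM and the keytab path are placeholders.

```jaas
/* Entry used when Tomcat obtains its own initial credentials (initiator side). */
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/tomcat.mydomain.com@MYDOMAIN.COM"  /* placeholder SPN: service/host@REALM */
        useKeyTab=true
        keyTab="/opt/tomcat/conf/tomcat.keytab"            /* placeholder path to the ktpass output */
        storeKey=true;
};

/* Entry used when Tomcat accepts the SPNEGO token sent by the browser (acceptor side). */
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/tomcat.mydomain.com@MYDOMAIN.COM"
        useKeyTab=true
        keyTab="/opt/tomcat/conf/tomcat.keytab"
        storeKey=true
        isInitiator=false;
};
```

The principal must match the SPN the keytab was built for (Hint 2 above); a mismatch shows up as a login failure when the first SPNEGO request arrives.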
Test Kerberos on Linux
Steps
1. Install the krb5-workstation package on your test Linux machine; it contains the kinit and klist commands.
# yum install krb5-workstation
# which kinit
/usr/bin/kinit
2. Create a krb5.conf file that points at the right KDC and the right realm. An example:
http://book.51cto.com/art/201003/190643.htm
3. Set the environment variable KRB5_CONFIG to the location of the krb5.conf file. From the bash shell, the export command is:
export KRB5_CONFIG=/var/lib/hadoop-hdfs/krb5.conf
Make sure this krb5.conf is accessible (readable by the user running kinit).
4. Test from command line
-bash-4.1$ kinit ztan@csdn.net
kinit: Cannot find KDC for requested realm while getting initial credentials
-bash-4.1$ export KRB5_CONFIG=/var/lib/hadoop-hdfs/krb5.conf
-bash-4.1$ kinit ztan@DOMAIN
Password for ztan@DOMAIN: *****
-bash-4.1$ klist
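The "Cannot find KDC for requested realm" message above is what kinit prints when the krb5.conf it reads has no usable [realms] entry for the realm (and no DNS SRV records fill the gap). As an added example, not part of the original notes, the Python below parses the krb5.conf layout shown earlier and reports the omissions that lead to that error; SAMPLE_KRB5_CONF is a constructed file with the kdc line deliberately missing.

```python
# Constructed krb5.conf in the layout shown earlier, with the kdc line for the
# default realm left out so that check_realm_config has something to report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.COM
    forwardable = true
[realms]
    MYDOMAIN.COM = {
        admin_server = mydomain.com
        default_domain = mydomain.com
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
"""

def parse_krb5_conf(text):
    """Parse MIT profile syntax: [section] headers, key = value lines, nested `name = { ... }` blocks."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)  # repeated keys (e.g. kdc) keep every value
    return root

def check_realm_config(conf):
    """Report what makes kinit fail with 'Cannot find KDC for requested realm' when DNS SRV lookup
    is unavailable (no default_realm, no [realms] entry, no kdc), plus a missing [domain_realm] map."""
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    problems, entry = [], conf.get("realms", {}).get(realm)
    if entry is None:
        problems.append("[realms] has no entry for %s" % realm)
    elif "kdc" not in entry:
        problems.append("[realms] %s defines no kdc" % realm)
    if realm not in {v[0] for v in conf.get("domain_realm", {}).values()}:
        problems.append("[domain_realm] maps no DNS domain to %s" % realm)
    return problems
```

Run `check_realm_config(parse_krb5_conf(open(os.environ["KRB5_CONFIG"]).read()))` on the file kinit is actually reading; an empty list means the realm section is complete.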