[Kerberos] Basic Usage

2025/2/23 1:51:37  Source: https://blog.csdn.net/qq_37871657/article/details/140955044

Common commands

KDC

Log in to the KDC admin console

kadmin.local

After logging in, enter ? to list the available commands


kadmin.local:  ?
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin.local:

List users

kadmin.local: listprincs

Create a user

kadmin.local:  addprinc testprince
WARNING: no policy specified for testprince@CDHKRB.COM; defaulting to no policy
Enter password for principal "testprince@CDHKRB.COM": 
Re-enter password for principal "testprince@CDHKRB.COM": 
Principal "testprince@CDHKRB.COM" created.
kadmin.local:

Delete a user

kadmin.local:  delprinc testprince
Are you sure you want to delete the principal "testprince@CDHKRB.COM"? (yes/no): yes
Principal "testprince@CDHKRB.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin.local:

Export a user's keytab file

kadmin.local:  ktadd -k /tmp/testprince.keytab -norandkey testprince@CDHKRB.COM
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/testprince.keytab.
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/testprince.keytab.
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/testprince.keytab.
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/testprince.keytab.
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:/tmp/testprince.keytab.
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:/tmp/testprince.keytab.
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/testprince.keytab.
Entry for principal testprince@CDHKRB.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/testprince.keytab.
kadmin.local:

Exit the KDC admin console

quit

Client commands

Log in to an account

[root@master35 ~]# kinit testprince
Password for testprince@CDHKRB.COM: 
[root@master35 ~]# 

Check login status

[root@master35 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_22wYppU
Default principal: testprince@CDHKRB.COM

Valid starting       Expires              Service principal
2024-08-06T15:01:27  2024-08-07T15:01:27  krbtgt/CDHKRB.COM@CDHKRB.COM
[root@master35 ~]#

Log in with a keytab file

[root@master35 ~]# kinit -kt /tmp/testprince.keytab testprince
[root@master35 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_22wYppU
Default principal: testprince@CDHKRB.COM

Valid starting       Expires              Service principal
2024-08-06T15:03:44  2024-08-07T15:03:44  krbtgt/CDHKRB.COM@CDHKRB.COM
[root@master35 ~]# 

Log out

[root@master35 ~]# kdestroy
Other credential caches present, use -A to destroy all
[root@master35 ~]# klist
klist: Credentials cache keyring 'persistent:0:krb_ccache_UBTf6Jz' not found
[root@master35 ~]# 

View the account information in a keytab file

[root@master35 ~]# klist -ket /tmp/testprince.keytab 
Keytab name: FILE:/tmp/testprince.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (aes256-cts-hmac-sha1-96)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (aes128-cts-hmac-sha1-96)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (des3-cbc-sha1)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (arcfour-hmac)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (camellia256-cts-cmac)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (camellia128-cts-cmac)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (des-hmac-sha1)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (des-cbc-md5)
[root@master35 ~]#
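
The keytab listed above holds single-DES, 3DES and RC4 (arcfour-hmac) keys next to the AES ones, and those enctypes are deprecated. The following is an added example, not part of the original post: a shell function that reads klist -ket output on stdin and reports such entries. The function names audit_keytab_listing and sample_listing are hypothetical, and the embedded listing is constructed from the entries shown on this page.

```shell
#!/bin/sh
# Added example: flag weak or deprecated enctypes in `klist -ket` output.
# Reads the listing on stdin, prints "WEAK <kvno> <principal> <enctype>" for
# each offending entry, and returns 1 if any were found (0 otherwise).
audit_keytab_listing() {
    awk '
        # Entry lines start with a numeric KVNO and end with "(enctype)".
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = substr($NF, 2, length($NF) - 2)
            sub(/^DEPRECATED:/, "", enc)   # prefix printed by newer MIT krb5
            # Single DES, 3DES and RC4 (arcfour) are the deprecated families.
            if (enc ~ /^(des-|des3-|arcfour-|rc4-)/) {
                printf "WEAK %s %s %s\n", $1, $(NF-1), enc
                weak++
            }
        }
        END { exit (weak > 0 ? 1 : 0) }
    '
}

# Constructed sample: the eight entries from the listing on this page.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/tmp/testprince.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (aes256-cts-hmac-sha1-96)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (aes128-cts-hmac-sha1-96)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (des3-cbc-sha1)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (arcfour-hmac)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (camellia256-cts-cmac)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (camellia128-cts-cmac)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (des-hmac-sha1)
   1 2024-08-06T14:59:29 testprince@CDHKRB.COM (des-cbc-md5)
EOF
}

# Demo run; for a real file: klist -ket <keytab> | audit_keytab_listing
if sample_listing | audit_keytab_listing; then
    echo "no weak enctypes"
else
    echo "weak enctypes present"
fi
```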
