This article lists common commands for Kerberos administration, as a memo for myself. The platform is CentOS 6.
1. Package Installation
yum install krb5-libs krb5-workstation krb5-server
2. Configuration files (default locations for PivotalHD)
/var/kerberos/krb5kdc/kdc.conf
/etc/krb5.conf
/var/kerberos/krb5kdc/kadm5.acl
3. KDC database administration (kdb5_util)
kdb5_util allows an administrator to perform maintenance procedures on the KDC database.
Backup KDC database
[root@admin]# kdb5_util dump -verbose /backup/kdc.dump
HTTP/hdm.xxx.com@OPENKBINFO.COM
HTTP/hdw1.xxx.com@OPENKBINFO.COM
HTTP/hdw2.xxx.com@OPENKBINFO.COM
Then you can use "strings" to check the content of the dump file:
strings /backup/kdc.dump
Restore KDC database
kdb5_util load /backup/kdc.dump
Add a new master key
Adds a new master key to the master key principal, but does not mark it as active.
[root@admin]# kdb5_util add_mkey
Creating new master key for master key principal 'K/M@OPENKBINFO.COM'
You will be prompted for a new database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
List all master keys
List all master keys, from most recent to earliest, in the master key principal.
[root@admin]# kdb5_util list_mkeys
Master keys for Principal: K/M@OPENKBINFO.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
KVNO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969 *
Activate a new master key
Once a master key becomes active, it will be used to encrypt newly created principal keys.
kdb5_util use_mkey mkeyVNO [time]
eg:
[root@admin]# kdb5_util use_mkey 2
[root@admin]# kdb5_util list_mkeys
Master keys for Principal: K/M@OPENKBINFO.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Tue Jun 10 15:39:01 PDT 2014 *
KVNO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969
Update all principal keys to be encrypted in the new master key
Update all principal records (or only those matching the princ-pattern glob) so that their key data is re-encrypted under the active database master key, if it is currently encrypted under a different master key version, and report the number of principals updated at the end. The -n option is a dry run that only lists what would change.
[root@admin]# kdb5_util update_princ_encryption -v -n
Principals whose keys WOULD BE re-encrypted to master key vno 2:
would update: HTTP/hdm.xxx.com@OPENKBINFO.COM
(......)
would update: yarn/hdw3.xxx.com@OPENKBINFO.COM
22 principals processed: 22 would be updated, 0 already current
[root@admin]# kdb5_util update_princ_encryption -v
Re-encrypt all keys not using master key vno 2?
(type 'yes' to confirm)? yes
Principals whose keys are being re-encrypted to master key vno 2 if necessary:
updating: HTTP/hdm.xxx.com@OPENKBINFO.COM
skipping: HTTP/hdm.xxx.com@OPENKBINFO.COM
updating: HTTP/hdw1.xxx.com@OPENKBINFO.COM
(......)
23 principals processed: 22 updated, 1 already current
Update the stash file so it holds the new master key in place of the old one
[root@admin]# kdb5_util stash /var/kerberos/krb5kdc/.k5.OPENKBINFO.COM
Using existing stashed keys to update stash file.
Delete old master keys
Delete master keys from the master key principal that are not used to protect any principals.
[root@admin]# kdb5_util purge_mkeys -v -n
Would purge the follwing master key(s) from K/M@OPENKBINFO.COM:
KVNO: 1
1 key(s) would be purged.
[root@admin]# kdb5_util purge_mkeys -v
Will purge all unused master keys stored in the 'K/M@OPENKBINFO.COM' principal, are you sure?
(type 'yes' to confirm)? yes
OK, purging unused master keys from 'K/M@OPENKBINFO.COM'...
Purging the follwing master key(s) from K/M@OPENKBINFO.COM:
KVNO: 1
1 key(s) purged.
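The rollover above has an ordering hazard: purge_mkeys must only run after every principal has been re-encrypted under the new master key and the stash file has been rewritten, otherwise the KDC can no longer decrypt some principal keys. The following is an added example, not code from the original post, that parses the kdb5_util output formats shown above (list_mkeys and the update_princ_encryption -v -n dry run) and gates the purge on them. The SAMPLE_* strings are constructed from those formats; the rollover_status function is the live variant and is not run here.

```shell
#!/bin/sh
# Added example (not from the original post): guard rails around the master key
# rollover add_mkey -> use_mkey -> update_princ_encryption -> stash -> purge_mkeys.
# The parsers read the kdb5_util output formats shown on the page; the sample
# outputs below are constructed from those formats.

SAMPLE_LIST_MKEYS='Master keys for Principal: K/M@OPENKBINFO.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Tue Jun 10 15:39:01 PDT 2014 *
KVNO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969'

SAMPLE_DRYRUN_PENDING='Principals whose keys WOULD BE re-encrypted to master key vno 2:
would update: HTTP/hdm.xxx.com@OPENKBINFO.COM
would update: yarn/hdw3.xxx.com@OPENKBINFO.COM
22 principals processed: 22 would be updated, 0 already current'

SAMPLE_DRYRUN_DONE='Principals whose keys WOULD BE re-encrypted to master key vno 2:
23 principals processed: 0 would be updated, 23 already current'

# active_mkey_vno  (stdin: `kdb5_util list_mkeys` output)
# Print the KVNO of the active master key, i.e. the line marked with a trailing '*'.
active_mkey_vno() {
    sed -n 's/^KVNO: \([0-9]*\),.*\*$/\1/p' | head -n 1
}

# pending_reencrypt_count  (stdin: `kdb5_util update_princ_encryption -v -n` output)
# Print how many principals still have keys protected by an old master key.
pending_reencrypt_count() {
    sed -n 's/^[0-9]* principals processed: \([0-9]*\) would be updated,.*/\1/p' | head -n 1
}

# safe_to_purge PENDING_COUNT
# Succeed only when no principal depends on an old master key any more.
# Rewriting the stash file (kdb5_util stash) is still the caller's job.
safe_to_purge() {
    [ -n "$1" ] && [ "$1" -eq 0 ]
}

# rollover_status  (live variant; run as root on the KDC, not executed below)
# Print the active master KVNO and the pending count, and fail if purge_mkeys
# would be premature.
rollover_status() {
    vno=$(kdb5_util list_mkeys | active_mkey_vno)
    pending=$(kdb5_util update_princ_encryption -v -n | pending_reencrypt_count)
    echo "active master key vno: ${vno:-unknown}; principals pending re-encryption: ${pending:-unknown}"
    safe_to_purge "$pending"
}

# Demonstration on the constructed samples.
echo "sample active master key vno: $(printf '%s\n' "$SAMPLE_LIST_MKEYS" | active_mkey_vno)"
for sample in "$SAMPLE_DRYRUN_PENDING" "$SAMPLE_DRYRUN_DONE"; do
    n=$(printf '%s\n' "$sample" | pending_reencrypt_count)
    if safe_to_purge "$n"; then
        echo "$n pending: safe to run purge_mkeys"
    else
        echo "$n pending: do NOT purge old master keys yet"
    fi
done
```

On a real KDC, run the dry run until it reports "0 would be updated", rewrite the stash file, and only then purge; the -n dry run is cheap and can be re-run at any point.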
Create a new database
kdb5_util create -s
Destroy a database
kdb5_util destroy
4. Principal administration (kadmin.local)
List principals
kadmin.local: list_principals yarn*
yarn/hdm.xxx.com@OPENKBINFO.COM
yarn/hdw1.xxx.com@OPENKBINFO.COM
yarn/hdw2.xxx.com@OPENKBINFO.COM
yarn/hdw3.xxx.com@OPENKBINFO.COM
Viewing a Principal's Attributes
kadmin.local: getprinc yarn/hdm.xxx.com
Principal: yarn/hdm.xxx.com@OPENKBINFO.COM
Expiration date: [never]
Last password change: Sat Jun 07 14:49:36 PDT 2014
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jun 10 15:49:49 PDT 2014 (K/M@OPENKBINFO.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 2
Attributes:
Policy: [none]
Creating a New Principal
kadmin.local: addprinc mysuperman/admin@OPENKBINFO.COM
WARNING: no policy specified for mysuperman/admin@OPENKBINFO.COM; defaulting to no policy
Enter password for principal "mysuperman/admin@OPENKBINFO.COM":
Re-enter password for principal "mysuperman/admin@OPENKBINFO.COM":
Principal "mysuperman/admin@OPENKBINFO.COM" created.
Change the Password for a Principal
kadmin.local: cpw tim@OPENKBINFO.COM
Enter password for principal "tim@OPENKBINFO.COM":
Re-enter password for principal "tim@OPENKBINFO.COM":
Password for "tim@OPENKBINFO.COM" changed.
Or use kpasswd:
[root@admin ~]# kpasswd duncan2
Password for duncan2@OPENKBINFO.COM:
Enter new password:
Enter it again:
Delete a Principal
kadmin.local: delete_principal testuser
Are you sure you want to delete the principal "testuser@OPENKBINFO.COM"? (yes/no): yes
Principal "testuser@OPENKBINFO.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
Rename a Principal
kadmin.local: rename_principal duncan duncan2
Are you sure you want to rename the principal "duncan@OPENKBINFO.COM" to "duncan2@OPENKBINFO.COM"? (yes/no): yes
Principal "duncan@OPENKBINFO.COM" renamed to "duncan2@OPENKBINFO.COM".
Make sure that you have removed the old principal from all ACLs before reusing.
Modify a Principal to use Policy
kadmin.local: modify_principal -policy testpolicy duncan2
Principal "duncan2@OPENKBINFO.COM" modified.
Unlock a Principal
kadmin.local: modify_principal -unlock duncan2
Principal "duncan2@OPENKBINFO.COM" modified.
5. Policy administration
Create a Policy
kadmin.local: add_policy -minclasses 1 -minlength 5 -maxlife "999 days" -maxfailure 3 testpolicy
List policies
kadmin.local: list_policies
testpolicy
Modify a Policy
kadmin.local: modify_policy -minlength 3 testpolicy
Viewing a Kerberos Policy's Attributes
kadmin.local: get_policy testpolicy
Policy: testpolicy
Maximum password life: 86313600
Minimum password life: 0
Minimum password length: 3
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 0
Maximum password failures before lockout: 3
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
Delete a Policy
kadmin.local: delete_policy testpolicy
6. Keytab administration
Add Principals to a Keytab
kadmin.local: ktadd -norandkey -k /tmp/tmp.keytab duncan2@OPENKBINFO.COM
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/tmp.keytab.
Display Keylist (Principals) in a Keytab File
[root@admin ~]# klist -kt /tmp/tmp.keytab
Keytab name: FILE:/tmp/tmp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
Remove a Principal's Keys from a Keytab File
kadmin.local: ktremove -k /tmp/tmp.keytab duncan2@OPENKBINFO.COM
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Authentication using Keytab
kinit -kt /etc/security/phd/keytab/hdfs.service.keytab hdfs/hdm.xxx.com@OPENKBINFO.COM
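A keytab only works while the kvno of its entries matches the kvno the KDC holds for that principal (shown as "Key: vno N" in getprinc output above); ktadd without -norandkey, or a later password change, bumps the KDC kvno and silently leaves older keytab copies stale. The following is an added example, not code from the original post, that compares the two using the klist -kt and getprinc output formats shown on this page. The SAMPLE_* strings are constructed; check_keytab is the live variant and is not run here.

```shell
#!/bin/sh
# Added example (not from the original post): detect stale keytabs by comparing
# the kvno in `klist -kt` output with the kvno the KDC reports via getprinc.
# The sample outputs are constructed in the formats shown on the page.

SAMPLE_KLIST='Keytab name: FILE:/tmp/tmp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   2 06/11/14 09:00:00 yarn/hdm.xxx.com@OPENKBINFO.COM'

SAMPLE_GETPRINC='Principal: duncan2@OPENKBINFO.COM
Expiration date: [never]
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
MKey: vno 2
Attributes:
Policy: [none]'

# keytab_kvnos PRINCIPAL  (stdin: `klist -kt` output)
# Print the distinct kvnos the keytab holds for PRINCIPAL. With -kt the
# timestamp occupies two fields (date, time), so the principal is field 4.
keytab_kvnos() {
    awk -v p="$1" '$4 == p && $1 ~ /^[0-9]+$/ { print $1 }' | sort -un
}

# keytab_has_kvno PRINCIPAL KVNO  (stdin: `klist -kt` output)
# Succeed if the keytab contains at least one entry for PRINCIPAL at KVNO.
keytab_has_kvno() {
    awk -v p="$1" -v k="$2" '$1 == k && $4 == p { found = 1 } END { exit !found }'
}

# kdc_kvno  (stdin: `getprinc` output)
# Print the highest "Key: vno N" the KDC holds; "MKey: vno" is not matched.
kdc_kvno() {
    sed -n 's/^Key: vno \([0-9]*\),.*/\1/p' | sort -un | tail -n 1
}

# check_keytab PRINCIPAL KEYTAB  (live variant; needs kadmin.local, so root on
# the KDC; not executed below). Succeeds when KEYTAB holds the KDC's current kvno.
check_keytab() {
    kvno=$(kadmin.local -q "getprinc $1" | kdc_kvno)
    klist -kt "$2" | keytab_has_kvno "$1" "$kvno"
}

# Demonstration on the constructed samples: the KDC is at kvno 3, the keytab at 1.
princ=duncan2@OPENKBINFO.COM
kvno=$(printf '%s\n' "$SAMPLE_GETPRINC" | kdc_kvno)
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_kvno "$princ" "$kvno"; then
    echo "keytab is current for $princ (kvno $kvno)"
else
    have=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$princ" | tr '\n' ' ')
    echo "keytab is STALE for $princ: KDC has kvno $kvno, keytab has kvno(s) $have"
fi
```

When the check fails, the fix is to regenerate the keytab entry (ktadd, or ktadd -norandkey from kadmin.local if the principal's password must be kept) and redistribute it; klist -kt on each host is enough to audit copies that were never refreshed.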
7. Credential cache administration
List Principals in Credential Cache
[root@admin ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tim@OPENKBINFO.COM
Valid starting     Expires            Service principal
06/10/14 22:24:22  06/11/14 22:24:22  krbtgt/OPENKBINFO.COM@OPENKBINFO.COM
        renew until 06/17/14 22:24:22
Destroy Credential Cache
Note: this only destroys the credential cache of the current user; other users' caches under /tmp are untouched.
[testuser@admin ~]$ ls -altr /tmp/krb5*
-rw-------. 1 root root 741 Jun 10 22:24 /tmp/krb5cc_0
-rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
[root@admin ~]# kdestroy
[root@admin ~]# ls -altr /tmp/krb*
-rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
[root@admin ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
8. Kerberos services
KDC service
/etc/init.d/krb5kdc start
kadmin service
/etc/init.d/kadmin start