Centos

Configuring Kerberos/PAM on CentOS 7

  • November 4, 2017

I am trying out Kerberos on two VMs running CentOS 7. One VM acts as the server, the other as the client host that users are supposed to log in to.

My complete setup is shown below. When I create a new user to test my setup, that user can log in to the client host via SSH (or directly) and automatically gets a Kerberos TGT (klist). But if I run passwd to change the password, I get an error.

In the logs (via journalctl) I see the following messages while the password change is being authenticated (with the old password):

unix_chkpwd[8790]: password check failed for user (demouser)
passwd[8788]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1001 euid=0 tty=pts/2 ruser= rhost=  user=demouser

Then I type the new password twice and get these additional messages in the log:

unix_chkpwd[8792]: password check failed for user (demouser)
passwd[8788]: pam_unix(passwd:chauthtok): user password changed by another process
passwd[8788]: pam_krb5[8788]: password change failed for demouser@EXAMPLE.COM: Cannot contact any KDC for requested realm
passwd[8788]: PAM 1 more authentication failure; logname= uid=1001 euid=0 tty=pts/2 ruser= rhost=  user=demouser

Then on the console I get this message:

passwd: Authentication token manipulation error

Any idea why login works but changing the password does not? How can I fix this?


Server configuration (VM1)

# collect input
DOMAIN=$(hostname -d)
REALM=$(echo "$DOMAIN" | tr '[:lower:]' '[:upper:]')
read -s -p "Kerberos DB Master Password: " KRB_DBMASTER_PW && echo
read -s -p "Kerberos root/admin Password: " KRB_ROOT_PW && echo

# setup ntp
yum -y install ntp
systemctl start ntpd
systemctl enable ntpd

# install kerberos
yum -y install krb5-server krb5-workstation

# replace realm and domain in krb5.conf
sed -i 's|^\(# Confi\)|#\1|' /etc/krb5.conf
sed -i 's|^#||' /etc/krb5.conf
sed -i "s|EXAMPLE\.COM|$REALM|" /etc/krb5.conf
sed -i "s|kerberos\.example\.com|$(hostname -f)|" /etc/krb5.conf
sed -i "s|example\.com|$DOMAIN|" /etc/krb5.conf

# replace realm in kdc.conf and kadm5.acl
sed -i "s|EXAMPLE\.COM|$REALM|" /var/kerberos/krb5kdc/kdc.conf
sed -i "s|EXAMPLE\.COM|$REALM|" /var/kerberos/krb5kdc/kadm5.acl

# initialize kerberos db
echo -e "${KRB_DBMASTER_PW}\n${KRB_DBMASTER_PW}" | kdb5_util create -s -r $REALM

# start kerberos services
systemctl enable kadmin
systemctl enable krb5kdc
systemctl start kadmin
systemctl start krb5kdc
firewall-cmd --permanent --add-service kerberos
firewall-cmd --reload

# add root/admin principal
cat <<EOF | kadmin.local
addprinc root/admin
$KRB_ROOT_PW
$KRB_ROOT_PW
quit
EOF

Client configuration (VM2)

# collect input
DOMAIN=$(hostname -d)
REALM=$(echo "$DOMAIN" | tr '[:lower:]' '[:upper:]')
read -p "Server hostname: " SERVER_HOSTNAME
read -s -p "Kerberos root/admin Password: " KRB_ROOT_PW && echo

# setup ntp
yum -y install ntp
systemctl start ntpd
systemctl enable ntpd

# setup kerberos
yum -y install krb5-workstation pam_krb5

# create host principal for this client on the kerberos server
cat <<EOF | ssh -t $SERVER_HOSTNAME "sudo kadmin.local ; sudo chown $USER /tmp/$(hostname -s).keytab"
addprinc -randkey host/$(hostname -f)
ktadd -k /tmp/$(hostname -s).keytab host/$(hostname -f)
quit
EOF
scp $SERVER_HOSTNAME:\{/tmp/$(hostname -s).keytab,/etc/krb5.conf\} /tmp

# replace krb5.conf
cp /tmp/krb5.conf /etc

# import host key on client
cat <<EOF | ktutil
rkt /tmp/$(hostname -s).keytab
wkt /etc/krb5.keytab
quit
EOF

# configure pam
authconfig --enablekrb5 --update

Testing with a new user

  1. Create the user principal on the server (VM1)
kadmin
   addprinc demouser
   quit
  2. Create the local user on the client (VM2)
useradd -m -s /bin/bash demouser
  3. Log in and change the password (from a workstation)
ssh demouser@krbclient
   passwd

I found the solution: the following command was missing from the server setup:

firewall-cmd --permanent --add-service kpasswd

(immediately before firewall-cmd --reload)
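An added diagnostic for the failure mode above (my own script, not part of the original post): it reads the realm's kdc and admin_server/kpasswd_server entries from a krb5.conf and probes the two ports over TCP. Login only needs the KDC on port 88, which the firewalld "kerberos" service opens; passwd also needs kpasswd on port 464, which only the "kpasswd" service opens. The script and file path krb-ports.sh are assumptions.

```bash
#!/bin/bash
# Added diagnostic (not from the original post): list a realm's KDC and
# password-change endpoints from krb5.conf and check TCP reachability.
# Port 88 = KDC (login, firewalld service "kerberos");
# port 464 = kpasswd (password change, firewalld service "kpasswd").

# krb_realm_endpoints CONF REALM  ->  lines of "ROLE HOST PORT"
krb_realm_endpoints() {
  awk -v realm="$2" '
    /^[ \t]*\[realms\]/ { in_realms = 1; next }
    /^[ \t]*\[/         { in_realms = 0 }
    in_realms && $0 ~ ("^[ \t]*" realm "[ \t]*=[ \t]*[{]") { in_stanza = 1; next }
    in_stanza && /^[ \t]*[}]/ { in_stanza = 0 }
    in_stanza && /=/ {
      split($0, kv, "="); key = kv[1]; val = kv[2]
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      n = split(val, hp, ":")               # optional host:port form
      if (key == "kdc") {
        print "kdc", hp[1], (n > 1 ? hp[2] : 88)
      } else if (key == "admin_server") {
        admin = hp[1]
      } else if (key == "kpasswd_server") {
        kp = hp[1]; kpport = (n > 1 ? hp[2] : 464)
      }
    }
    END {
      # MIT krb5: without kpasswd_server, the admin_server host on 464 is used
      if (kp != "")         print "kpasswd", kp, kpport
      else if (admin != "") print "kpasswd", admin, 464
    }' "$1"
}

# krb_check_endpoints CONF REALM  ->  "ROLE HOST PORT open|closed" per line;
# returns 1 if any port is closed (TCP only; firewalld opens TCP and UDP together)
krb_check_endpoints() {
  krb_realm_endpoints "$1" "$2" | {
    rc=0
    while read -r role host port; do
      if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "$role $host $port open"
      else
        echo "$role $host $port closed"; rc=1
      fi
    done
    exit $rc
  }
}

# Usage on the client:  ./krb-ports.sh /etc/krb5.conf "$REALM"
if [ -n "${1:-}" ]; then krb_check_endpoints "$1" "$2"; fi
```

With the original server setup the kdc line reports open and the kpasswd line reports closed; after adding the kpasswd service both report open.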

Quoted from: https://serverfault.com/questions/881762