Kerberos
Kerberos client authentication for a system service
I am running a web server (in this case Airflow) on an Ubuntu 18.04 machine that needs to access a SQL Server database on the domain/AD.
Q: How do I use Kerberos authentication in a systemd service to access an MSSQL database on the domain?
Subquestion: How do I automatically renew the ticket? I struggled with k5start for a while without success; is there a standardized way to do this?
Running from the shell:
airflow@airflow:~$ kinit airflow@EXAMPLE.COM
Password for airflow@EXAMPLE.COM:
airflow@airflow:~$ klist -A
Ticket cache: KEYRING:persistent:478604841:478604841
Default principal: airflow@EXAMPLE.COM

Valid starting       Expires              Service principal
11/08/2019 22:34:41  11/09/2019 08:34:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 11/09/2019 08:34:41
airflow@airflow:~$ airflow webserver
Result: the webserver successfully connects to SQL Server via Kerberos.
Side note: after running the web server as above, klist shows the SPN for SQL Server:
airflow@airflow:~$ klist
Ticket cache: KEYRING:persistent:478604841:478604841
Default principal: airflow@EXAMPLE.COM

Valid starting       Expires              Service principal
11/08/2019 23:00:22  11/09/2019 09:00:18  MSSQLSvc/dbserver.example.com:1433@EXAMPLE.COM
	renew until 11/15/2019 23:00:14
11/08/2019 23:00:18  11/09/2019 09:00:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 11/15/2019 23:00:14
kinit, then start the service:
airflow@airflow:~$ kinit airflow@EXAMPLE.COM
airflow@airflow:~$ sudo service airflow-webserver start
airflow@airflow:~$ journalctl -u airflow-webserver.service -xe
Output:
Nov 08 18:12:11 airflow airflow[54723]:   File "/home/EXAMPLE.COM/airflow/.pyenv/versions/3.7.4/lib/python3.7/site-packages/sqlalchemy/engine/default.py", line 481, in connect
Nov 08 18:12:11 airflow airflow[54723]:     return self.dbapi.connect(*cargs, **cparams)
Nov 08 18:12:11 airflow airflow[54723]: sqlalchemy.exc.DBAPIError: (pyodbc.Error) ('HY000', '[HY000] [Microsoft][ODBC Driver 17 for SQL Server]SSPI Provider: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_478604841) (851968) (SQLDriverConnect)')
Nov 08 18:12:11 airflow airflow[54723]: (Background on this error at: http://sqlalche.me/e/dbapi)
/etc/krb5.conf:
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    ccache_type = 5
    default_ccache_name = KEYRING:persistent:%{uid}
    default_client_keytab_name = /home/%d/%u.keytab

[realms]
    EXAMPLE.COM = {
        kdc = exampledc1.example.com
        kdc = exampledc2.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
/etc/systemd/system/airflow-webserver.service:
[Unit]
Description=Airflow web server daemon
After=network.target

[Service]
EnvironmentFile=/etc/sysconfig/airflow
User=airflow
Group=airflow
Type=simple
ExecStart = /home/EXAMPLE.COM/airflow/.pyenv/versions/3.7.4/bin/airflow webserver
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
The usual way to do this is to use a separate service that keeps your Kerberos ticket refreshed, and in the MS SQL service to set the KRB5CCNAME environment variable to the path of the credential cache that the other service keeps refreshed. In the MS SQL service:
# systemd service file
...
[Service]
Environment="KRB5CCNAME=FILE:/tmp/cache.tkt"
...
And this is the "refresh" service:
[Unit]
Description=My Kerberos Ticket Service
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/k5start -U -f /path/to/keytab \
    -k /tmp/cache.tkt -l 10h -K 30 \
    -m 600 -o root -g root
# Restart on any failure after 5 seconds
Restart=on-failure
RestartSec=5s
You may need to adjust the credential cache file permissions to make sure the MS SQL service can read the file. And of course you need a keytab file with the correct credentials.
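Putting the answer's two halves together for the question's Airflow unit, as an added example that is not part of the answer or of the k5start project: k5start runs as the airflow account itself, so the cache is readable by the web server without any ownership adjustment, and the web server unit depends on the ticket unit and checks the cache before starting. The keytab path, the cache path under /var/lib/airflow (a directory assumed to exist and be owned by airflow) and the unit name airflow-krb5.service are assumptions.

```ini
# /etc/systemd/system/airflow-krb5.service  (assumed unit name)
[Unit]
Description=Keep a Kerberos ticket cache fresh for the airflow service account
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=airflow
Group=airflow
# Keytab path is a placeholder; the file should be mode 0400, owned by airflow.
# -U: take the principal from the keytab; -f: keytab; -k: cache file to write;
# -l: ticket lifetime; -K 30: keep running and re-check every 30 minutes,
# renewing or re-acquiring before expiry; -m 600: cache file mode.
ExecStart=/usr/bin/k5start -U -f /etc/airflow/airflow.keytab \
    -k /var/lib/airflow/krb5cc -l 10h -K 30 -m 600
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/airflow-webserver.service (the question's unit, amended)
[Unit]
Description=Airflow web server daemon
# Stop the web server together with the ticket service and start it only after it.
Requires=airflow-krb5.service
After=network.target airflow-krb5.service

[Service]
EnvironmentFile=/etc/sysconfig/airflow
User=airflow
Group=airflow
Type=simple
# Point libkrb5 at the shared cache instead of the per-uid default from krb5.conf.
Environment=KRB5CCNAME=FILE:/var/lib/airflow/krb5cc
# klist -s is silent and exits non-zero unless the cache holds a valid TGT;
# if k5start has not written it yet, the failed pre-check plus Restart= retries.
ExecStartPre=/usr/bin/klist -s -c /var/lib/airflow/krb5cc
ExecStart=/home/EXAMPLE.COM/airflow/.pyenv/versions/3.7.4/bin/airflow webserver
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```

Because both units run as the same unprivileged account, the keytab is the only secret that needs protecting, and the root-owned cache from the answer (with its -o/-g re-ownership) is not needed.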