Kerberos

系統服務的 Kerberos 客戶端身份驗證

  • November 13, 2019

我在需要訪問域/AD 上的 SQL Server 數據庫的 Ubuntu 18.04 機器上執行網路伺服器(在本例中為氣流)。

問:如何在 systemd 服務中使用 Kerberos 身份驗證來訪問域上的 MSSQL 數據庫?

Subqestion:如何自動續訂票證?我用k5start辛苦了一段時間沒有成功,有沒有標準化的方法來做到這一點?

從外殼執行:

airflow@airflow:~$ kinit airflow@EXAMPLE.COM
Password for airflow@EXAMPLE.COM:
airflow@airflow:~$ klist -A
Ticket cache: KEYRING:persistent:478604841:478604841
Default principal: airflow@EXAMPLE.COM

Valid starting       Expires              Service principal
11/08/2019 22:34:41  11/09/2019 08:34:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 11/09/2019 08:34:41
airflow@airflow:~$ airflow webserver

結果:webserver 成功通過 Kerberos 連接到 SQL Server

旁注:如上執行 Web 伺服器後,klist顯示 SQL Server 的 SPN:

airflow@airflow:~$ klist
Ticket cache: KEYRING:persistent:478604841:478604841
Default principal: airflow@EXAMPLE.COM

Valid starting       Expires              Service principal
11/08/2019 23:00:22  11/09/2019 09:00:18  MSSQLSvc/dbserver.example.com:1433@EXAMPLE.COM
       renew until 11/15/2019 23:00:14
11/08/2019 23:00:18  11/09/2019 09:00:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 11/15/2019 23:00:14

Kinit 然後啟動服務

airflow@airflow:~$ kinit airflow@EXAMPLE.COM
airflow@airflow:~$ sudo service airflow-webserver start
airflow@airflow:~$ journalctl -u airflow-webserver.service -xe

輸出

Nov 08 18:12:11 airflow airflow[54723]:   File "/home/EXAMPLE.COM/airflow/.pyenv/versions/3.7.4/lib/python3.7/site-packages/sqlalchemy/engine/default.py", line 481, in connect
Nov 08 18:12:11 airflow airflow[54723]:     return self.dbapi.connect(*cargs, **cparams)
Nov 08 18:12:11 airflow airflow[54723]: sqlalchemy.exc.DBAPIError: (pyodbc.Error) ('HY000', '[HY000] [Microsoft][ODBC Driver 17 for SQL Server]SSPI Provider: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_478604841) (851968) (SQLDriverConnect)')
Nov 08 18:12:11 airflow airflow[54723]: (Background on this error at: http://sqlalche.me/e/dbapi)

/etc/krb5.conf

[libdefaults]
       default_realm = EXAMPLE.COM
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
       ccache_type = 5
       default_ccache_name = KEYRING:persistent:%{uid}
       default_client_keytab_name = /home/%d/%u.keytab
[realms]
       EXAMPLE.COM = {
               kdc = exampledc1.example.com
               kdc = exampledc2.example.com
       }

[domain_realm]
       .example.com = EXAMPLE.COM
       example.com = EXAMPLE.COM

/etc/systemd/system/airflow-webserver.service

[Unit]
Description=Airflow web server daemon
After=network.target

[Service]
EnvironmentFile=/etc/sysconfig/airflow
User=airflow
Group=airflow
Type=simple
ExecStart = /home/EXAMPLE.COM/airflow/.pyenv/versions/3.7.4/bin/airflow webserver
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

執行此操作的常用方法是使用一個單獨的服務來保持您的 Kerberos 票證刷新,並在 MS SQL 服務中將KRB5CCNAME環境變數設置為其他服務保持刷新的憑據記憶體的路徑。

在 MS SQL 服務中:

# systemd service file
...
[Service]
Environment="KRB5CCNAME=FILE:/tmp/cache.tkt"
...

這是“刷新”服務:

[Unit]
Description=My Kerberos Ticket Service
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/k5start -U -f /path/to/keytab \
        -k /tmp/cache.tkt -l 10h -K 30 \
        -m 600 -o root -g root

# Restart on any failure after 5 seconds
Restart=on-failure
RestartSec=5s

您可能需要調整憑據記憶體文件權限,以確保 MS SQL 服務可以讀取該文件。當然,您需要有一個帶有正確憑據的 keytab 文件。

引用自:https://serverfault.com/questions/991167