支持控制台(Console)开发人员开始试用联系人

11.14. Kerberos 集成

Kerberos 是一种计算机网络安全协议,它提供了一个集中的身份验证服务器,用于验证对服务器的用户,反之亦然。在 Kerberos 身份验证中,服务器和数据库用于客户端身份验证。

11.14.1. 设置 KDC (根据要求)

Kerberos 作为第三方可信服务器运行,称为密钥分发中心(KDC),其中网络上的每个用户和服务都是一个主体。KDC 包含有关其所有客户端(用户主体、服务主体)的信息,因此需要安全。在 Kerberos 设置中,因为 KDC 是单一故障点,建议有一个主 KDC 和多个从 KDC。

先决条件

验证 /etc/hosts 文件中是否进行了以下更改:如果需要,添加域名。 

[root@chost ~]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.208.97	        ceph-node1-installer.ibm.com	ceph-node1-installer
10.0.210.243	ceph-node2.ibm.com	ceph-node2
10.0.208.63	        ceph-node3.ibm.com	ceph-node3
10.0.210.222	ceph-node4.ibm.com	ceph-node4
10.0.210.235	ceph-node5.ibm.com	ceph-node5
10.0.209.87	        ceph-node6.ibm.com	ceph-node6
10.0.208.89	        ceph-node7.ibm.com	ceph-node7
重要

确保设置中的所有涉及节点的域名(Ceph 集群中的所有节点以及所有 NFS 客户端节点)都存在。

流程

按照以下步骤安装和配置 KDC。如果您已经安装和配置了 KDC,请跳过此部分。

  1. 检查所需 RPM 是否安装在您要设置 KDC 的机器上。 

    [root@host ~]# rpm -qa | grep krb5

krb5-libs-1.20.1-9.el9_2.x86_64
krb5-pkinit-1.20.1-9.el9_2.x86_64
krb5-server-1.20.1-9.el9_2.x86_64
krb5-server-ldap-1.20.1-9.el9_2.x86_64
krb5-devel-1.20.1-9.el9_2.x86_64
krb5-workstation-1.20.1-9.el9_2.x86_64
    注意
    • 根据 Kerberos REALM 名称,最好使用域名。例如,Realm - PUNE.IBM.COM,管理主体 - admin/admin
    • 编辑安装的配置文件,以反映新的 KDC。请注意,KDC 可以作为 IP 地址或 DNS 名称提供。

  2. 更新 krb5.conf 文件:

    注意

    您需要使用 krb5.conf 文件中的 kdcadmin_server IP 更新所有域(default_realmdomain_realm)。 

    [root@host ~]# cat /etc/krb5.conf

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.

includedir /etc/krb5.conf.d/
[logging]
    default = [FILE:/var/log/krb5libs.log](file:///var/log/krb5libs.log)
    kdc = [FILE:/var/log/krb5kdc.log](file:///var/log/krb5kdc.log)
    admin_server = [FILE:/var/log/kadmind.log](file:///var/log/kadmind.log)
[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = [FILE:/etc/pki/tls/certs/ca-bundle.crt](file:///etc/pki/tls/certs/ca-bundle.crt)
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_realm = PUNE.IBM.COM
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
    PUNE.IBM.COM = {
       kdc = 10.0.210.222:88
       admin_server = 10.0.210.222:749
    }
[domain_realm]
  .redhat.com = PUNE.IBM.COM
  redhat.com = PUNE.IBM.COM

  3. 更新 krb5.conf 文件:

    注意

    您需要更新 kdc.conf 文件中的域。 

    [root@host ~]# cat /var/kerberos/krb5kdc/kdc.conf

 [kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 spake_preauth_kdc_challenge = edwards25519
[realms]
   PUNE.IBM.COM = {
      master_key_type = aes256-cts-hmac-sha384-192
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      default_principal_flags = +preauth
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal camellia128-cts-cmac:normal arcfour-hmac-md5:normal
     # Supported encryption types for FIPS mode:
     #supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
  }

  4. 使用 kdb5_util 创建 KDC 数据库:

    注意

    确保主机名可以通过 DNS/etc/hosts 解析。 

    [root@host ~]# kdb5_util create -s -r [PUNE.IBM.COM](http://pune.ibm.com/)

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'PUNE.IBM.COM',
master key name 'K/M@PUNE.IBM.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

  5. 将管理员添加到 ACL 文件中: 

    [root@host ~]# cat /var/kerberos/krb5kdc/kadm5.acl

*/admin@PUNE.IBM.COM	*

    输出显示 PUNE.IBM.COM 域中的任何主体都有 admin 实例的所有主体都有所有管理特权。

  6. 将管理员添加到 Kerberos 数据库: 

    [root@host ~]# kadmin.local

Authenticating as principal root/admin@PUNE.IBM.COM with password.
kadmin.local:  addprinc admin/admin@PUNE.IBM.COM
No policy specified for admin/admin@PUNE.IBM.COM; defaulting to no policy
Enter password for principal "admin/admin@PUNE.IBM.COM":
Re-enter password for principal "admin/admin@PUNE.IBM.COM":
Principal "admin/admin@PUNE.IBM.COM" created.
kadmin.local:

  7. 启动 kdckadmind

    # krb5kdc
# kadmind

验证

  • 检查 kdckadmind 是否在正确运行: 

    # ps -eaf | grep krb

root     27836     1  0 07:35 ?        00:00:00 krb5kdc
root     27846 13956  0 07:35 pts/8    00:00:00 grep --color=auto krb
# ps -eaf | grep kad
root     27841     1  0 07:35 ?        00:00:00 kadmind
root     27851 13956  0 07:36 pts/8    00:00:00 grep --color=auto kad

  • 检查设置是否正确: 

    [root@host ~]# kinit admin/admin
Password for admin/admin@PUNE.IBM.COM:

[root@ceph-mani-o7fdxp-node4 ~]# klist
Ticket cache: KCM:0
Default principal: admin/admin@PUNE.IBM.COM

Valid starting     Expires            Service principal
10/25/23 06:37:08  10/26/23 06:37:01  krbtgt/PUNE.IBM.COM@PUNE.IBM.COM
    renew until 10/25/23 06:37:08

11.14.2. 设置 Kerberos 客户端

Kerberos 客户端计算机应与 KDC 同步。使用 NTP 确保同步 KDC 和客户端。五分钟或更多的时间差异会导致 Kerberos 身份验证失败并抛出时钟偏移错误。此步骤是所有要参与 Kerberos 身份验证的系统(如 NFS 客户端、运行 NFS Ganesha 容器的主机)的先决条件。

流程

  1. 检查所需的 RPM 

    [root@host ~]# rpm -qa | grep krb5

krb5-libs-1.20.1-9.el9_2.x86_64
krb5-pkinit-1.20.1-9.el9_2.x86_64
krb5-workstation-1.20.1-9.el9_2.x86_64

  2. 更新与 KDC 服务器上的 krb5.conf 文件类似的文件: 

    [root@host ~]# cat /etc/krb5.conf

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.

includedir /etc/krb5.conf.d/
[logging]
    default = [FILE:/var/log/krb5libs.log](file:///var/log/krb5libs.log)
    kdc = [FILE:/var/log/krb5kdc.log](file:///var/log/krb5kdc.log)
    admin_server = [FILE:/var/log/kadmind.log](file:///var/log/kadmind.log)
[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = [FILE:/etc/pki/tls/certs/ca-bundle.crt](file:///etc/pki/tls/certs/ca-bundle.crt)
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_realm = PUNE.IBM.COM
   default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  PUNE.IBM.COM = {
     kdc = 10.0.210.222:88
     admin_server = 10.0.210.222:749
  }
[domain_realm]
  .IBM.com = PUNE.IBM.COM
  IBM.com = PUNE.IBM.COM

验证

  • 验证客户端设置: 

    [root@host ~]# kinit admin/admin

Password for admin/admin@PUNE.IBM.COM:
[root@ceph-mani-o7fdxp-node5 ~]# klist
Ticket cache: KCM:0
Default principal: admin/admin@PUNE.IBM.COM

Valid starting     Expires            Service principal
10/25/23 08:49:12  10/26/23 08:49:08  krbtgt/PUNE.IBM.COM@PUNE.IBM.COM
  renew until 10/25/23 08:49:12

11.14.3. NFS 特定的 Kerberos 设置

您需要为 NFS 服务器和客户端创建服务主体。对应的密钥存储在 keytab 文件中。需要这些主体来设置 GSS_RPCSEC 所需的初始安全上下文。这些服务主体的格式如 nfs/@REALM。您可以将 /etc/krb5.conf 文件从工作系统复制到 Ceph 节点。

流程

  1. 为该主机创建服务主体: 

    [root@host ~]# kinit admin/admin

Password for admin/admin@PUNE.IBM.COM:
[root@host ~]# kadmin
Authenticating as principal admin/admin@PUNE.IBM.COM with password.
Password for admin/admin@PUNE.IBM.COM:
kadmin:  addprinc -randkey nfs/<hostname>.ibm.com
No policy specified for nfs/<hostname>.ibm.com@PUNE.IBM.COM; defaulting to no policy
Principal "nfs/<hostname>.ibm.com@PUNE.IBM.COM" created.

  2. 在 keytab 文件中添加密钥:

    注意

    在这一步中,您已在 NFS 服务器上并使用 kadmin 接口。在这里,keytab 操作反映了 NFS 服务器的 keytab。 

    kadmin:  ktadd nfs/<hostname>.ibm.com

Entry for principal nfs/<hostname>.ibm.com with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com with kvno 2, encryption type camellia256-cts-cmac added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com with kvno 2, encryption type camellia128-cts-cmac added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com with kvno 2, encryption type arcfour-hmac added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
kadmin:
  3. 在运行 NFS Ganesha 容器以及所有 NFS 客户端的所有 Ceph 节点上,运行第 1 和 2 步。

11.14.4. NFS Ganesha 容器设置

按照以下步骤在 Ceph 环境中配置 NFS Ganesha 设置。

流程

  1. 检索现有的 NFS Ganesha 容器配置: 

    [ceph: root@host /]# ceph orch ls --service-type nfs --export

service_type: nfs
service_id: c_ganesha
service_name: nfs.c_ganesha
placement:
  hosts:
  - host1
  - host2
  - host3
spec:
  port: 2049

  2. 修改容器配置,以传递 /etc/krb5.conf/etc/krb5.keytab' 文件到主机上的容器。这些文件在运行时由 NFS Ganesha 引用,以验证传入的服务票据并保护 Ganesha 和 NFS 客户端(krb5p)之间的通信。 

    [root@host ~]# cat nfs.yaml

service_type: nfs
service_id: c_ganesha
service_name: nfs.c_ganesha
placement:
  hosts:
  - host1
  - host2
  - host3
spec:
  port: 2049
extra_container_args:
  - "-v"
  - "/etc/krb5.keytab:/etc/krb5.keytab:ro"
  - "-v"
  - "/etc/krb5.conf:/etc/krb5.conf:ro"

  3. 在 cephadm shell 中提供修改后的 nfs.yaml 文件: 

    [root@host ~]# cephadm shell --mount nfs.yaml:/var/lib/ceph/nfs.yaml

Inferring fsid ff1c1498-73ec-11ee-af38-fa163e9a17fd
Inferring config /var/lib/ceph/ff1c1498-73ec-11ee-af38-fa163e9a17fd/mon.ceph-msaini-qp49z7-node1-installer/config
Using ceph image with id 'fada497f9c5f' and tag 'ceph-7.0-rhel-9-containers-candidate-73711-20231018030025' created on 2023-10-18 03:03:39 +0000 UTC
registry-proxy.engineering.ibm.com/rh-osbs/rhceph@sha256:e66e5dd79d021f3204a183f5dbe4537d0c0e4b466df3b2cc4d50cc79c0f34d75

  4. 验证该文件是否有所需的更改: 

    [ceph: root@host /]# cat /var/lib/ceph/nfs.yaml

service_type: nfs
service_id: c_ganesha
service_name: nfs.c_ganesha
placement:
  hosts:
  - host1
  - host2
  - host3
spec:
  port: 2049
extra_container_args:
  - "-v"
  - "/etc/krb5.keytab:/etc/krb5.keytab:ro"
  - "-v"
  - "/etc/krb5.conf:/etc/krb5.conf:ro"

  5. 将所需的更改应用到 NFS Ganesha 容器并重新部署容器: 

    [ceph: root@host /]# ceph orch apply -i /var/lib/ceph/nfs.yaml

Scheduled nfs.c_ganesha update...
[ceph: root@ceph-msaini-qp49z7-node1-installer /]# ceph orch redeploy nfs.c_ganesha
Scheduled to redeploy nfs.c_ganesha.1.0.ceph-msaini-qp49z7-node1-installer.sxzuts on host 'ceph-msaini-qp49z7-node1-installer'
Scheduled to redeploy nfs.c_ganesha.2.0.ceph-msaini-qp49z7-node2.psuvki on host 'ceph-msaini-qp49z7-node2'
Scheduled to redeploy nfs.c_ganesha.0.0.ceph-msaini-qp49z7-node3.qizzvk on host 'ceph-msaini-qp49z7-node3'

  6. 验证重新部署的服务是否有所需的更改: 

    [ceph: root@host /]# ceph orch ls --service-type nfs --export

service_type: nfs
service_id: c_ganesha
service_name: nfs.c_ganesha
placement:
  hosts:
  - ceph-msaini-qp49z7-node1-installer
  - ceph-msaini-qp49z7-node2
  - ceph-msaini-qp49z7-node3
extra_container_args:
- -v
- /etc/krb5.keytab:/etc/krb5.keytab:ro
- -v
- /etc/krb5.conf:/etc/krb5.conf:ro
spec:
  port: 2049

  7. 将导出定义修改为具有 krb5*(krb5、krb5i、krb5p) 安全类型:

    注意

    在完成上述设置后,您可以创建这样的导出。 

    [ceph: root@host /]# ceph nfs export info c_ganesha /exp1

{
  "access_type": "RW",
  "clients": [],
  "cluster_id": "c_ganesha",
  "export_id": 1,
  "fsal": {
    "fs_name": "fs1",
    "name": "CEPH",
    "user_id": "nfs.c_ganesha.1"
  },
  "path": "/volumes/_nogroup/exp1/81f9a67e-ddf1-4b5a-9fe0-d87effc7ca16",
  "protocols": [
    4
  ],
  "pseudo": "/exp1",
  "sectype": [
    "krb5"
  ],
  "security_label": true,
  "squash": "none",
  "transports": [
    "TCP"
  ]
}

11.14.5. NFS 客户端操作

以下是 NFS 客户端可以实施的一些操作。

流程

  1. 创建服务主体: 

    kadmin:  addprinc -randkey nfs/<hostname>.ibm.com@PUNE.IBM.COM
No policy specified for nfs/<hostname>.ibm.com@PUNE.IBM.COM; defaulting to no policy
Principal "nfs/<hostname>.ibm.com@PUNE.IBM.COM" created.
kadmin:  ktadd nfs/<hostname>.ibm.com@PUNE.IBM.COM
Entry for principal nfs/<hostname>.ibm.com@PUNE.IBM.COM with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com@PUNE.IBM.COM with kvno 2, encryption type aes128-cts-hmac-sha256-128 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com@PUNE.IBM.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com@PUNE.IBM.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com@PUNE.IBM.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com@PUNE.IBM.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).
Entry for principal nfs/<hostname>.ibm.com@PUNE.IBM.COM with kvno 2, encryption type arcfour-hmac added to keytab [FILE:/etc/krb5.keytab](file:///etc/krb5.keytab).

  2. 重启 rpc.gssd 服务,使修改/新的 keytab 文件生效: 

    # systemctl restart rpc-gssd

  3. 挂载 NFS 导出:

    语法

    [root@host ~]# mount -t nfs -o vers=4.1,port=2049 <IP>:/<export_name> >mount_point>

    Example

    mount -t nfs -o vers=4.1,port=2049 10.8.128.233:/ganesha /mnt/test/

  4. 创建用户。挂载 NFS 导出后,常规用户将用于处理挂载的导出。这些常规用户(通常是系统上的本地用户,或者来自 LDAP/AD 等集中式系统的用户)需要是 Kerberos 设置的一部分。根据设置类型,还需要在 KDC 中创建本地用户。

11.14.6. 验证设置

按照以下步骤验证设置。

流程

  • 以普通用户身份访问导出,没有 Kerberos 票据: 

    [user@host ~]$ klist

klist: Credentials cache 'KCM:1001' not found

[user@host ~]$ cd /mnt
-bash: cd: /mnt: Permission denied

  • 以普通用户身份使用 Kerberos 票据访问导出: 

    [user@host ~]$ kinit sachin

Password for user@PUNE.IBM.COM:

[user@host ~]$ klist
Ticket cache: KCM:1001
Default principal: user@PUNE.IBM.COM

Valid starting     Expires            Service principal
10/27/23 12:57:21  10/28/23 12:57:17  krbtgt/PUNE.IBM.COM@PUNE.IBM.COM
  renew until 10/27/23 12:57:21

[user@host ~]$ cd /mnt

[user@host mnt]$ klist

Ticket cache: KCM:1001
Default principal: user@PUNE.IBM.COM

Valid starting     Expires            Service principal
10/27/23 12:57:21  10/28/23 12:57:17  krbtgt/PUNE.IBM.COM@PUNE.IBM.COM
renew until 10/27/23 12:57:21
10/27/23 12:57:28  10/28/23 12:57:17  nfs/ceph-msaini-qp49z7-node1-installer.ibm.com@
renew until 10/27/23 12:57:21
Ticket server: nfs/ceph-msaini-qp49z7-node1-installer.ibm.com@PUNE.IBM.COM
注意

注意:客户端上观察 nfs/ 服务的 Tickets。

Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.