2017年8月19日土曜日

Vagrantを使用して、Kerberosサーバを構築する

以下のVagrantfileを使用して、Kerberosサーバを構築できます。 Vagrantfile

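# Vagrantfile: single-node MIT Kerberos KDC (realm VM.INTERNAL) on CentOS 7.3
# for lab use. KDC and admin server are both this host, krb5server.vm.internal.
# The inline provisioner runs as root and is written for ONE provisioning run:
# most steps append to config files and are not idempotent.
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "bento/centos-7.3"
  # Must match the kdc / admin_server names written into krb5.conf below.
  config.vm.hostname = "krb5server.vm.internal"
  config.vm.provider :virtualbox do |vbox|
    vbox.name = "krb5server"
    vbox.cpus = 4
    vbox.memory = 8192
    # Promiscuous mode on VirtualBox adapter 2 (presumably the first network
    # defined below — verify with `VBoxManage showvminfo`). Not required for
    # Kerberos itself; it lets the guest observe all traffic on that segment.
    vbox.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
  end
  # host-only network
  config.vm.network "private_network", ip: "192.168.55.87", netmask: "255.255.255.0"
  # bridged network
  config.vm.network "public_network", ip: "192.168.1.87", netmask: "255.255.255.0"
  config.vm.network "forwarded_port", guest: 22, host: 18022, id: "ssh"
  config.vm.provision "shell", inline: <<-SHELL
#!/bin/bash
# Abort on the first failing step instead of silently continuing with a
# half-configured KDC (e.g. when kdb5_util create fails).
set -euo pipefail

# Lab credentials. Override from the environment (e.g. the provisioner's
# `env:` option) before `vagrant up`; the defaults keep the original values.
KRB_REALM="${KRB_REALM:-VM.INTERNAL}"
KRB_MASTER_PASSWORD="${KRB_MASTER_PASSWORD:-admin}"
KRB_ADMIN_PASSWORD="${KRB_ADMIN_PASSWORD:-admin}"
TEST_USER_PASSWORD="${TEST_USER_PASSWORD:-test}"

# haveged: entropy daemon so key generation (kdb5_util, -randkey) does not block
yum -y install epel-release
yum -y install haveged
systemctl enable haveged.service
systemctl start haveged.service

# Kerberos KDC, admin server, client tools and the PAM module
yum -y install krb5-server krb5-workstation pam_krb5

# chrony: serve time to both lab subnets (Kerberos tolerates only small clock skew)
echo 'allow 192.168.1/24' >> /etc/chrony.conf
echo 'allow 192.168.55/24' >> /etc/chrony.conf

systemctl enable chronyd.service
systemctl start chronyd.service

# kdc.conf: replace the packaged EXAMPLE.COM realm with ours
# (KRB_REALM must not contain '/', it is used unescaped in the sed expression)
sed -i -e "s/EXAMPLE.COM/${KRB_REALM}/g" /var/kerberos/krb5kdc/kdc.conf

# Create the KDC database; -s writes the stash file so krb5kdc starts unattended.
# Skipped when the database already exists so a re-provision does not abort here.
if [[ ! -e /var/kerberos/krb5kdc/principal ]]; then
  kdb5_util create -r "${KRB_REALM}" -s -P "${KRB_MASTER_PASSWORD}"
fi

# krb5.conf: set default_realm, disable the KEYRING ccache default, comment out
# the packaged [realms]/[domain_realm] headers and append our own sections.
sed -i -e "s/# default_realm = EXAMPLE.COM/default_realm = ${KRB_REALM}/" /etc/krb5.conf
sed -i -e 's/ default_ccache_name/#default_ccache_name/' /etc/krb5.conf
sed -i -e 's/\\[realms\\]/#[realms]/' /etc/krb5.conf
sed -i -e 's/\\[domain_realm\\]/#[domain_realm]/' /etc/krb5.conf

cat >> /etc/krb5.conf <<EOF

[realms]
${KRB_REALM} = {
  kdc = krb5server.vm.internal
  admin_server = krb5server.vm.internal
}

[domain_realm]
.vm.internal = ${KRB_REALM}
vm.internal = ${KRB_REALM}
EOF

# kadm5.acl: comment out the packaged entries; every */admin principal gets
# full kadmin privileges ('*' = all permissions).
sed -i -e 's/^/#/' /var/kerberos/krb5kdc/kadm5.acl
echo "*/admin@${KRB_REALM} *" >> /var/kerberos/krb5kdc/kadm5.acl

kadmin.local addprinc -pw "${KRB_ADMIN_PASSWORD}" root/admin

systemctl enable krb5kdc
systemctl start krb5kdc
systemctl enable kadmin
systemctl start kadmin

# Host principal for this machine: random key, stored in the default keytab
# (/etc/krb5.keytab) so sshd can accept GSSAPI logins.
kadmin.local addprinc -randkey host/krb5server.vm.internal
kadmin.local ktadd host/krb5server.vm.internal

# Test user: local account plus Kerberos principal. addprinc is done through
# kadmin (network path via kadmind) rather than kadmin.local, so it also
# exercises the admin service started above.
id -u test >/dev/null 2>&1 || useradd test
kadmin -p root/admin -w "${KRB_ADMIN_PASSWORD}" addprinc -pw "${TEST_USER_PASSWORD}" test
# Same as the line below with the default keytab spelled out:
#kadmin.local ktadd  -norandkey -k /etc/krb5.keytab test
kadmin.local ktadd -norandkey test
# Export the user's key to a portable keytab for client hosts. -norandkey keeps
# the password-derived key, so this file is equivalent to the password: it is
# written relative to the provisioner's working directory and restricted to root.
kadmin.local xst -norandkey -k test.keytab "test@${KRB_REALM}"
chmod 600 test.keytab

# sshd: enable Kerberos password and GSSAPI authentication.
# sshd_config uses the FIRST value found for a keyword, so the appended line
# only takes effect if no earlier uncommented KerberosAuthentication line exists.
echo 'KerberosAuthentication yes' >> /etc/ssh/sshd_config
sed -i -e 's/GSSAPIAuthentication no/GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i -e 's/GSSAPICleanupCredentials no/GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config

# ssh client: GSSAPI with credential delegation for hosts in the lab domain.
# Delegation forwards the user's TGT to the remote host, so keep the Host
# pattern limited to trusted lab machines.
cat >> /etc/ssh/ssh_config <<'EOF'
Host *.vm.internal
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
EOF
authconfig --enablekrb5 --update
systemctl restart sshd

SHELL
end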
関連情報
Vagrantを使用してkerberos化した1ノードクラスタのhive環境を構築する
